SANS has shared the indicators of compromise for a recent phishing attack that compromised one of their email accounts and led to a data breach. SANS says the attack started with a phishing email pretending to be a file shared by a SANS SharePoint service. The site is no longer active, but recipients of this phishing scam had tested it using the Any.Run and Joe Sandbox services. If a matching keyword was found in an email, the email would be forwarded to an external address of ‘daemon [@] daemongr5yenh53ci0w6cjbbh1gy1l61fxpd.com’.
Source: https://www.bleepingcomputer.com/news/security/sans-shares-details-on-attack-that-led-to-their-data-breach/
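
Added example (not from SANS or the source article): a check for the behaviour described above, keyword-matched mail forwarded to an outside address, run over mailbox rule records. The record layout (field names as in Exchange Online's `Get-InboxRule` output), `INTERNAL_DOMAINS` and the sample rules are assumptions constructed for illustration.

```python
import re

# Domains treated as internal; an assumption for this example.
INTERNAL_DOMAINS = {"example.org"}
# Field names follow Get-InboxRule output; the exported record shape is assumed.
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_FIELDS = ("SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def external_targets(rule):
    """Return the addresses a rule forwards to that are outside INTERNAL_DOMAINS."""
    found = []
    for field in FORWARD_FIELDS:
        for entry in rule.get(field) or []:
            for m in ADDR_RE.finditer(entry):
                domain = m.group(1).lower()
                if not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS):
                    found.append(m.group(0).lower())
    return found


def audit(rules):
    """Flag enabled rules that forward externally; keyword-gated ones rank high."""
    findings = []
    for rule in rules:
        targets = external_targets(rule)
        if not targets or not rule.get("Enabled", True):
            continue
        keywords = [w for f in KEYWORD_FIELDS for w in (rule.get(f) or [])]
        findings.append({"mailbox": rule.get("Mailbox"), "rule": rule.get("Name"),
                         "targets": targets, "keywords": keywords,
                         "severity": "high" if keywords else "medium"})
    return findings


# Constructed sample data, not taken from the incident.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.org", "Name": "Filter", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "payment"],
     "ForwardTo": ['"x" [SMTP:collector@mail.example.net]']},
    {"Mailbox": "bob@example.org", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ['"Carol" [SMTP:carol@example.org]']},
    {"Mailbox": "dave@example.org", "Name": "Personal copy", "Enabled": True,
     "RedirectTo": ['"Dave" [SMTP:dave@home.example.com]']},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

A rule that forwards externally only when keywords match is ranked above a plain external forward, since it matches the selective forwarding described in the summary.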

