The SANS Institute is attributing a data breach that exposed roughly 28,000 records containing personally identifiable information to a malicious Office 365 add-on, which caused an employee’s email account to automatically forward emails to an attacker’s address.