Unsuspecting School District Faculty Targeted by Credential Theft Campaign

September 7, 2021

No one wants to receive an email from human resources that they aren’t expecting. After all, that usually means bad news. And when we think there may be bad news, cybersecurity training tends to fall by the wayside.

Threat actors know this, and they’re taking advantage of human emotions. Our most recent example comes from a school district, where attackers compromised one account and then used that account to launch additional attacks on the victim’s coworkers. Using urgent language and a phishing link, this campaign was an attempt to gain credentials to additional email accounts.

Summary of Attack Target

  • Target: Public School District
  • Platform: Office 365
  • Victims: Faculty and Staff
  • Payload: Urgent Message with Phishing Link
  • Technique: Credential Theft

About the Credential Phishing Attack

Prior to this attack, cybercriminals gained access to the mailbox of a faculty member at an independent school district. Once inside the inbox, they sent an urgent message en masse to other faculty members.

While the method utilized to compromise the email account is unknown, it could be a result of brute force attacks in which cybercriminals target specific accounts and programmatically test character combinations to determine the account password. Among our customers, we saw this type of attack grow by 160% on average over the second quarter of 2021.

Once attackers have the right password and can access the mailbox, they can use that email address to send attacks on others within the organization. This east-west traffic often isn’t inspected by traditional email security infrastructure, making these internal attacks extremely effective.

In the first email, the attackers used vocabulary indicative of urgency, with buzzwords including “important” and “HR.” Despite the fact that the compromised account did not belong to an HR professional, the attackers believed that people may still click on the link if they included that in the subject line.

[Image: Faculty DocuSign email]

The body of the message mimics the design of DocuSign—a well-known, legitimate brand that the faculty members are familiar with. It also includes a short message indicating that the recipient has a message from Human Resources and they must click the link to review the document.

The message includes a footer indicating that the HR Department is responsible for the distribution of the message and a copyright boilerplate for added legitimacy of the message.

Once the recipient clicks on the DocuSign link, they are redirected to an Adobe webpage, where they must input credentials to gain access to the message.

[Image: Faculty Adobe landing page]

A careful user will note that this web page has the name and image of a different popular brand—the link leads to an Adobe page, which has no partnership with DocuSign. This may be cause for concern for some, but cybercriminals are counting on users who are so invested in reading the important note from HR that they won’t notice the discrepancy.

Once credentials are entered, the user receives an error message stating that they are not able to view the PDF file.

[Image: Faculty Adobe error message]

The error message states that they need to re-enter their information, but the page quickly redirects to the actual products page of Adobe Creative Cloud, leaving faculty confused about why they provided their credentials.

Despite the misuse of the article ‘the’ in both the header and body of the message, this email is very convincing, relying on emotion to spark action. In addition to referencing an important department in the organization, the attack originates from a compromised account of a legitimate faculty member, creating a convincing front against unsuspecting recipients.

Why the Attack Bypassed Existing Security Infrastructure

This attack is particularly effective due to the simplistic nature of the message, the use of the names and images of well-known brands and products, the increased sense of urgency, and because it was sent from a legitimate email address within the school district. Timing was also beneficial for the attackers, as this was sent in early August—right at the beginning of the school year when faculty would be checking their email. All of these factors combine to create a rather convincing facade of safety for recipients, especially in an organization where nobody is a stranger.

Once the attacker had login credentials, they may have gained access to other services within the school district, including financial records, personal information of students, grading systems, school applications, and other data that shouldn’t be accessed by anyone other than the faculty members.

However, because Abnormal noticed suspicious login activity and then an immediate blast of malicious emails across east-west traffic, we were able to identify and remediate these attacks.

[Image: Faculty Abnormal analysis]
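The correlation described above, a suspicious login followed by a burst of internal-to-internal mail from the same account, can be sketched as follows. This is an added example, not Abnormal's detection logic; the record layout, thresholds, domain and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All names, thresholds and events below are constructed assumptions.
DOMAIN = "@district.example"       # placeholder internal mail domain
FAILED_THRESHOLD = 5               # failures before a success that suggest guessing
BLAST_RECIPIENTS = 4               # distinct internal recipients of one subject
WINDOW = timedelta(minutes=30)     # correlation window
A, B = "a.teacher" + DOMAIN, "b.staff" + DOMAIN

# Sign-in records: (time, user, result)
SIGNINS = [(f"2021-08-02 02:0{i}", A, "failure") for i in range(6)] + [
    ("2021-08-02 02:06", A, "success"), ("2021-08-02 08:00", B, "success")]
# Message-trace records: (time, sender, recipient, subject)
MAIL = [(f"2021-08-02 02:1{i}", A, f"staff{i}{DOMAIN}", "Important: HR document")
        for i in range(5)] + [
    ("2021-08-02 09:00", B, "staff1" + DOMAIN, "Lunch"),
    ("2021-08-02 09:01", B, "parent@example.org", "Field trip")]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def suspicious_logins(signins):
    """Map user -> time of first success preceded by a burst of failures."""
    fails, hits = defaultdict(list), {}
    for when, user, result in sorted(signins):
        if result == "failure":
            fails[user].append(ts(when))
        elif user not in hits:
            recent = [f for f in fails[user] if ts(when) - f <= WINDOW]
            if len(recent) >= FAILED_THRESHOLD:
                hits[user] = ts(when)
    return hits

def internal_blasts(signins, mail):
    """Flag accounts that mass-mail colleagues right after a suspicious login."""
    alerts = []
    for user, login in suspicious_logins(signins).items():
        by_subject = defaultdict(set)
        for when, sender, rcpt, subject in mail:
            delay = ts(when) - login
            if (sender == user and rcpt.endswith(DOMAIN)
                    and timedelta(0) <= delay <= WINDOW):
                by_subject[subject].add(rcpt)
        alerts += [(user, subj, len(r)) for subj, r in by_subject.items()
                   if len(r) >= BLAST_RECIPIENTS]
    return alerts

if __name__ == "__main__":
    print(internal_blasts(SIGNINS, MAIL))
```

Neither signal alone fires here: the second account's ordinary login and mail are ignored, and the first account is flagged only because the failure burst, the successful login and the same-subject internal blast fall inside one window.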

Despite the initial compromise not occurring via email, the attackers attempted to take advantage of their access to gain a further foothold into the school district. Current trends indicate that these internal-to-internal attacks are likely to continue, particularly as the number of brute force attacks rises.

Without proper precautions, including an email security system that can detect account takeovers and internal malicious activity, this school district could have experienced severe consequences. Luckily for those involved, it resulted only in a few password updates.
