Unsuspecting School District Faculty Targeted by Credential Theft Campaign

September 7, 2021

No one wants to receive an email from human resources that they aren’t expecting. After all, that usually means bad news. And when we think there may be bad news, cybersecurity training tends to fall by the wayside.

Threat actors know this, and they’re taking advantage of human emotions. Our most recent example comes from a school district, where attackers compromised one account and then used that account to launch additional attacks on the victim’s coworkers. Using urgent language and a phishing link, this campaign was an attempt to gain credentials to additional email accounts.

Summary of Attack Target

  • Target: Public School District
  • Platform: Office 365
  • Victims: Faculty and Staff
  • Payload: Urgent Message with Phishing Link
  • Technique: Credential Theft

About the Credential Phishing Attack

Prior to this attack, cybercriminals gained access to the mailbox of a faculty member at an independent school district. Once inside the inbox, they sent an urgent message en masse to other faculty members.

While the method utilized to compromise the email account is unknown, it could be a result of brute force attacks in which cybercriminals target specific accounts and programmatically test character combinations to determine the account password. Among our customers, we saw this type of attack grow by 160% on average over the second quarter of 2021.

Once attackers have the right password and can access the mailbox, they can use that email address to send attacks on others within the organization. This east-west traffic often isn’t inspected by traditional email security infrastructure, making these internal attacks extremely effective.

In the first email, the attackers used vocabulary indicative of urgency with buzzwords including important and HR. Despite the fact that the compromised account did not belong to a HR professional, the attackers believed that people may still click on the link if they included that in the subject line.

Faculty docusign email

The body of the message mimics the design of DocuSign—a well-known, legitimate brand that the faculty members are familiar with. It also includes a short message indicating that the recipient has a message from Human Resources and they must click the link to review the document.

The message includes a footer indicating that the HR Department is responsible for the distribution of the message and a copyright boilerplate for added legitimacy of the message.

Once the recipient clicks on the DocuSign link, they are redirected to an Adobe webpage, where they must input credentials to gain access to the message.

Faculty adobe landing

A careful user will note that this web page has the name and image of a different popular brand—the link leads to an Adobe page, which has no partnership with Docusign. This may be cause for concern for some, but cybercriminals are counting on users who are so invested in reading the important note from HR that they won’t notice the discrepancy.

Once credentials are entered, the user receives an error message stating that they are not able to view the PDF file.

Faculty adobe error

The error message states that they need to re-enter their information, but the page quickly redirects to the actual products page of Adobe Creative Cloud, leaving faculty confused about why they provided their credentials.

Despite the misuse of the article ‘the’ in both the header and body of the message, this email is very convincing, relying on emotion to spark action. In addition to referencing an important department in the organization, the attack originates from a compromised account of a legitimate faculty member, creating a convincing front against unsuspecting recipients.

Why the Attack Bypassed Existing Security Infrastructure

This attack is particularly effective due to the simplistic nature of the message, the use of the names and images of well known brands/products, the increased sense of urgency, and because it was sent from a legitimate email address within the school district. Timing was also beneficial for the attackers, as this was sent in early August—right at the beginning of the school year when faculty would be checking their email. All of these factors combine to create a rather convincing facade of safety for recipients, especially in an organization where nobody is a stranger.

Once the attacker had login credentials, he may have gained access to other services within the school district, including financial records, personal information of students, grading systems, school applications, and other data that shouldn’t be accessed by anyone other than the faculty members.

However, because Abnormal noticed suspicious login activity and then an immediate blast of malicious emails across east-west traffic, we were able to identify and remediate these attacks.

Faculty abnormal analysis

Despite the initial compromise not occurring via email, the attackers attempted to take advantage of their access to gain a further foothold into the school district. Current trends indicate that these internal-to-internal attacks are likely to continue, particularly as the number of brute force attacks rises.

Without proper precautions, including an email security system that can detect account takeovers and internal malicious activity, this school district could have experienced severe consequences. Luckily for those involved, it resulted only in a few password updates.

Interested in seeing how Abnormal can detect and remediate account takeovers for your employees? Request a demo for full details.

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More
B Podcast Engineering8
In episode 8 of Abnormal Engineering Stories, Kevin interviews Saminda Wijegunawardena, an engineering leader who is no stranger to fast-growing enterprise startups.
Read More
B 04 04 22 Webinar Recap Krebs
High-impact emails are on the rise and secure email gateways (SEGs) don’t have the functionality to mitigate them. Learn how your SEG is letting you down.
Read More
B 04 19 22 Facebook Phishing
While phishing emails have long been a popular way to steal Facebook login credentials, we’ve recently seen an increase in more sophisticated phishing attacks.
Read More