chat
expand_more

Unsuspecting School District Faculty Targeted by Credential Theft Campaign

No one wants to receive an email from human resources that they aren’t expecting. After all, that usually means bad news. And when we think there may be bad news, cybersecurity training tends to fall by the wayside. Threat actors know this, and they’re taking advantage of human emotions.
September 7, 2021

No one wants to receive an email from human resources that they aren’t expecting. After all, that usually means bad news. And when we think there may be bad news, cybersecurity training tends to fall by the wayside.

Threat actors know this, and they’re taking advantage of human emotions. Our most recent example comes from a school district, where attackers compromised one account and then used that account to launch additional attacks on the victim’s coworkers. Using urgent language and a phishing link, this campaign was an attempt to gain credentials to additional email accounts.

Summary of Attack Target

  • Target: Public School District
  • Platform: Office 365
  • Victims: Faculty and Staff
  • Payload: Urgent Message with Phishing Link
  • Technique: Credential Theft

About the Credential Phishing Attack

Prior to this attack, cybercriminals gained access to the mailbox of a faculty member at an independent school district. Once inside the inbox, they sent an urgent message en masse to other faculty members.

While the method utilized to compromise the email account is unknown, it could be a result of brute force attacks in which cybercriminals target specific accounts and programmatically test character combinations to determine the account password. Among our customers, we saw this type of attack grow by 160% on average over the second quarter of 2021.

Once attackers have the right password and can access the mailbox, they can use that email address to send attacks on others within the organization. This east-west traffic often isn’t inspected by traditional email security infrastructure, making these internal attacks extremely effective.

In the first email, the attackers used vocabulary indicative of urgency with buzzwords including important and HR. Despite the fact that the compromised account did not belong to a HR professional, the attackers believed that people may still click on the link if they included that in the subject line.

Faculty docusign email

The body of the message mimics the design of DocuSign—a well-known, legitimate brand that the faculty members are familiar with. It also includes a short message indicating that the recipient has a message from Human Resources and they must click the link to review the document.

The message includes a footer indicating that the HR Department is responsible for the distribution of the message and a copyright boilerplate for added legitimacy of the message.

Once the recipient clicks on the DocuSign link, they are redirected to an Adobe webpage, where they must input credentials to gain access to the message.

Faculty adobe landing

A careful user will note that this web page has the name and image of a different popular brand—the link leads to an Adobe page, which has no partnership with Docusign. This may be cause for concern for some, but cybercriminals are counting on users who are so invested in reading the important note from HR that they won’t notice the discrepancy.

Once credentials are entered, the user receives an error message stating that they are not able to view the PDF file.

Faculty adobe error

The error message states that they need to re-enter their information, but the page quickly redirects to the actual products page of Adobe Creative Cloud, leaving faculty confused about why they provided their credentials.

Despite the misuse of the article ‘the’ in both the header and body of the message, this email is very convincing, relying on emotion to spark action. In addition to referencing an important department in the organization, the attack originates from a compromised account of a legitimate faculty member, creating a convincing front against unsuspecting recipients.

Why the Attack Bypassed Existing Security Infrastructure

This attack is particularly effective due to the simplistic nature of the message, the use of the names and images of well known brands/products, the increased sense of urgency, and because it was sent from a legitimate email address within the school district. Timing was also beneficial for the attackers, as this was sent in early August—right at the beginning of the school year when faculty would be checking their email. All of these factors combine to create a rather convincing facade of safety for recipients, especially in an organization where nobody is a stranger.

Once the attacker had login credentials, he may have gained access to other services within the school district, including financial records, personal information of students, grading systems, school applications, and other data that shouldn’t be accessed by anyone other than the faculty members.

However, because Abnormal noticed suspicious login activity and then an immediate blast of malicious emails across east-west traffic, we were able to identify and remediate these attacks.

Faculty abnormal analysis

Despite the initial compromise not occurring via email, the attackers attempted to take advantage of their access to gain a further foothold into the school district. Current trends indicate that these internal-to-internal attacks are likely to continue, particularly as the number of brute force attacks rises.

Without proper precautions, including an email security system that can detect account takeovers and internal malicious activity, this school district could have experienced severe consequences. Luckily for those involved, it resulted only in a few password updates.

Interested in seeing how Abnormal can detect and remediate account takeovers for your employees? Request a demo for full details.

Unsuspecting School District Faculty Targeted by Credential Theft Campaign

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Proofpoint Customer Story Blog 8
A Fortune 500 transportation and logistics leader blocked more than 6,700 attacks missed by Proofpoint and reclaimed 350 SOC hours per month by adding Abnormal to its security stack.
Read More
B Gartner MQ 2024 Announcement Blog
Abnormal Security was named a Leader in the 2024 Gartner Magic Quadrant for Email Security Platforms and positioned furthest for Completeness of Vision.
Read More
B Gift Card Scams Tricker to Spot Blog
Learn why gift card scams are becoming more difficult to identify, how cybercriminals evolve their tactics, and strategies to protect your organization.
Read More
B Offensive AI 12 16 24
Learn how AI is used in cybersecurity, what defensive AI vs. offensive AI means, and how to use defensive AI to combat offensive AI.
Read More
B Proofpoint Customer Story Blog 7
See how Abnormal's AI helped a Fortune 500 insurance provider detect 27,847 threats missed by Proofpoint and save 6,600+ hours in employee productivity.
Read More
B Cyberattack Forecast Emerging Threats Blog
Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.
Read More