Unsuspecting School District Faculty Targeted by Credential Theft Campaign

September 7, 2021

No one wants to receive an email from human resources that they aren’t expecting. After all, that usually means bad news. And when we think there may be bad news, cybersecurity training tends to fall by the wayside.

Threat actors know this, and they’re taking advantage of human emotions. Our most recent example comes from a school district, where attackers compromised one account and then used that account to launch additional attacks on the victim’s coworkers. Using urgent language and a phishing link, this campaign was an attempt to gain credentials to additional email accounts.

Summary of Attack Target

  • Target: Public School District
  • Platform: Office 365
  • Victims: Faculty and Staff
  • Payload: Urgent Message with Phishing Link
  • Technique: Credential Theft

About the Credential Phishing Attack

Prior to this attack, cybercriminals gained access to the mailbox of a faculty member at an independent school district. Once inside the inbox, they sent an urgent message en masse to other faculty members.

While the method utilized to compromise the email account is unknown, it could be a result of brute force attacks in which cybercriminals target specific accounts and programmatically test character combinations to determine the account password. Among our customers, we saw this type of attack grow by 160% on average over the second quarter of 2021.

Once attackers have the right password and can access the mailbox, they can use that email address to send attacks on others within the organization. This east-west traffic often isn’t inspected by traditional email security infrastructure, making these internal attacks extremely effective.

In the first email, the attackers used vocabulary indicative of urgency with buzzwords including important and HR. Despite the fact that the compromised account did not belong to a HR professional, the attackers believed that people may still click on the link if they included that in the subject line.

Faculty docusign email

The body of the message mimics the design of DocuSign—a well-known, legitimate brand that the faculty members are familiar with. It also includes a short message indicating that the recipient has a message from Human Resources and they must click the link to review the document.

The message includes a footer indicating that the HR Department is responsible for the distribution of the message and a copyright boilerplate for added legitimacy of the message.

Once the recipient clicks on the DocuSign link, they are redirected to an Adobe webpage, where they must input credentials to gain access to the message.

Faculty adobe landing

A careful user will note that this web page has the name and image of a different popular brand—the link leads to an Adobe page, which has no partnership with Docusign. This may be cause for concern for some, but cybercriminals are counting on users who are so invested in reading the important note from HR that they won’t notice the discrepancy.

Once credentials are entered, the user receives an error message stating that they are not able to view the PDF file.

Faculty adobe error

The error message states that they need to re-enter their information, but the page quickly redirects to the actual products page of Adobe Creative Cloud, leaving faculty confused about why they provided their credentials.

Despite the misuse of the article ‘the’ in both the header and body of the message, this email is very convincing, relying on emotion to spark action. In addition to referencing an important department in the organization, the attack originates from a compromised account of a legitimate faculty member, creating a convincing front against unsuspecting recipients.

Why the Attack Bypassed Existing Security Infrastructure

This attack is particularly effective due to the simplistic nature of the message, the use of the names and images of well known brands/products, the increased sense of urgency, and because it was sent from a legitimate email address within the school district. Timing was also beneficial for the attackers, as this was sent in early August—right at the beginning of the school year when faculty would be checking their email. All of these factors combine to create a rather convincing facade of safety for recipients, especially in an organization where nobody is a stranger.

Once the attacker had login credentials, he may have gained access to other services within the school district, including financial records, personal information of students, grading systems, school applications, and other data that shouldn’t be accessed by anyone other than the faculty members.

However, because Abnormal noticed suspicious login activity and then an immediate blast of malicious emails across east-west traffic, we were able to identify and remediate these attacks.

Faculty abnormal analysis

Despite the initial compromise not occurring via email, the attackers attempted to take advantage of their access to gain a further foothold into the school district. Current trends indicate that these internal-to-internal attacks are likely to continue, particularly as the number of brute force attacks rises.

Without proper precautions, including an email security system that can detect account takeovers and internal malicious activity, this school district could have experienced severe consequences. Luckily for those involved, it resulted only in a few password updates.

Interested in seeing how Abnormal can detect and remediate account takeovers for your employees? Request a demo for full details.

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 1500x1500 Gartner Peer Insights Reviews blog
The Abnormal Security team is committed to providing the best possible solution and support experience to every customer. Here’s what a few of our customers have to say about us.
Read More
B Podcast Engineering 10 07 27 22
In episode 10 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, sits down with Zehan Wang, co-founder of Magic Pony.
Read More
B 1500x1500 Email Attack Insights
Join us for a three-part webinar series about the most serious email-based threats, featuring some of the biggest names in cybersecurity.
Read More
B 07 22 22 Webinar Recap
Credential phishing attacks can lead to loss of revenue, loss of data, and long-term reputational damage. Learn why these attacks are successful and how to block them.
Read More
B 07 19 22 2022 Email Security Trends 1
Our new survey explores the current email threat landscape and what security leaders are doing to stay ahead of increasingly sophisticated attacks.
Read More
B 07 14 22 4types
Understanding the ways cybercriminals execute financial supply chain compromise is key to preventing your organization from falling victim to an attack.
Read More
B 07 07 22 Financial Supply Chain Compromise
Financial supply chain compromise, a subset of business email compromise (BEC), is on the rise. Learn how threat actors launch these sophisticated attacks.
Read More
B 06 15 22 Coats Webinar Recap Blog
Learn why Coats, the global leader in industrial thread manufacturing, skipped the SEG and chose Abnormal Integrated Cloud Email Security (ICES) to protect its workforce from modern email threats.
Read More
B 07 30 22 Q2 2022
We’re dedicated to keeping security professionals informed about the latest email threats. Here are a few of our favorite blog posts from Q2 2022.
Read More
B 06 21 22 Threat Intel blog
Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.
Read More
B 06 7 22 Disentangling ML Pipelines Blog
Learn how explicitly modeling dependencies in a machine learning pipeline can vastly reduce its complexity and make it behave like a tower of Legos: easy to change, and hard to break.
Read More
B 04 07 22 SEG
As enterprises across the world struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs?
Read More