Unsuspecting School District Faculty Targeted by Credential Theft Campaign

No one wants to receive an email from human resources that they aren’t expecting. After all, that usually means bad news. And when we think there may be bad news, cybersecurity training tends to fall by the wayside.

Threat actors know this, and they’re taking advantage of human emotions. Our most recent example comes from a school district, where attackers compromised one account and then used that account to launch additional attacks on the victim’s coworkers. Using urgent language and a phishing link, this campaign was an attempt to gain credentials to additional email accounts.

• Target: Public School District
• Platform: Office 365
• Victims: Faculty and Staff
• Payload: Urgent Message with Phishing Link
• Technique: Credential Theft

Prior to this attack, cybercriminals gained access to the mailbox of a faculty member at an independent school district. Once inside the inbox, they sent an urgent message en masse to other faculty members.

While the method utilized to compromise the email account is unknown, it could be a result of brute force attacks in which cybercriminals target specific accounts and programmatically test character combinations to determine the account password. Among our customers, we saw this type of attack grow by 160% on average over the second quarter of 2021.

Once attackers have the right password and can access the mailbox, they can use that email address to send attacks on others within the organization. This east-west traffic often isn’t inspected by traditional email security infrastructure, making these internal attacks extremely effective.

In the first email, the attackers used vocabulary indicative of urgency with buzzwords including important and HR. Despite the fact that the compromised account did not belong to a HR professional, the attackers believed that people may still click on the link if they included that in the subject line.

The body of the message mimics the design of DocuSign—a well-known, legitimate brand that the faculty members are familiar with. It also includes a short message indicating that the recipient has a message from Human Resources and they must click the link to review the document.

The message includes a footer indicating that the HR Department is responsible for the distribution of the message and a copyright boilerplate for added legitimacy of the message.

Once the recipient clicks on the DocuSign link, they are redirected to an Adobe webpage, where they must input credentials to gain access to the message.

A careful user will note that this web page has the name and image of a different popular brand—the link leads to an Adobe page, which has no partnership with Docusign. This may be cause for concern for some, but cybercriminals are counting on users who are so invested in reading the important note from HR that they won’t notice the discrepancy.

Once credentials are entered, the user receives an error message stating that they are not able to view the PDF file.

The error message states that they need to re-enter their information, but the page quickly redirects to the actual products page of Adobe Creative Cloud, leaving faculty confused about why they provided their credentials.

Despite the misuse of the article ‘the’ in both the header and body of the message, this email is very convincing, relying on emotion to spark action. In addition to referencing an important department in the organization, the attack originates from a compromised account of a legitimate faculty member, creating a convincing front against unsuspecting recipients.

This attack is particularly effective due to the simplistic nature of the message, the use of the names and images of well known brands/products, the increased sense of urgency, and because it was sent from a legitimate email address within the school district. Timing was also beneficial for the attackers, as this was sent in early August—right at the beginning of the school year when faculty would be checking their email. All of these factors combine to create a rather convincing facade of safety for recipients, especially in an organization where nobody is a stranger.

Once the attacker had login credentials, he may have gained access to other services within the school district, including financial records, personal information of students, grading systems, school applications, and other data that shouldn’t be accessed by anyone other than the faculty members.

However, because Abnormal noticed suspicious login activity and then an immediate blast of malicious emails across east-west traffic, we were able to identify and remediate these attacks.

Despite the initial compromise not occurring via email, the attackers attempted to take advantage of their access to gain a further foothold into the school district. Current trends indicate that these internal-to-internal attacks are likely to continue, particularly as the number of brute force attacks rises.

Without proper precautions, including an email security system that can detect account takeovers and internal malicious activity, this school district could have experienced severe consequences. Luckily for those involved, it resulted only in a few password updates.

Interested in seeing how Abnormal can detect and remediate account takeovers for your employees? Request a demo for full details.