Attackers Pose as University Support Team to Target Students

February 10, 2022

Higher education institutions continue to be prime targets for attack as cybercrimianls prey on unsuspecting students. In a recent attack uncovered by Abnormal, a credential phishing attacker impersonated the university support team to steal student credentials.

About the Credential Phishing Attack

Summary of Attack

  • Target: University Students

  • Platform: Outlook 365

  • Bypassed Secure Email Gateway: Yes

  • Payload: Phishing Link

  • Technique: Spoofed Internal Account

In this attack, cybercriminals attempted to spoof, or forge authentication, of a university support team email. Lucky for them, the secure email gateway (SEG) the university uses experienced an error in verifying sender credentials and allowed the malicious actor to pose as the support team in a way that is almost undetectable.

The attacker did this by including a subject line that contains what appears to be a benign password expiration notification coming from a legitimate university support team email domain. The body of the email contains a message stating that the password for the email account will expire later in the evening, a button which is connected to a link, and an urgent note stating that email may not be delivered if the account password is not verified. Finally, the footer contains the name of the distributing organization on campus: the IT support team.

university support email phishing attempt

After clicking on the link, recipients are directed to a simple web page containing a login prompt where the username is already filled in, a tactic typically used by attackers. The prompt contains the university name and logo and the name of a well-known security brand, Norton.

While this does not necessarily look like a Microsoft login page, the attackers are likely betting on the fact that students either may not know the difference, or may be too distracted to pay attention to these details.

University support fake signin page

After inputting the password to the email address, the user is informed that the password is invalid. However, behind the scenes, the password is collected by the attacker and will then be used later to access the compromised student account.

University support password invalid message

This attack appears to be basic in nature, but it is incredibly effective. Starting with the initial email, the malicious actor made a very convincing display of legitimacy. The use of the ‘Support Team’ name, the placement of the university name and logo, the inclusion of a well-known security brand, and the urgency in verifying the credentials all leads the student to take immediate action in order to avoid being locked out of his or her account.

With thousands of students needing access to email in order to complete their schoolwork, there is little doubt that a number of them could fall for this attack. And once the malicious actor has access to those passwords, there is little telling what additional damage could be done from within the accounts themselves. In fact, the attacker could use those credentials to access a number of university applications, programs, and personal information.

Why the Credential Phishing Attack Bypassed the SEG

This attack was successful in bypassing a popular secure email gateway used by the university. To do so, the attacker first sent identifying information of the university support team email to the university network servers from a location outside the university in an attempt to fool the server into thinking that the attacker was the legitimate owner of the compromised account. This act of forging authentication is known as spoofing.

Spoofing is typically detectable by secure email gateways, which identify and verify authentication information from senders. However, due to the extra steps taken by the attackers, the email bypassed the SEG, which grabbed the wrong credentials for means of authentication and allowed the email to be sent to recipients. This is typical of modern-day gateawys and stands as a testament to the importance of API solutions like Abnormal Security.

Despite the failure of the SEG, Abnormal Security was able to detect the attack at multiple levels, including the potentially spoofed sender email, and prevent the recipient from falling victim to the credential theft campaign.

University support phishing attempt Abnormal analysis

Even though this attack was observed at this particular university, there is nothing stopping attackers from branching out into other vulnerable locations where unsuspecting students, faculty, and auxiliary systems could become potential victims. It is critically important to be aware of the errors that come with SEGs and be prepared to employ innovative API technology in preventing these attacks—a critical change that could help students and faculty alike.

To learn more about how Abnormal stops this attack and those like it,request a demo of the platform today.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 11 22 Scaling Out Redis
As we’ve scaled our customer base, the size of our datasets has also grown. With our rapid expansion, we were on track to hit the data storage limit of our Redis server in two months, so we needed to figure out a way to scale beyond this—and fast!
Read More
B 05 17 22 Impersonation Attack
See how threat actors used a single mailbox compromise and spoofed domains to subtly impersonate individuals and businesses to coerce victims to pay fraudulent vendor invoices.
Read More
B 05 14 22 Best Workplace
We are over the moon to announce Abnormal has been named one of Inc. Magazine's Best Workplaces of 2022! Learn more about our commitment to our workforce.
Read More
B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More