chat
expand_more

Attackers Pose as University Support Team to Target Students

Higher education institutions continue to be prime targets for attack as cybercrimianls prey on unsuspecting students.
February 10, 2022

Higher education institutions continue to be prime targets for attack as cybercrimianls prey on unsuspecting students. In a recent attack uncovered by Abnormal, a credential phishing attacker impersonated the university support team to steal student credentials.

About the Credential Phishing Attack

Summary of Attack

  • Target: University Students

  • Platform: Outlook 365

  • Bypassed Secure Email Gateway: Yes

  • Payload: Phishing Link

  • Technique: Spoofed Internal Account

In this attack, cybercriminals attempted to spoof, or forge authentication, of a university support team email. Lucky for them, the secure email gateway (SEG) the university uses experienced an error in verifying sender credentials and allowed the malicious actor to pose as the support team in a way that is almost undetectable.

The attacker did this by including a subject line that contains what appears to be a benign password expiration notification coming from a legitimate university support team email domain. The body of the email contains a message stating that the password for the email account will expire later in the evening, a button which is connected to a link, and an urgent note stating that email may not be delivered if the account password is not verified. Finally, the footer contains the name of the distributing organization on campus: the IT support team.

university support email phishing attempt

After clicking on the link, recipients are directed to a simple web page containing a login prompt where the username is already filled in, a tactic typically used by attackers. The prompt contains the university name and logo and the name of a well-known security brand, Norton.

While this does not necessarily look like a Microsoft login page, the attackers are likely betting on the fact that students either may not know the difference, or may be too distracted to pay attention to these details.

University support fake signin page

After inputting the password to the email address, the user is informed that the password is invalid. However, behind the scenes, the password is collected by the attacker and will then be used later to access the compromised student account.

University support password invalid message

This attack appears to be basic in nature, but it is incredibly effective. Starting with the initial email, the malicious actor made a very convincing display of legitimacy. The use of the ‘Support Team’ name, the placement of the university name and logo, the inclusion of a well-known security brand, and the urgency in verifying the credentials all leads the student to take immediate action in order to avoid being locked out of his or her account.

With thousands of students needing access to email in order to complete their schoolwork, there is little doubt that a number of them could fall for this attack. And once the malicious actor has access to those passwords, there is little telling what additional damage could be done from within the accounts themselves. In fact, the attacker could use those credentials to access a number of university applications, programs, and personal information.

Why the Credential Phishing Attack Bypassed the SEG

This attack was successful in bypassing a popular secure email gateway used by the university. To do so, the attacker first sent identifying information of the university support team email to the university network servers from a location outside the university in an attempt to fool the server into thinking that the attacker was the legitimate owner of the compromised account. This act of forging authentication is known as spoofing.

Spoofing is typically detectable by secure email gateways, which identify and verify authentication information from senders. However, due to the extra steps taken by the attackers, the email bypassed the SEG, which grabbed the wrong credentials for means of authentication and allowed the email to be sent to recipients. This is typical of modern-day gateawys and stands as a testament to the importance of API solutions like Abnormal Security.

Despite the failure of the SEG, Abnormal Security was able to detect the attack at multiple levels, including the potentially spoofed sender email, and prevent the recipient from falling victim to the credential theft campaign.

University support phishing attempt Abnormal analysis

Even though this attack was observed at this particular university, there is nothing stopping attackers from branching out into other vulnerable locations where unsuspecting students, faculty, and auxiliary systems could become potential victims. It is critically important to be aware of the errors that come with SEGs and be prepared to employ innovative API technology in preventing these attacks—a critical change that could help students and faculty alike.

To learn more about how Abnormal stops this attack and those like it,request a demo of the platform today.

Attackers Pose as University Support Team to Target Students

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

 
Integrates Insights Reporting 09 08 22

Related Posts

B Most Interesting Attacks Q1 2024
Take a look at five of the most unique and sophisticated email attacks recently detected and stopped by Abnormal.
Read More
B MKT499 Images for Customer Blog Series
Discover key industry trends and insights from cybersecurity leader Michael Marassa, CTO of New Trier Township High School District 203.
Read More
B Construction Professional Services QR Code Attacks
Abnormal data shows construction firms and professional service providers are up to 19.2 times and 18.5 times, respectively, more likely to receive QR code attacks than organizations in other industries.
Read More
B 1500x1500 Evolving Abnormal R2
From the beginning, we created Abnormal Security to be a generational company that protects people from cybercrime. Here’s how we’re doing it.
Read More
Blog Cover 1500x1500 Images for SOC Time Blog
Discover the critical tasks that occupy SOC analysts’ schedules beyond mere inbox management, and discover insights into optimizing efficiency in cybersecurity operations.
Read More
B 1500x1500 MKT494 Top Women in Cybersecurity
In honor of Women's History Month, we're spotlighting 10 women leaders who are making invaluable contributions to cybersecurity.
Read More