Attackers Pose as University Support Team to Target Students

February 10, 2022

Higher education institutions continue to be prime targets for attack as cybercrimianls prey on unsuspecting students. In a recent attack uncovered by Abnormal, a credential phishing attacker impersonated the university support team to steal student credentials.

About the Credential Phishing Attack

Summary of Attack

  • Target: University Students

  • Platform: Outlook 365

  • Bypassed Secure Email Gateway: Yes

  • Payload: Phishing Link

  • Technique: Spoofed Internal Account

In this attack, cybercriminals attempted to spoof, or forge authentication, of a university support team email. Lucky for them, the secure email gateway (SEG) the university uses experienced an error in verifying sender credentials and allowed the malicious actor to pose as the support team in a way that is almost undetectable.

The attacker did this by including a subject line that contains what appears to be a benign password expiration notification coming from a legitimate university support team email domain. The body of the email contains a message stating that the password for the email account will expire later in the evening, a button which is connected to a link, and an urgent note stating that email may not be delivered if the account password is not verified. Finally, the footer contains the name of the distributing organization on campus: the IT support team.

university support email phishing attempt

After clicking on the link, recipients are directed to a simple web page containing a login prompt where the username is already filled in, a tactic typically used by attackers. The prompt contains the university name and logo and the name of a well-known security brand, Norton.

While this does not necessarily look like a Microsoft login page, the attackers are likely betting on the fact that students either may not know the difference, or may be too distracted to pay attention to these details.

University support fake signin page

After inputting the password to the email address, the user is informed that the password is invalid. However, behind the scenes, the password is collected by the attacker and will then be used later to access the compromised student account.

University support password invalid message

This attack appears to be basic in nature, but it is incredibly effective. Starting with the initial email, the malicious actor made a very convincing display of legitimacy. The use of the ‘Support Team’ name, the placement of the university name and logo, the inclusion of a well-known security brand, and the urgency in verifying the credentials all leads the student to take immediate action in order to avoid being locked out of his or her account.

With thousands of students needing access to email in order to complete their schoolwork, there is little doubt that a number of them could fall for this attack. And once the malicious actor has access to those passwords, there is little telling what additional damage could be done from within the accounts themselves. In fact, the attacker could use those credentials to access a number of university applications, programs, and personal information.

Why the Credential Phishing Attack Bypassed the SEG

This attack was successful in bypassing a popular secure email gateway used by the university. To do so, the attacker first sent identifying information of the university support team email to the university network servers from a location outside the university in an attempt to fool the server into thinking that the attacker was the legitimate owner of the compromised account. This act of forging authentication is known as spoofing.

Spoofing is typically detectable by secure email gateways, which identify and verify authentication information from senders. However, due to the extra steps taken by the attackers, the email bypassed the SEG, which grabbed the wrong credentials for means of authentication and allowed the email to be sent to recipients. This is typical of modern-day gateawys and stands as a testament to the importance of API solutions like Abnormal Security.

Despite the failure of the SEG, Abnormal Security was able to detect the attack at multiple levels, including the potentially spoofed sender email, and prevent the recipient from falling victim to the credential theft campaign.

University support phishing attempt Abnormal analysis

Even though this attack was observed at this particular university, there is nothing stopping attackers from branching out into other vulnerable locations where unsuspecting students, faculty, and auxiliary systems could become potential victims. It is critically important to be aware of the errors that come with SEGs and be prepared to employ innovative API technology in preventing these attacks—a critical change that could help students and faculty alike.

To learn more about how Abnormal stops this attack and those like it,request a demo of the platform today.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 10 3 22 Cobalt Terrapin Blog
Threat group Cobalt Terrapin uses sophisticated impersonation techniques with multiple steps to commit invoice fraud.
Read More
B 09 29 22 CISO Cybersecurity Awareness Month
October is here, which means Cybersecurity Awareness Month is officially in full swing! These five tips can help security leaders take full advantage of the month.
Read More
B Email Security Challenges Blog 09 26 22
Understanding common email security challenges caused by your legacy technology will help you determine the best solution to improve your security posture.
Read More
B 5 Crucial Tips
Retailers are a popular target for threat actors due to their wealth of customer data and availability of funds. Here are 5 cybersecurity tips to help retailers reduce their risk of attack.
Read More
B 3 Essential Elements
Legacy approaches to managing unwanted mail are neither practical nor scalable. Learn the 3 essential elements of modern, effective graymail management.
Read More
B Back to School
Discover how threat group Chiffon Herring leverages impersonation and spoofed email addresses to divert paychecks to mule accounts.
Read More
B 09 06 22 Rearchitecting a System Blog
We recently shared a look at how the Abnormal engineering team overhauled our Unwanted Mail service architecture to accommodate our rapid growth. Today, we’re diving into how the team migrated traffic to the new architecture—with zero downtime.
Read More
B Industry Leading CIS Os
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 12 innovative and influential thought leaders on social media.
Read More
B Podcast Engineering 11 08 24 22
In episode 11 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, continues his conversation with Zehan Wang, co-founder of Magic Pony.
Read More