Attackers Pose as University Support Team to Target Students

Higher education institutions continue to be prime targets for attack as cybercrimianls prey on unsuspecting students.
February 10, 2022

Higher education institutions continue to be prime targets for attack as cybercrimianls prey on unsuspecting students. In a recent attack uncovered by Abnormal, a credential phishing attacker impersonated the university support team to steal student credentials.

About the Credential Phishing Attack

Summary of Attack

  • Target: University Students

  • Platform: Outlook 365

  • Bypassed Secure Email Gateway: Yes

  • Payload: Phishing Link

  • Technique: Spoofed Internal Account

In this attack, cybercriminals attempted to spoof, or forge authentication, of a university support team email. Lucky for them, the secure email gateway (SEG) the university uses experienced an error in verifying sender credentials and allowed the malicious actor to pose as the support team in a way that is almost undetectable.

The attacker did this by including a subject line that contains what appears to be a benign password expiration notification coming from a legitimate university support team email domain. The body of the email contains a message stating that the password for the email account will expire later in the evening, a button which is connected to a link, and an urgent note stating that email may not be delivered if the account password is not verified. Finally, the footer contains the name of the distributing organization on campus: the IT support team.

university support email phishing attempt

After clicking on the link, recipients are directed to a simple web page containing a login prompt where the username is already filled in, a tactic typically used by attackers. The prompt contains the university name and logo and the name of a well-known security brand, Norton.

While this does not necessarily look like a Microsoft login page, the attackers are likely betting on the fact that students either may not know the difference, or may be too distracted to pay attention to these details.

University support fake signin page

After inputting the password to the email address, the user is informed that the password is invalid. However, behind the scenes, the password is collected by the attacker and will then be used later to access the compromised student account.

University support password invalid message

This attack appears to be basic in nature, but it is incredibly effective. Starting with the initial email, the malicious actor made a very convincing display of legitimacy. The use of the ‘Support Team’ name, the placement of the university name and logo, the inclusion of a well-known security brand, and the urgency in verifying the credentials all leads the student to take immediate action in order to avoid being locked out of his or her account.

With thousands of students needing access to email in order to complete their schoolwork, there is little doubt that a number of them could fall for this attack. And once the malicious actor has access to those passwords, there is little telling what additional damage could be done from within the accounts themselves. In fact, the attacker could use those credentials to access a number of university applications, programs, and personal information.

Why the Credential Phishing Attack Bypassed the SEG

This attack was successful in bypassing a popular secure email gateway used by the university. To do so, the attacker first sent identifying information of the university support team email to the university network servers from a location outside the university in an attempt to fool the server into thinking that the attacker was the legitimate owner of the compromised account. This act of forging authentication is known as spoofing.

Spoofing is typically detectable by secure email gateways, which identify and verify authentication information from senders. However, due to the extra steps taken by the attackers, the email bypassed the SEG, which grabbed the wrong credentials for means of authentication and allowed the email to be sent to recipients. This is typical of modern-day gateawys and stands as a testament to the importance of API solutions like Abnormal Security.

Despite the failure of the SEG, Abnormal Security was able to detect the attack at multiple levels, including the potentially spoofed sender email, and prevent the recipient from falling victim to the credential theft campaign.

University support phishing attempt Abnormal analysis

Even though this attack was observed at this particular university, there is nothing stopping attackers from branching out into other vulnerable locations where unsuspecting students, faculty, and auxiliary systems could become potential victims. It is critically important to be aware of the errors that come with SEGs and be prepared to employ innovative API technology in preventing these attacks—a critical change that could help students and faculty alike.

To learn more about how Abnormal stops this attack and those like it,request a demo of the platform today.

Attackers Pose as University Support Team to Target Students

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More
B State and Local Government Attack Trends
Advanced attacks targeting state and local governments are increasing. Discover what our research revealed about this alarming trend.
Read More
B Examining Employee Engagement with Email Attacks
Cybercriminals know that humans are your enterprise's biggest vulnerability and are successfully engaging with your employees at an alarming rate.
Read More
Explore how Abnormal’s AI Security Mailbox enhances cybersecurity by engaging and educating employees with personalized GenAI responses. Improve security awareness and streamline operations.
Read More
B Q2 2024 Attacks
In the second installment of our quarterly look-back at malicious emails, we examine 5 more recent noteworthy attacks detected and stopped by Abnormal.
Read More