Cyber Incident Victim: University of Texas at Austin
Date: Oct 2020
Location: United States of America
Summary
Cybercriminals compromised email accounts at multiple universities to distribute phishing emails and malware, bypassing email authentication protocols like SPF and DMARC. Attackers hijacked legitimate accounts—potentially through credential harvesting or poor password management—and sent fraudulent messages appearing as system alerts or missed calls, directing victims to credential-harvesting sites or malicious attachments. One campaign exploited a misconfigured SMTP server at an institution to relay phishing emails, while others leveraged trusted domains to evade security filters. The surge in remote learning during the pandemic correlated with increased account takeovers and targeting of academic institutions, enabling threat actors to exploit compromised credentials for broader attacks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between January and September 2020, cybercriminals compromised legitimate email accounts belonging to students, faculty, and staff at multiple universities, including Purdue University, the University of Oxford, and Stanford University. Attackers gained unauthorized access to these accounts through suspected credential harvesting schemes, potentially exploiting weak password practices such as failure to change default credentials, password sharing, or failure to revoke temporary access after project completion. Once compromised, attackers altered account passwords to maintain persistent control. These hijacked accounts were then used to send phishing emails directly from university email servers, allowing malicious messages to bypass Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) email authentication protocols. The abuse of legitimate university domains enabled attackers to circumvent standard email security filters at recipient organizations.

Researchers observed at least 13 universities targeted in these campaigns, with Purdue University accounts generating the highest volume of malicious emails (2,068 detected phishing messages). Attackers deployed multiple phishing lures through compromised accounts, including fabricated Microsoft system alerts from Stanford accounts directing victims to credential-harvesting pages disguised as Outlook login portals. Other campaigns used Oxford and Purdue accounts to send emails claiming recipients had missed calls, with malicious attachments posing as voicemail recordings. An additional attack vector exploited a misconfigured SMTP server at the University of Oxford, which attackers used as an open mail relay to send authenticated phishing emails that passed both SPF and DMARC checks. The COVID-19 pandemic coincided with an increase in account hijackings and expanded targeting of educational institutions, as remote learning expanded attack surfaces. While researchers from INKY detected ongoing compromises throughout 2020, the articles did not specify remediation actions taken by the affected universities beyond identifying the SMTP configuration vulnerability at Oxford.
