
Cyber Incident Victim: Purdue University

Date:

Jan 2019

Location:

United States of America

Summary

Attackers compromised email accounts at multiple universities, including Purdue, and used them to distribute phishing messages and malware. Because the messages were sent from legitimate institutional domains through the institutions' own mail infrastructure, they passed email authentication checks such as SPF and DMARC, which validate the sending domain rather than the intent of the account holder. Purdue saw a high volume of such phishing, with hijacked accounts sending fraudulent emails that impersonated trusted entities such as Microsoft in order to steal credentials or deliver malicious code. At some institutions, attackers also used misconfigured mail servers to relay phishing emails that passed authentication checks. Compromised accounts were attributed to poor password practices, including reused or shared credentials. The campaign expanded during pandemic-related remote learning, targeting additional educational institutions for credential harvesting and malware distribution.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Cybercriminals compromised legitimate email accounts at Purdue University and other academic institutions beginning in summer 2019, using these accounts to distribute phishing emails and malware while evading standard email authentication protocols. Attackers gained control of accounts through suspected credential harvesting or through poor password security practices, such as failure to change default passwords, password sharing, or access retained after project collaborations ended. Once an account was compromised, attackers changed its password to maintain persistent access. Between January and September 2020 alone, researchers detected 2,068 malicious emails originating from hijacked Purdue accounts, the highest volume among the 13 affected universities. Attackers leveraged the legitimacy of university domains to pass Sender Policy Framework (SPF) filters: the messages originated from the universities' authorized mail servers, and recipient organizations often trusted email from recognized educational senders. One campaign spoofed Microsoft system notifications and was sent from a legitimate Stanford account, directing recipients to credential-harvesting pages or malware download sites. Another variant used compromised Oxford and Purdue accounts to send fake voicemail notifications with malicious attachments.

The campaign expanded during COVID-19 remote learning transitions, with increased account hijackings observed throughout 2020. Attackers exploited the trusted status of academic domains to make their phishing more credible: a recipient who checked the sender address would find a genuine university account rather than a spoofed one. While specific containment measures for Purdue were not disclosed, researchers highlighted configuration weaknesses, such as Oxford's misconfigured SMTP server that allowed unauthorized relay of phishing emails, as critical attack vectors across institutions. Impacts included credential theft, malware infections, and persistent unauthorized access to compromised accounts, some of which remained active months after initial detection. The broader education sector faced parallel threats, including Iran-linked TA407 spear-phishing campaigns targeting academic credentials since 2019. No confirmed attribution or specific financial losses from the Purdue incident were documented in available sources.
