Cyber Incident Victim: University at Buffalo

Date:

Oct 2020

Location:

United States of America

Summary

Cybercriminals hijacked legitimate email accounts at more than a dozen universities, including Purdue, Oxford, and Stanford, and used them to send phishing emails that tricked recipients into handing over their email credentials or installing malware. Because the messages genuinely originated from the universities' own mail servers, they passed the SPF and DMARC checks that recipients rely on, so domain authentication offered no protection against them. The incident highlights how exposed higher education institutions are to account compromise and the limits of authentication-based email filtering.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

Between January and September 2020, cybercriminals compromised legitimate email accounts belonging to students, faculty, or staff at more than 13 universities, including Purdue University, the University of Oxford, Stanford University, Hunter College, and Worcester Polytechnic Institute. The suspected entry points were credential harvesting and weak password practices, such as unchanged default passwords and shared credentials left active after project collaborations ended. Once inside, the threat actors changed the account passwords to lock out the legitimate owners and launched phishing campaigns directly from the universities' mail servers. Because the messages left through servers that the universities' Sender Policy Framework (SPF) records authorize, they passed SPF at the recipient, and recipient organizations often allowlisted university domains outright, so the institutions' trusted domain reputation carried the messages past filtering. One campaign, sent from a legitimate Stanford account, imitated Microsoft system notices about quarantined messages and directed recipients to credential-harvesting pages mimicking Outlook login portals. Another, sent from Oxford and Purdue accounts, falsely notified recipients of missed calls and carried malicious attachments disguised as voicemail recordings. Researchers counted 2,068 malicious emails from Purdue accounts, 714 from Oxford, 709 from Hunter College, and 393 from Worcester Polytechnic Institute over the same period.
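The practical lesson of the two campaigns above is that a message can pass SPF and DMARC and still be a credential-phishing lure, so a recipient's filtering has to look at content even for mail from allowlisted academic domains. The following Python is an added example, not code from the original report or from INKY's tooling; the heuristics, the threshold, the sample messages, and the placeholder domains (`university.example`, `outlook-login.example.net`) are all constructed for illustration, and the attachment name is invented rather than taken from the incident.

```python
"""
Recipient-side triage for mail that already passed SPF/DMARC from an academic
domain.  Authentication results are deliberately not a feature: in this
incident the mail really did leave the universities' servers.  Heuristics and
sample messages are constructed for illustration; domains are placeholders.
"""
import re
from urllib.parse import urlparse

BRAND_TERMS = ("microsoft", "outlook", "office 365")
LURE_PHRASES = ("quarantine", "missed call", "voicemail", "verify your account")
HTML_SUFFIXES = (".htm", ".html")      # an HTML "recording" is a login page
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.  Production code should
    use the Public Suffix List (for example 'ox.ac.uk' needs three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_message(msg: dict) -> tuple:
    """Return (score, reasons) for one parsed message."""
    reasons = []
    sender_domain = msg["from"].rsplit("@", 1)[1].lower()
    text = f"{msg['subject']} {msg['body']}".lower()

    # 1. Brand wording (Microsoft quarantine notices) from a sender domain
    #    that is not the brand's own.
    is_brand_sender = sender_domain == "microsoft.com" or sender_domain.endswith(".microsoft.com")
    if any(term in text for term in BRAND_TERMS) and not is_brand_sender:
        reasons.append("brand impersonation from non-brand domain")

    # 2. Links that leave the sender's own domain: the credential page is
    #    hosted elsewhere while the envelope looks internal.
    for url in URL_RE.findall(msg["body"]):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != registrable_domain(sender_domain):
            reasons.append(f"link to foreign domain {host}")

    # 3. Lure wording of the kind used in the quarantine/voicemail campaigns.
    if any(phrase in text for phrase in LURE_PHRASES):
        reasons.append("quarantine/voicemail lure wording")

    # 4. HTML attachments presented as audio or documents.
    for name in msg.get("attachments", []):
        if name.lower().endswith(HTML_SUFFIXES):
            reasons.append(f"HTML attachment {name}")

    return len(reasons), reasons


def triage(messages, threshold: int = 2) -> list:
    """Senders whose messages reach the threshold, regardless of auth results."""
    return [m["from"] for m in messages if score_message(m)[0] >= threshold]


# Constructed sample messages.  All three carry passing authentication
# results, exactly as the hijacked-account mail in the incident did.
SAMPLE_MESSAGES = [
    {"from": "prof@university.example",
     "subject": "Seminar slides",
     "body": "Slides for Thursday's seminar are at https://courses.university.example/sec101/ "
             "- bring questions.",
     "attachments": [],
     "authentication": "spf=pass dmarc=pass"},
    {"from": "alumni.office@university.example",          # hijacked account
     "subject": "Microsoft 365: 3 messages quarantined",
     "body": "You have 3 quarantined messages. Review them at "
             "https://outlook-login.example.net/owa/ within 24 hours.",
     "attachments": [],
     "authentication": "spf=pass dmarc=pass"},
    {"from": "j.smith@university.example",                # hijacked account
     "subject": "Missed call: new voicemail",
     "body": "You have a new voice message. Open the attached recording to listen.",
     "attachments": ["VM_0412.wav.htm"],
     "authentication": "spf=pass dmarc=pass"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], score_message(m))
    print("flagged:", triage(SAMPLE_MESSAGES))
```

The legitimate seminar message scores zero because its only link stays within the sender's domain and it contains no brand or lure wording; the two hijacked-account lures score two or three even though their authentication headers are identical to the legitimate one. The registrable-domain helper is intentionally naive and should be replaced with a Public Suffix List lookup before use against real academic domains.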

The attacks also exploited weaknesses in the institutions' own infrastructure, including an improperly configured SMTP server at Oxford that acted as an open mail relay, accepting mail from any source for any destination. Messages routed through it left from Oxford's address space carrying Oxford sender addresses, so they passed both SPF and DMARC checks for Oxford domains at the recipient without the attacker needing an Oxford account at all. Compromised accounts, meanwhile, supported malware distribution and credential theft, with the fraudulent emails showing legitimate sender addresses that resolved to verifiable university profiles. Researchers from INKY tracked sustained campaign activity through October 2020 and noted that account hijackings increased during the COVID-19 pandemic lockdowns as universities moved to remote operations. The wider higher education sector faced parallel threats, including the Iran-linked Silent Librarian spear-phishing operations that have targeted academic credentials since 2019. Available reports describe no specific containment or remediation steps taken by the affected universities, though the researchers stressed the need to close SMTP servers to unauthorized relaying and to enforce stricter authentication on mail submission so that open relay abuse is not possible.
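The two mechanisms described on this page, the open relay and the hijacked accounts, defeat SPF and DMARC for the same reason: both checks authenticate the sending domain's infrastructure, not the person who submitted the message. The Python below is an added, simplified model written for this page rather than code from the researchers or any of the universities. It evaluates only `ip4:`/`ip6:` SPF terms and the SPF-aligned DMARC path (no DKIM), and every domain, IP range and SPF record in it is a constructed placeholder; `university.example` stands in for an institution such as Oxford, and the `RelayConfig` flag reproduces the open-relay misconfiguration beside its corrected form.

```python
"""
Model of why the phishing mail in this incident passed SPF and DMARC, and of
the relay policy that separates the open-relay misconfiguration from a
correctly configured MTA.  Offline and simplified: SPF evaluates ip4:/ip6:
terms and 'all' only; DMARC is evaluated on the SPF-aligned path only.
All domains, addresses and records are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

UNIVERSITY_DOMAIN = "university.example"
UNIVERSITY_NET = ipaddress.ip_network("203.0.113.0/24")   # the university's MTA range
UNIVERSITY_MTA = "203.0.113.10"                          # its outbound relay host
ATTACKER_IP = "198.51.100.7"                             # attacker-controlled host
VICTIM_DOMAIN = "victim.example"

# Published SPF record: only the university's own range may send for it.
SPF_RECORDS = {UNIVERSITY_DOMAIN: "v=spf1 ip4:203.0.113.0/24 -all"}


def spf_check(client_ip: str, mail_from_domain: str) -> str:
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:                   # skip the 'v=spf1' tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                                   # include:/a/mx not modelled
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def dmarc_check(client_ip: str, mail_from_domain: str, header_from_domain: str) -> str:
    """DMARC passes when a passing SPF identity aligns with the visible From: domain."""
    if spf_check(client_ip, mail_from_domain) == "pass" and mail_from_domain == header_from_domain:
        return "pass"
    return "fail"


@dataclass
class RelayConfig:
    open_relay: bool    # True reproduces the misconfiguration; False is the corrected MTA


def relay_decision(cfg: RelayConfig, client_ip: str, authenticated: bool, rcpt_domain: str) -> str:
    """What the university MTA answers to RCPT TO.  Inbound mail for local users
    is always accepted; relaying outbound requires an authenticated session or
    an origin inside the university's own network, unless the relay is open."""
    if rcpt_domain == UNIVERSITY_DOMAIN:
        return "accept"
    if authenticated or ipaddress.ip_address(client_ip) in UNIVERSITY_NET:
        return "accept"
    if cfg.open_relay:
        return "accept"                               # relays for anyone: the bug
    return "reject"


def outcome(cfg: RelayConfig, path: str) -> dict:
    """Results the victim's MX computes for a message claiming to come from
    UNIVERSITY_DOMAIN, for three delivery paths:
      'direct'      the attacker's host connects to the victim MX itself
      'open_relay'  the attacker submits unauthenticated to the university MTA
      'hijacked'    the attacker logs in with stolen credentials and submits"""
    if path == "direct":
        client, relay = ATTACKER_IP, "n/a"
    else:
        relay = relay_decision(cfg, ATTACKER_IP, path == "hijacked", VICTIM_DOMAIN)
        if relay != "accept":
            return {"relay": relay, "spf": None, "dmarc": None}
        client = UNIVERSITY_MTA     # the victim MX sees the university, not the attacker
    return {"relay": relay,
            "spf": spf_check(client, UNIVERSITY_DOMAIN),
            "dmarc": dmarc_check(client, UNIVERSITY_DOMAIN, UNIVERSITY_DOMAIN)}


if __name__ == "__main__":
    for label, cfg in (("open relay", RelayConfig(open_relay=True)),
                       ("hardened", RelayConfig(open_relay=False))):
        for path in ("direct", "open_relay", "hijacked"):
            print(f"{label:10} {path:10} {outcome(cfg, path)}")
```

Spoofing the domain directly from the attacker's host fails SPF because the published record hard-fails everything outside the university's range. Submitting through the open relay, or through a hijacked account, makes the university MTA the connecting host as seen by the victim, and SPF and DMARC both pass. Closing the relay removes the first path but leaves the hijacked-account path untouched, which is why securing the SMTP servers has to be paired with credential hygiene and the recipient-side content checks discussed earlier.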

Sources
Sources available to members
1 source