Cyber Incident Victim: Hunter College
Date: Oct 2020
Location: United States of America
Summary
Attackers compromised legitimate email accounts at multiple universities, including Hunter College, to distribute phishing emails and malware while evading email authentication protocols like SPF and DMARC. The hijacked accounts sent fraudulent messages appearing as system alerts or missed-call notifications, directing victims to credential-harvesting sites or malicious attachments. Compromised credentials potentially stemmed from weak password practices, shared access, or misconfigured servers enabling unauthorized relay. The incident leveraged trusted academic domains to bypass security filters, exploiting institutional trust relationships to target external recipients. Pandemic-related remote learning expansions correlated with increased account takeovers across educational institutions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In 2020, cybercriminals hijacked legitimate email accounts from over a dozen universities, including Hunter College, to distribute phishing emails and malware. Between January and September 2020, researchers detected 709 malicious emails originating from compromised Hunter College accounts, ranking it third among affected institutions behind Purdue University and the University of Oxford. Attackers gained control of university email credentials through suspected credential-harvesting schemes, potentially exploiting weak password practices such as failure to change default credentials or sharing passwords among students and faculty. Once an account was compromised, threat actors changed its password to maintain persistent access. Because the hijacked accounts sent mail through the universities' own infrastructure, the fraudulent messages genuinely originated from trusted university domains and therefore passed SPF authentication checks. One campaign involved emails impersonating Microsoft system notifications about quarantined messages, containing links to credential-harvesting sites or malware downloads. The legitimate university domain in the email headers allowed these messages to pass SPF checks at recipient organizations.

The attacks exploited institutional trust relationships, as recipient organizations often permitted email traffic from university domains. Researchers observed that compromised accounts remained active in October 2020, indicating ongoing unauthorized access. While specific configuration vulnerabilities were documented at other institutions—such as Oxford’s misconfigured SMTP server enabling open mail relay attacks—no equivalent technical detail was provided regarding Hunter College’s infrastructure. The campaign impacted recipients through credential theft and malware infections, with attackers leveraging pandemic-related remote learning shifts that increased reliance on digital communication. Higher education institutions faced additional threats during this period, including separate Iranian state-aligned phishing campaigns, though no direct connection to the Hunter College incident was established. Researchers emphasized that compromised accounts could send emails passing both SPF and DMARC validation, making detection more challenging for recipients. No specific containment measures or institutional responses from Hunter College were detailed in available reporting.
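As an added example, not taken from the reporting or from any institution named above, the following Python triage check illustrates the detection problem the researchers describe: a passing SPF/DMARC result only proves the message came through the sender domain's infrastructure, which is exactly what a hijacked account provides, so the check combines the authentication verdict with the lure subject and off-domain links seen in this campaign. The sample message, the lure keyword list and the domain names are constructed placeholders.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Lure phrases drawn from the campaign description (constructed, extend as needed).
LURE_SUBJECTS = re.compile(r"quarantin|missed call|voice ?mail|mailbox|system alert", re.I)
URL_RE = re.compile(r'https?://[^\s<>"]+')

def auth_results(msg: Message) -> dict:
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def sender_domain(msg: Message) -> str:
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def external_links(msg: Message, domain: str) -> list:
    """Links whose host is not the sender's own domain (single-part text body assumed)."""
    body = msg.get_payload(decode=True).decode(errors="replace")
    links = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            links.append(url)
    return links

def classify(raw: str) -> dict:
    """Flag mail that authenticates cleanly yet carries a lure subject and off-domain links."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    dom = sender_domain(msg)
    links = external_links(msg, dom)
    lure = bool(LURE_SUBJECTS.search(msg.get("Subject", "")))
    authenticated = auth.get("spf") == "pass" and auth.get("dmarc") == "pass"
    return {"domain": dom, "authenticated": authenticated, "lure": lure,
            "external_links": links, "suspicious": authenticated and lure and bool(links)}

# Constructed sample modelled on the "quarantined messages" lure; all names are placeholders.
SAMPLE = """\
From: IT Service Desk <helpdesk@example-university.edu>
To: victim@example-partner.org
Subject: Action required: 3 messages quarantined
Authentication-Results: mx.example-partner.org; spf=pass smtp.mailfrom=example-university.edu; dkim=pass; dmarc=pass header.from=example-university.edu
Content-Type: text/plain; charset=utf-8

Your mailbox has quarantined messages. Review them at
http://review-portal.example-attacker.net/login?u=victim
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The point of the check is that `authenticated` is True for the sample even though it is phishing; a filter that trusts SPF/DMARC alone passes it, so the verdict has to rest on the lure and link signals.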
