Date: Oct 2020

Location: United States of America

Summary

Cybercriminals hijacked legitimate email accounts at multiple universities to distribute phishing messages and malware, bypassing email authentication protocols like SPF and DMARC. Attackers exploited compromised accounts—gained through weak credentials or shared passwords—to impersonate trusted entities, directing victims to credential-harvesting sites or malicious attachments disguised as system alerts or voicemails. Misconfigured SMTP servers at some institutions enabled further abuse, allowing phishing emails to pass security filters. The campaign leveraged the shift to remote learning during the pandemic, expanding its reach across academic targets to steal login credentials and deliver malware infections.


Description

In 2020, cybercriminals compromised legitimate email accounts at multiple universities, including Purdue University, the University of Oxford, Stanford University, Hunter College, and Worcester Polytechnic Institute, to launch phishing and malware campaigns. Attackers gained control of accounts through suspected credential harvesting, exploiting weak password practices such as unchanged default credentials, password sharing, or failure to revoke temporary access. Between January and September 2020, researchers observed over 2,000 malicious emails from compromised Purdue accounts, followed by 714 from Oxford, 709 from Hunter College, and 393 from Worcester Polytechnic Institute. The hijacked accounts allowed threat actors to bypass email authentication protocols like Sender Policy Framework (SPF) and DMARC, as messages originated directly from university servers. One campaign impersonated Microsoft "system messages" from a Stanford account, directing recipients to credential-harvesting pages or malware downloads. Attackers leveraged the universities’ domain reputations to evade filters, with recipient organizations often trusting emails from these domains.


Researchers identified multiple attack vectors, including emails from Oxford and Purdue accounts falsely notifying recipients of missed calls with malicious voicemail attachments. A misconfigured SMTP server at Oxford enabled attackers to abuse it as an open mail relay, automatically generating phishing emails that passed SPF and DMARC checks. This configuration flaw allowed unauthorized email forwarding from non-local IP addresses. The COVID-19 pandemic exacerbated the issue, with remote learning correlating to increased account hijackings and expanded targeting of educational institutions. While no specific containment actions by the affected universities were detailed, researchers emphasized the necessity of securing SMTP servers against relay abuse and enforcing stricter password policies. Concurrently, the higher-education sector faced unrelated threats like the Iranian-linked "Silent Librarian" spear-phishing campaigns, though these were distinct from the broader email hijacking incidents.
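The relay misconfiguration described above, shown as an added illustration rather than anything from the incident record: the page does not name the mail software involved, so Postfix is assumed here, and the weak fragment is placed beside the hardened one that confines relaying to known hosts and authenticated users.

```conf
# Postfix main.cf fragments (assumed MTA; the incident record names no software).
# Addresses are placeholders from the documentation range, not real hosts.

# WEAK: every address is treated as "local", so any remote client may hand the
# server mail for any destination. The server then emits that mail from the
# institution's own IP space, which is why it passes SPF and DMARC downstream.
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks

# HARDENED: trust only loopback and the institution's own mail hosts, require
# SASL authentication for anyone else, and refuse relaying to destinations the
# server is not responsible for. Ordering matters: the reject rule must be
# reached by clients that matched neither permit rule.
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Note: permit_sasl_authenticated still lets a hijacked account send mail that
# passes SPF/DMARC; the relay fix closes the open-relay path only, and the
# credential hygiene measures mentioned above remain necessary for the rest.
```

After editing, `postconf -n mynetworks smtpd_relay_restrictions` prints the effective values so the change can be confirmed before reloading.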
