Cyber Incident Victim: University of Utah
Date: Oct 2020
Location: United States of America
Summary
Attackers hijacked legitimate university email accounts to distribute phishing emails and malware, exploiting compromised credentials likely obtained through poor password practices or credential harvesting. The hijacked accounts bypassed email authentication protocols like SPF and DMARC, enabling fraudulent messages—including fake Microsoft alerts and voicemail lures—to appear legitimate by originating from trusted academic servers. One institution's misconfigured SMTP server allowed attackers to relay phishing emails that passed security checks. The campaign leveraged trusted academic domains to steal credentials and deliver malware, capitalizing on remote learning shifts to target multiple educational entities.
Description
In 2020, cybercriminals compromised legitimate email accounts at multiple universities, including Purdue University, the University of Oxford, and Stanford University, to launch phishing and malware campaigns. The attacks, detected between January and September 2020, involved credential harvesting and account takeovers facilitated by weak password practices, such as students failing to change default passwords or professors sharing credentials for collaborative projects. Attackers altered compromised account passwords, locking out legitimate users, and leveraged the hijacked accounts to send emails that bypassed Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols. These emails appeared authentic because they originated from university servers, exploiting trust in institutional domains. Researchers identified over 3,000 malicious emails from compromised accounts at 13 universities, with Purdue University accounting for 2,068 phishing emails, followed by Oxford (714), Hunter College (709), and Worcester Polytechnic Institute (393). Attackers tailored lures to appear credible, such as impersonating Microsoft system alerts or missed call notifications.

The campaigns had multiple impacts, including credential theft and malware distribution. One attack used a Stanford University account to send emails falsely labeled as Microsoft system messages, directing recipients to fake Outlook login pages or malware-infected sites. Oxford University faced additional risks due to a misconfigured SMTP server, which attackers exploited as an open relay to send phishing emails that passed SPF and DMARC checks. This configuration flaw allowed unauthorized emails to be sent from non-local IP addresses without authentication. While the article did not specify remediation steps taken by the universities, researchers emphasized the need to secure SMTP servers against relay abuse. The broader higher-education sector faced parallel threats, including Iranian state-linked group TA407’s "Silent Librarian" spear-phishing campaigns. The shift to remote learning during the COVID-19 pandemic correlated with increased account hijackings and expanded targeting of academic institutions, though the exact compromise vectors remained unconfirmed.
