Cyber Incident Victim: Enercon
Date: Dec 2022
Location: Germany
Summary
A phishing attack compromised login credentials for 16 teacher and student accounts across multiple schools, with stolen data appearing on the Darknet. As a precaution, nearly 10,000 accounts were temporarily disabled while IT specialists investigated suspicious activity, later reactivating most after verification. The breach targeted Office 365 accounts, exposing access to collaboration tools like Teams and productivity applications including Word and Excel. Security measures were strengthened by mandating 12-character password resets for all affected accounts. Authorities confirmed the incident stemmed from credential harvesting rather than a direct system intrusion, discovered during routine monitoring. Eleven schools ultimately faced impact, though municipal systems remained unaffected due to segregated IT infrastructure.
Description
On December 1, 2022, a phishing attack compromised credentials from Office 365 accounts at nine schools in Nuremberg, Germany. Attackers obtained usernames and passwords belonging to 16 teacher and student accounts and subsequently offered them for sale on darknet markets. The compromised accounts provided access to Microsoft Teams for internal communication and videoconferencing, along with productivity applications such as Word and Excel and their associated cloud storage. As a precautionary containment measure, authorities disabled nearly 10,000 accounts across the affected institutions (Realschulen, Berufsschulen, and Gymnasien) to prevent potential lateral movement by the threat actors. Notification procedures were activated, alerting school administrators, the State School Office, and ministerial representatives at the Government of Middle Franconia. The municipal administration confirmed its systems remained unaffected because city infrastructure and school IT environments are kept on segregated networks.

Security teams conducted forensic analysis throughout the weekend following the incident, systematically reviewing account activity to identify compromised credentials. By December 12, investigators had cleared most accounts as uncompromised, allowing services to be reactivated and normal academic operations to resume. Eleven schools were ultimately confirmed as impacted, with additional accounts remaining under scrutiny. The response included mandatory password resets enforcing a 12-character minimum for all Office 365 accounts, reducing the risk posed by reused credentials. Authorities emphasized that the incident originated from credential phishing rather than direct system intrusion, and that it was detected during routine security monitoring rather than through an external breach notification. Operational impacts included temporary loss of access to collaboration tools and productivity software until account reinstatement and credential updates were completed.
