Cyber Incident Victim: Worcester Polytechnic Institute
Date:
Jan 2019
Location:
United States of America
Summary
Cybercriminals compromised legitimate email accounts at Worcester Polytechnic Institute and over a dozen other universities, exploiting them to distribute phishing emails and malware while evading email authentication protocols like SPF and DMARC. Attackers hijacked poorly secured accounts—often due to weak passwords or shared credentials—to send fraudulent messages appearing as trusted institutional communications, including fake Microsoft system alerts and voicemail notifications that redirected victims to credential-harvesting sites or malicious downloads. The use of compromised university domains allowed threat actors to bypass security filters, leveraging institutional reputations to increase attack credibility. These campaigns, which intensified during pandemic-related remote learning, facilitated credential theft and malware infections across targeted academic communities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between January and September 2020, threat actors compromised legitimate email accounts at Worcester Polytechnic Institute (WPI) and over a dozen other universities, including Purdue University and the University of Oxford. Attackers hijacked 393 WPI email accounts to distribute phishing emails and malware campaigns. Researchers attributed the initial account compromises to poor credential hygiene, such as failure to change default passwords, password sharing among students and faculty, or failure to revoke temporary access after project collaborations. Once compromised, attackers changed the account passwords to maintain persistent access. Because the hijacked accounts sent mail through the universities' own authorized mail infrastructure, the messages passed Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks and appeared legitimate to recipients; these protocols verify the sending domain, not whether the account behind a message is under its owner's control.

These attacks leveraged university infrastructure to target external victims. One campaign spoofed Microsoft system messages directing recipients to credential-harvesting pages disguised as quarantine notification links. Another used voicemail-themed lures with malicious attachments. Researchers confirmed attackers exploited misconfigured SMTP servers at some institutions, including Oxford, which allowed unauthorized email relaying. While WPI’s specific server configurations weren’t detailed, the broader campaign demonstrated how compromised academic accounts could evade security filters. The COVID-19 pandemic correlated with increased attack volumes, with hijacked accounts rising during 2020 lockdowns as universities shifted to remote operations. No specific containment measures by WPI were disclosed, though researchers emphasized the necessity of securing SMTP servers against open relay abuse and enforcing multi-factor authentication. The incident exposed credential theft risks and malware propagation through trusted academic channels, impacting institutional credibility and recipient security.
