
Cyber Incident Victim: University of New Mexico

Date: Oct 2020

Location: United States of America

Summary

Cybercriminals compromised legitimate email accounts at multiple universities to bypass email authentication protocols and distribute phishing lures and malware. Attackers exploited poorly secured credentials and misconfigured SMTP servers to send fraudulent messages appearing as system alerts or missed-call notifications, redirecting victims to credential-harvesting sites or malicious downloads. The hijacked accounts enabled threat actors to circumvent SPF and DMARC protections by leveraging trusted university domains, with some campaigns abusing open mail relays to distribute authenticated phishing emails. These attacks targeted educational institutions during increased remote operations, facilitating credential theft and malware infections through socially engineered messages.


Description

Between January and September 2020, cybercriminals compromised legitimate email accounts belonging to students, faculty, and staff at multiple universities, including Purdue University, University of Oxford, Hunter College, Worcester Polytechnic Institute, and Stanford University. Attackers gained unauthorized access through credential harvesting schemes, exploiting weak password practices such as password reuse, failure to update default credentials, and improper sharing of account credentials for academic projects. After compromising accounts, threat actors changed passwords to lock out legitimate owners and initiated phishing campaigns directly from university email servers. Researchers observed over 2,000 malicious emails originating from Purdue University accounts alone, with hundreds more traced to Oxford (714), Hunter College (709), and Worcester Polytechnic Institute (393). The attacks leveraged the trusted reputation of academic domains to bypass standard email security protocols.


The compromised accounts were used in several distinct campaigns. One campaign impersonated Microsoft system messages from Stanford University accounts, directing recipients to credential-harvesting pages disguised as quarantine notification portals. These emails passed Sender Policy Framework (SPF) checks because they originated from Stanford's authenticated servers, exploiting recipient organizations' policies that trusted emails from .edu domains. Attackers also sent fraudulent voicemail notifications with malicious attachments from legitimate Oxford and Purdue accounts. At Oxford, attackers exploited a misconfigured SMTP server that functioned as an open mail relay, enabling unauthorized sending of phishing emails that bypassed both SPF and DMARC validation. The pandemic-driven shift to remote education correlated with increased account hijackings, though researchers confirmed these attacks predated COVID-19, with initial detection in summer 2019. No specific containment measures or victim remediation efforts were detailed in available reports, though researchers emphasized ongoing compromises throughout 2020. Higher education institutions faced additional threats during this period, including Iran-linked spear-phishing campaigns targeting academic credentials, though these activities were unrelated to the email hijacking incidents.
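The core lesson of this incident is that an SPF or DMARC pass only proves a message left the sending domain's authorized infrastructure, which is exactly what a hijacked mailbox or an open relay produces. The triage rule below, an added example that is not part of the original report, holds a message that passes authentication from an external .edu domain when it carries the quarantine or voicemail lure pattern described above; all addresses, hosts and message bodies are constructed samples.

```python
"""Gateway triage rule: SPF/DMARC pass from an external .edu mailbox is not
a trust signal when the message mimics a system alert or voicemail notice."""
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example.org"  # the receiving organisation (constructed value)

# Lure vocabulary taken from the campaign types the report names.
SYSTEM_LURE = re.compile(r"quarantine|held messages?|voice ?mail|missed call", re.I)
BRAND_NAME = re.compile(r"microsoft|office ?365|outlook|help ?desk", re.I)

def auth_results(msg) -> dict:
    """Parse spf=/dkim=/dmarc= verdicts out of the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def triage(raw: str, own_domain: str = OWN_DOMAIN) -> dict:
    msg = message_from_string(raw)
    auth = auth_results(msg)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    external_edu = domain.endswith(".edu") and domain != own_domain
    reasons = []
    if external_edu and BRAND_NAME.search(name):
        reasons.append("vendor/IT display name on an external .edu mailbox")
    if external_edu and SYSTEM_LURE.search(msg.get("Subject", "") + " " + body):
        reasons.append("system-alert or voicemail lure from an external .edu mailbox")
    # Authentication results are recorded but never lower the score: a hijacked
    # account or an open relay yields a genuine pass from the domain's own servers.
    return {"auth": auth, "from_domain": domain,
            "verdict": "hold" if reasons else "deliver", "reasons": reasons}

# Constructed sample: the quarantine-portal lure sent from a hijacked account.
LURE = """\
From: "Microsoft Quarantine" <alice.student@example-university.edu>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-university.edu; dmarc=pass header.from=example-university.edu
Subject: [Action Required] 3 messages held in quarantine
Content-Type: text/plain

Review your held messages at http://example.invalid/quarantine-login
"""
# Constructed sample: ordinary collaboration mail from the same domain.
BENIGN = """\
From: "Alice Student" <alice.student@example-university.edu>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-university.edu; dmarc=pass header.from=example-university.edu
Subject: Draft of the joint paper
Content-Type: text/plain

Attached is the revised draft we discussed; comments welcome by Friday.
"""
```

Both samples carry identical spf=pass and dmarc=pass results; only the lure is held, which is the distinction a .edu allow-list policy cannot make.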
