
Cyber Incident Victim: University of Oxford

Date: Jun 2019

Location: United Kingdom

Summary

Attackers compromised legitimate email accounts at the University of Oxford and other academic institutions and used them to distribute phishing emails and malware while evading email authentication checks. At Oxford they abused an improperly configured SMTP server that acted as an open relay: because the mail left through the university's own authorized mail server, it passed SPF and DMARC checks at the recipient even though it had been injected from outside. The emails impersonated trusted entities such as Microsoft or carried voicemail-themed lures, redirecting victims to credential-harvesting sites or malware downloads. The campaign exploited weak account security practices, including reused or shared passwords, and expanded during the shift to pandemic-era remote learning. Multiple universities were affected; Oxford was among the most heavily targeted institutions by detected phishing volume.


Description

In 2019, attackers began compromising legitimate email accounts at multiple universities, including the University of Oxford, to distribute phishing emails and malware while evading standard email authentication protocols. Researchers observed these hijacked accounts being used to send fraudulent messages impersonating trusted entities such as Microsoft, often directing recipients to credential-harvesting pages or malicious attachments. At Oxford, attackers exploited an improperly configured Simple Mail Transfer Protocol (SMTP) server, enabling them to send phishing emails that passed both Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks. The reason is structural: SPF validates only the IP address of the last SMTP hop, and DMARC accepts an SPF pass as long as the envelope sender domain aligns with the From: header domain, so mail relayed through the university's own authorized server authenticated as genuine regardless of who injected it. The misconfiguration allowed Oxford's server to function as an open mail relay, accepting mail from unauthorized external IP addresses and forwarding it to non-local mailboxes. Between January and September 2020, researchers documented 714 malicious emails originating from compromised Oxford accounts, the second-highest volume among the 13 affected universities. Attackers also sent messages from Oxford accounts falsely notifying recipients of "missed calls", with malicious voicemail attachments.
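The following Python model is an added example, not code from the original reporting or from Oxford's systems. It shows why an open relay inside a domain's SPF range launders spoofed mail: the same attacker-injected message fails SPF and DMARC when sent directly, but passes both once the university MTA relays it, because the receiving side only ever sees the relay's IP. The domain uni.example, the IP addresses and the SPF/DMARC records are all constructed for the example; the SPF evaluator handles only ip4 mechanisms and the catch-all, and DMARC is evaluated on the SPF path alone (no DKIM), which is the path the incident description concerns.

```python
import ipaddress
from dataclasses import dataclass, replace

# All records, addresses and IPs below are constructed for this example.
# "uni.example" stands in for a university domain; 192.0.2.0/24 is its
# published outbound MTA range; 198.51.100.7 is the attacker's host.
SPF_RECORDS = {"uni.example": "v=spf1 ip4:192.0.2.0/24 -all"}
DMARC_POLICIES = {"uni.example": {"p": "reject", "aspf": "r"}}
UNI_MTA_IP = "192.0.2.25"
UNI_INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
ATTACKER_IP = "198.51.100.7"
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass(frozen=True)
class Message:
    client_ip: str    # IP of the host that connected to the receiving MTA
    mail_from: str    # SMTP envelope sender (RFC5321.MailFrom)
    header_from: str  # RFC5322.From, what the user sees
    rcpt_to: str
    authenticated: bool = False  # did SMTP AUTH succeed on this hop?


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def org_domain(domain: str) -> str:
    # Crude organizational-domain rule (last two labels); a real
    # implementation consults the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def spf_check(client_ip: str, mail_from: str) -> str:
    """Evaluate ip4 mechanisms and the 'all' catch-all of a v=spf1 record.
    SPF vouches only for the connecting IP, never for who injected the mail."""
    record = SPF_RECORDS.get(domain_of(mail_from))
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIER_RESULT[qualifier]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def dmarc_check(msg: Message) -> str:
    """DMARC on the SPF path only: pass requires an SPF pass whose envelope
    domain is aligned (relaxed or strict) with the From: header domain."""
    from_domain = domain_of(msg.header_from)
    policy = DMARC_POLICIES.get(org_domain(from_domain))
    if policy is None:
        return "none"
    spf = spf_check(msg.client_ip, msg.mail_from)
    env_domain = domain_of(msg.mail_from)
    if policy.get("aspf", "r") == "s":
        aligned = env_domain == from_domain
    else:
        aligned = org_domain(env_domain) == org_domain(from_domain)
    return "pass" if spf == "pass" and aligned else "fail"


def mta_accepts_relay(msg: Message, open_relay: bool) -> bool:
    """Relay policy of the university MTA for a message arriving from
    msg.client_ip. A correct MTA relays to non-local recipients only for
    internal or authenticated clients; an open relay accepts anything."""
    if open_relay:
        return True
    local_recipient = domain_of(msg.rcpt_to) == "uni.example"
    trusted_client = msg.authenticated or ipaddress.ip_address(msg.client_ip) in UNI_INTERNAL_NET
    return local_recipient or trusted_client


def send_phish(open_relay: bool) -> tuple:
    """Attacker injects a spoofed university message from ATTACKER_IP.
    Returns (path, spf_result, dmarc_result) as seen by the external recipient."""
    injected = Message(client_ip=ATTACKER_IP,
                       mail_from="staff@uni.example",
                       header_from="it-support@uni.example",
                       rcpt_to="victim@other.example")
    if mta_accepts_relay(injected, open_relay):
        # The relay forwards the message; the recipient's MTA now sees the
        # university server, not the attacker, as the connecting host.
        delivered = replace(injected, client_ip=UNI_MTA_IP)
        path = "relayed-via-university-mta"
    else:
        # Rejected by the relay, so the attacker has to connect directly.
        delivered = injected
        path = "direct-from-attacker"
    return path, spf_check(delivered.client_ip, delivered.mail_from), dmarc_check(delivered)


if __name__ == "__main__":
    print("open relay     :", send_phish(open_relay=True))
    print("hardened relay :", send_phish(open_relay=False))
```

The fix the researchers called for corresponds to the `open_relay=False` branch of `mta_accepts_relay`: the server relays to outside domains only for clients on its own network or those that completed SMTP AUTH, so an external attacker is rejected and must connect directly, where the published `-all` record makes the message fail SPF and therefore DMARC. Note that the hardened policy does nothing against the other vector the report describes, a hijacked account that authenticates legitimately; that case is addressed by credential hygiene and compromise detection, not relay restrictions.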


The campaign leveraged credentials potentially obtained through credential-harvesting schemes or poor password hygiene, such as unchanged default passwords or credentials shared among students and faculty. While the exact initial compromise vector for the Oxford accounts remained unconfirmed, researchers noted that attackers changed account passwords after compromise to lock out legitimate users. The use of authentic university domains let phishing emails bypass organizational email filters, since recipient systems often trusted mail from academic (.edu) domains. This abuse of trusted domains increased the effectiveness of attacks against both academic and external recipients. The incident formed part of a broader trend of attacks on higher education institutions, with volumes rising during COVID-19 pandemic lockdowns. Threatpost contacted Oxford for comment, but no institutional response or remediation details were disclosed in the available reporting. Researchers emphasized that SMTP servers must be configured to refuse relaying for unauthenticated external clients so they cannot be abused as open relays.
