It has been reported that cybercriminals are hijacking legitimate email accounts from more than a dozen universities – including Oxford University, Purdue University, and Stanford University – and using the accounts to bypass detection and trick victims into handing over their email credentials or installing malware. Researchers said in 2020 so far they have discovered a number of malicious campaigns using compromised emails from at least 13 different universities. The highest number of phishing emails detected came from compromised Purdue University accounts (2,068), stolen in campaigns from Jan. to Sept. Behind Purdue University was Oxford (714 phishing emails detected), Hunter College (709), and Worcester Polytechnic Institute (393).
Threat actors have utilized these legitimate emails for different types of attacks. In one, victims received a message from a Stanford University account purporting to be a Microsoft “system message,” which tells users about the status of some quarantined messages. The email offered various links to view the quarantined messages, which, once clicked on, led to a Microsoft Outlook credential-harvesting site or would initiate a malicious code infection. An easy red flag here is that the sender’s email address is a legitimate university account — yet the email purports to come from Microsoft, researchers said.
Synonymous with this attack theme, our filters are continuously capturing quarantined email reports imitating many different legitimate filtering services. Advanced threat actors are keen to ensure deliverability to recipient inboxes. Whenever possible, they will leverage stolen credentials that pass sender verification checks with no additional work on their part such as SPF, DKIM, & DMARC. This makes their campaigns that much more successful. We find most threat actors worth their salt will either abuse legitimate services, setup sender verification correctly on their own domains, or just not use sender verification at all.
These actors are aware that a university or government domain can’t simply be blacklisted due to the legitimate traffic originating from it. In addition to universities, we’ve also seen a variety of government email accounts and websites compromised in an attempt to add the look of legitimacy to their attacks. Universities and government accounts are typically held to a higher standard since they have dedicated and highly-skilled IT teams to combat threats and abuse. This results resulting in less abuse originating from their platforms compared to other sectors. In respect to government accounts, these also might add more “stature and respect” from the viewpoint of the recipient. Depending on the government account, some recipients may even believe they need to comply with the threat actors directions, otherwise, they may fear criminal or civil penalties for non-compliance.
\”We expect this trend to continue as stolen accounts of these varieties are always in demand and typically command a higher price for threat actors on dark web forums where they are traded and sold.\”