US universities targeted by Office 365 phishing attacks


US universities have been the target of several phishing attacks designed to impersonate college login portals in order to steal valuable Office 365 credentials.

Decoys used in the latest campaigns include the COVID-19 Delta and Omicron variants and various themes about their alleged impact on educational programs.

These campaigns would be carried out by multiple threat actors from October 2021, with Proofpoint sharing details of the tactics, techniques, and procedures (TTPs) used in phishing attacks.

Target American universities

The phishing attack begins with an email claiming to be information about the new Omicron variant, COVID-19 test results, additional testing requirements, or class changes.

These emails trick the recipient to click on an attached HTM file, which takes them to a cloned login page for their university’s login portal.

HTM attachment arriving with the phishing email
HTM attachment arriving with the phishing email
Source: proof

The examples published by Proofpoint look very convincing in terms of appearance, and the URLs use a similar naming pattern that includes the top-level domain .edu.

For example, a phishing attack targeting Arkansas State University students used a URL of sso2[.]a state[.]education[.]boring[.]cf.

Spoofed university page with a login section
Spoofed university page with a login section
Source: proof

Further examples of malicious domains configured to support the phishing campaign are given below:

  • sso[.]ucmo[.]education[.]boring[.]cf / Covid19 / authenticationedpoint.html
  • hfbc bible study[.]org / demo1 / includes / jah /[university]/ auth[.]php *
  • afr-tours[.]co[.]za / includes / css / js / edu / web / etc / login[.]php *
  • travel aid[.]com / css / js /[university]/ auth[.]php *

HTM attachments have been very successful in phishing lately, as they allow actors to smuggle malware and assemble it on the target device. In this case, however, the HTM contains a link to a credential theft site.

In some cases (marked with an asterisk), these destinations are legitimate WordPress sites that have been compromised to steal credentials, so no alarms will be triggered by internet security or privacy protection tools. -mails when the victim lands on it.

Based on the URLs shared by Proofpoint, some of the universities targeted by these attacks include the University of Central Missouri, Vanderbilt, Arkansas State University, Purdue, Auburn, the University of West Virginia and the ‘University of Wisconsin-Oshkosh.

Snacking Duo OTP

To bypass MFA (Multi-Factor Authentication) protection on targeted college login pages, threat actors also created landing pages that spoof a DUO MFA page, which is used to steal one-time access codes sent. to students and teachers.

After a victim enters their credentials on the spoofed login page, the victim is prompted to enter the code they received via text message on their phone so that the actors can snatch it and use it. directly to take over the account.

Duo MFA system spoofing
Duo MFA system spoofing
Source: proof

This step requires immediate action because OTPs have short expiration times.


Office 365 credentials can be used by malicious actors to access the corresponding email account, send messages to other workgroup users, divert payments, and pursue phishing to steal more valuable accounts.

Additionally, the actor can access and exfiltrate sensitive information stored in the account’s OneDrive and SharePoint folders.

These phishing attacks could potentially lead to damaging BEC incidents and highly disruptive ransomware infections for universities.

HTM files are opened in a browser, so technically you can never be 100% sure. Don’t be curious if you receive one as an attachment in an unsolicited email.

Just mark the message as spam and delete it.


About Author

Comments are closed.