Students targeted with university-themed phishing emails

(Image credit: Shutterstock / DRogatnev)

A new phishing campaign has been discovered that looks to impersonate communications from universities. Like many other phishing attacks, the scam aimed to trick individuals into handing over their Office 365 credentials.

Cloud-based email security firm Zix discovered the attack back in October, after identifying suspicious activity coming from legitimate university .EDU servers. Threat actors would sometimes impersonate a university’s IT department, asking targets to take action if they wanted to keep their Office 365 password the same before a fictitious expiry deadline passed.

Potential phishing victims were then redirected to a domain that asked visitors to authenticate themselves by entering their Office 365 usernames and passwords – unwittingly handing them over to the attacker. A similar technique was employed in order to steal Outlook credentials.

Keep your devices virus-free with the best malware removal software
And here's our round of the best ransomware protection tools
We've also put together a list of the best antivirus software available

Phishing season

The AppRiver team at Zix identified this phishing campaign as particularly noteworthy for the way that it bypassed a number of sender verification checks, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

Although corporate phishing campaigns attract much of the attention, scams targeting the education sector are not uncommon. In October, Malwarebytes highlighted another phishing attack that was directing efforts against universities and schools.

More generally, phishing campaigns seemed to have thrived this year, with threat actors taking advantage of the confusion and misinformation that has surrounded the coronavirus pandemic. Zix has recommended that organizations, whether in the corporate or education sector, become better prepared for the many phishing threats circulating today. In addition to investing in a robust email security solution, organizations should also train their staff to remain vigilant against suspicious emails.

We've highlighted the best email services on the market

Via Zix

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services. After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.