
A Lesson in Phishing: University Account Takeover

The Academy as Attack Vector

We live in a time when academic achievement isn’t celebrated as much as it once was, but many people still think of universities as repositories of objective analysis, intellectual rigor, and moral rectitude. On a professional level, many companies trust academic sources, particularly if they're already doing business with them. Thus, many corporate secure email servers are set to allow in messages from university domains. If Raytheon hires the occasional MIT professor to work on a project, Raytheon’s email security measures are happy to see messages coming from And therein lies the rub.

Because of corporate email servers' tendency to trust email coming from universities, this avenue has turned into an attack vector of choice for evil hackers, who take over badly guarded university email accounts and use them against corporate targets. Most legacy email security gateways do nothing to stop this type of attack. INKY, however, sees the discrepancy between where the email purports to come from (e.g., Microsoft) and where it actually comes from (e.g., the University of Oxford), flagging the phishing assault for both IT and the user.

Hijacked University Accounts

Cybercriminals can get at the corporate digital gold mine through perfectly legitimate university accounts. The legacy Secure Email Gateways, also known as SEGs, let them in because their credentials are impeccable: their emails really do originate from a known — perhaps even honorable — academic institution. But given the yearly comings and goings at universities, academics' email accounts are subject to takeover. A student may never change an originally assigned password, or may share it with a friend or friends. A professor may give a student the password to an account for a particular project and never change it when the project is done. Hackers tapping around find these carelessly handled accounts, take them over, and change the passwords themselves, locking out the original owner.

From there, it’s a short hop with a booby-trapped malicious email into the unsuspecting commercial organization, where the phished recipient who clicked on the poisoned link or clever redirect has their login credentials harvested and used against the organization for further mayhem.

INKY REPORT - Hijacked University Accounts

This year INKY detected and stopped thousands of phishing emails that originated from multiple university accounts and email servers. These phishing attacks evaded detection by legacy Secure Email Gateways (SEGs) because they came from real accounts and domains, which passed SPF email authentication and other reputation checks.
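The mismatch described above, between the brand an email claims and the domain it was actually sent from, can be checked even when SPF passes. The following is an added example, not INKY's implementation or code from the report: a simplified heuristic in which the brand table, the suffix set, the function names, and the sample messages are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed brand table (illustrative): display-name keyword -> domains the brand sends from.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "office.com"},
                 "docusign": {"docusign.com", "docusign.net"}}
# Tiny stand-in for the Public Suffix List; use the real list in production.
TWO_LABEL_SUFFIXES = {"ac.uk", "co.uk", "edu.au"}

def org_domain(host):
    """Reduce a hostname to its organizational domain (mail.x.ac.uk -> x.ac.uk)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def spf_verdict(msg):
    """Extract the spf= result from the Authentication-Results header, if present."""
    for part in (msg.get("Authentication-Results") or "").split(";"):
        if part.strip().startswith("spf="):
            return part.split()[0][4:]
    return None

def check(raw):
    """Flag mail whose display name claims a brand the sending domain does not belong to."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    actual = org_domain(addr.rpartition("@")[2])
    claimed = next((b for b, doms in BRAND_DOMAINS.items()
                    if b in display.lower() and actual not in doms), None)
    return {"flag": claimed is not None, "claimed": claimed,
            "actual": actual, "spf": spf_verdict(msg)}

# Constructed sample messages (reserved .example domains, not real traffic).
AUTH = "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail.university.example\n"
HIJACKED = (AUTH + 'From: "Microsoft 365 Security" <j.doe@mail.university.example>\n'
            "Subject: Password expiry notice\n\nReview your account.\n")
ORDINARY = (AUTH + 'From: "Jane Doe" <j.doe@mail.university.example>\n'
            "Subject: Project meeting\n\nSee you Tuesday.\n")

if __name__ == "__main__":
    for name, raw in (("hijacked", HIJACKED), ("ordinary", ORDINARY)):
        print(name, check(raw))
```

Both samples carry `spf=pass`, so an allow rule keyed on authentication results or sender domain alone treats them identically; only the comparison of claimed brand against sending domain separates them.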

Institutions caught up in these phishing scams included Purdue University; University of Oxford; Stanford University; Hunter College; University at Buffalo; University of New Mexico; University of Chicago; University of Texas; Worcester Polytechnic Institute; Louisiana State University; University of California, Davis; University of Utah; and University of California, Los Angeles.

The Wild West

The black hats are clever and always shape-shifting to regain access to corporate email servers when they are discovered and locked out. For now, the university account takeover is working much of the time. INKY, among all white hats, is the most advanced email security solution in detecting and defeating this attack vector.

To learn more about university account takeovers, download and read our INKY Report, entitled Hijacked University Accounts. To explore what INKY could do for your organization, whether it involves account takeovers or the myriad of other phishing threats disrupting business today, sign up for a free demonstration.

