The cybercriminal interest in hijacking university email domains is one of cybersecurity’s worst-kept secrets, and yet it’s a problem that only seems to generate more bad news.
University domains and their email addresses are useful for all sorts of reasons, but a recurring theme in recent times has been the help they provide in sneaking phishing attacks through corporate email gateways.
It’s a simple principle. Business email servers perform reputation checks on incoming email, rejecting any from suspect or unknown domains. The answer, then, is to hijack domains that have a good reputation. As a bonus, it’s likely that the legitimate return address could make recipients more likely to be taken in by the phish.
New figures from email security company INKY shed some light on this tactic and the prestigious domains being abused to launch attacks.
In varying periods of months during 2020, the company filtered 714 phishing emails coming from Oxford University domains, 287 from Stanford University, and 2,068 from Purdue University in Indiana.
Many other US university domain phishing emails were snagged in its traps with dozens to hundreds of detections from institutions including Hunter College, the University of Buffalo, the University of New Mexico, the University of Chicago, the University of Texas, Worcester Polytechnic Institute, Louisiana State University, the University of California, Davis, the University of Utah, and University of California, LA.
Considering the vast number of emails originating from these domains on any given day, these numbers are vanishingly tiny. Against that comforting thought, however, is the fact that this is only one provider protecting a relatively small number of corporate clients, which implies those emails are probably the tip of an unseen iceberg.
“From there, it’s a short hop with a booby-trapped malicious email into the unsuspecting commercial organization, where the phished recipient who clicked on the poisoned link or clever redirect has their login credentials harvested and used against the organization for further mayhem,” wrote Inky.
In one example, the phishing lure was a Microsoft 365 message inviting the recipient to access quarantined files. This phishing attempt was caught – the Microsoft theme of the phishing was too obvious – but had it got past security it might have looked perfectly plausible to an unwary eye.
A quick look at the email headers confirmed that this was the result of an account takeover, which offers a clue to how such attacks are engineered. Attackers must still generate the phishing email from their own location, getting the university server to forward it as one of its own. In this, they are aided by being able to use university servers as relays.
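The header check described above can be turned into a simple triage routine. The following is an added example, not code from the original article or from INKY: it walks the Received: chain of a message and flags the pattern of an account-takeover relay, where the earliest hop is an authenticated submission from an IP outside the sending institution's network that the institution's own MTA nonetheless accepted. The hostnames, IP addresses, addresses and the trusted network range are all constructed placeholders.

```python
"""Triage a message's Received: chain for an account-takeover relay pattern.

Added example (not from the original article). All hosts, IPs, addresses and
the 'trusted' network range below are constructed placeholders.
"""
import email
import email.utils
import ipaddress
import re

# Constructed: the university's mail infrastructure range (assumption).
UNIVERSITY_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: phish submitted over SMTP AUTH from an outside IP,
# accepted by the university's submission server and relayed to a corporate MX.
SAMPLE = """\
Received: from mail.university.example (mail.university.example [203.0.113.10])
\tby mx.corp.example with ESMTPS; Tue, 1 Dec 2020 10:02:11 +0000
Received: from smtp.university.example (smtp.university.example [203.0.113.20])
\tby mail.university.example with ESMTP; Tue, 1 Dec 2020 10:02:09 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby smtp.university.example with ESMTPSA; Tue, 1 Dec 2020 10:02:07 +0000
From: "IT Support" <support@university.example>
To: finance@corp.example
Subject: Quarantined messages awaiting review

Please review your quarantined files.
"""

# Constructed sample: a legitimate message submitted from inside the campus range.
CLEAN = """\
Received: from mail.university.example (mail.university.example [203.0.113.10])
\tby mx.corp.example with ESMTPS; Tue, 1 Dec 2020 11:00:00 +0000
Received: from ws.university.example (ws.university.example [203.0.113.55])
\tby mail.university.example with ESMTPSA; Tue, 1 Dec 2020 10:59:58 +0000
From: "Registrar" <registrar@university.example>
To: finance@corp.example
Subject: Invoice query

Could you confirm receipt of invoice 1042?
"""

# Matches the common "from HELO (rdns [ip]) by HOST with PROTO" clause.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>[^\s;]+)"
)


def parse_received_chain(raw):
    """Return parsed hops, earliest (originating) hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", header)  # unfold continuation lines
        match = RECEIVED_RE.search(flat)
        if match:
            hops.append(match.groupdict())
    hops.reverse()  # headers are prepended, so the last one is the origin
    return hops


def assess_relay(raw, trusted_nets):
    """Classify the originating hop relative to the claimed sender domain."""
    msg = email.message_from_string(raw)
    hops = parse_received_chain(raw)
    if not hops:
        return {"verdict": "unknown", "signals": ["no parsable Received headers"]}

    sender_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin = hops[0]
    ip = ipaddress.ip_address(origin["ip"])

    external = not any(ip in net for net in trusted_nets)
    # ESMTPA / ESMTPSA denote SMTP AUTH submission, i.e. someone logged in.
    authenticated = origin["proto"].upper() in ("ESMTPA", "ESMTPSA")
    accepted_by_sender_mta = origin["by"].lower().endswith(sender_domain)

    signals = []
    if external:
        signals.append("origin_ip_external")
    if authenticated:
        signals.append("origin_used_smtp_auth")
    if accepted_by_sender_mta:
        signals.append("origin_accepted_by_sender_mta")

    if external and authenticated and accepted_by_sender_mta:
        verdict = "account-takeover-relay"   # outsider logged in to the sender's own MTA
    elif external and accepted_by_sender_mta:
        verdict = "external-origin-relayed"  # open or misconfigured relay, worth a look
    else:
        verdict = "consistent"

    return {
        "verdict": verdict,
        "sender_domain": sender_domain,
        "origin_ip": str(ip),
        "origin_by": origin["by"],
        "signals": signals,
    }


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE), ("clean", CLEAN)):
        print(label, assess_relay(raw, UNIVERSITY_NETS))
```

The verdict is a triage hint rather than proof: a university that lets travelling staff submit mail over SMTP AUTH from any network will produce the same "external, authenticated, accepted" pattern for legitimate mail, so the output is best fed into a rule that also weighs the lure content, and the trusted range must come from the institution's actual infrastructure rather than a guess.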