University Cyber-Attack - Anatomy of a Phish

University Cyber-Attack - Anatomy of a Phish

The Cyber threat against the University is ever present.

A sharp reminder of this fact raised its head recently in the form of a successful attack on a University staff member’s IT account.

This article describes the sophisticated nature of the attack, how it used both technical and social engineering techniques, and provides advice on how you can help prevent your account from being compromised.

Phishing and Social Engineering

Like most Cyber-attacks, this one began with the receipt of a phishing email.

This email came from a genuine account of a staff member at another University, who was also a recent contact of the victim. However, the sender’s account had already been compromised.

The email subject was intentionally vague, which encourages the recipient to investigate further.

It displayed the sender University’s logo, followed by an embedded pdf attachment. Below this was the complete and correct footer usually included in the senders’ emails.

All of these factors, coupled with the fact the sender had genuine previous contact with the victim made this email appear trustworthy at first glance.

However, the pdf attachment was in fact an image link, which pointed to a document hosted on a public SharePoint site. Once clicked, the user was redirected to a fake login page, designed to mimic the University’s email login. Once credentials were entered here, the attacker was able to capture the victim’s current username and password.

Multi Factor Authentication Fatigue

Thanks to the University’s implementation of Multi Factor Authentication, the username and password alone are not enough to breach an account.

However, in this case the attackers used a method known as MFA Fatigue. This is the practice of sending multiple authentication requests in quick succession, in the hope that the account owner will verify one, either by mistake or out of frustration. In this case, and due to several circumstances, one of these requests was accepted.

Attacker Objectives

Once inside the account the attackers were able to complete the following actions within a few minutes:

  • Created an inbox rule to delete any incoming email. This is a tactic used to avoid detection by hiding any responses advising the victim their account is compromised, as well as any automated email delivery failure notices.
  • Searched the mailbox for email addresses of previous contacts.
  • Sent a large number of similar phishing emails out to previous contacts, many of whom were University colleagues.

The entire sequence of events was fully automated. The goal of this attack was to spread quickly and harvest as many sets of valid credentials as possible. As a result, this attack impacted several Scottish Universities.

Valid account credentials are valuable because they can be resold on the dark web. These can be purchased by attackers who may have more malicious intent.

If left undetected this compromised account could have led to a far more serious breach, ranging from theft of data to a ransomware attack.


Thanks to the staff member reporting this as quickly as possible, the Information Security team were able to quickly contain this attack, stop any additional accounts becoming compromised, and prevent this from developing into a more serious situation.

How you can help prevent an attack: 

  • Use the official Microsoft Authenticator App for MFA:
    • Several 2nd factor authentication methods are available, including phone call and SMS message codes. However, using the official Microsoft Authenticator app affords greater protection by providing detailed information on the person attempting to access your account, including location. This allows account owners to verify or deny login attempts with greater confidence.
    • It also provides number matching, which requires you to enter a number displayed on the login screen into the application. This helps to prevent attackers using MFA fatigue.
    • Never accept an unexpected MFA prompt. 
  • Be cautious:
    • Be cautious of any unexpected emails, even if they are from colleagues or other previous contacts. Be particularly wary if the sender tries to create a sense of urgency or imply negative consequences for ignoring the message. 
  • Report any suspected compromise immediately:
    • This will help us prevent the situation escalating further.

For further guidance, see our previous news bulletins on Phishing, Social Engineering, Malware, and Passwords.