Privacy Ninja



US Universities Targeted by Office 365 Phishing Attacks


US universities are being targeted in multiple phishing attacks designed to impersonate college login portals to steal valuable Office 365 credentials.

The lures used in the latest campaigns include COVID-19 Delta and Omicron variants and various themes on how these allegedly impact the educational programs.

These campaigns are believed to be conducted by multiple threat actors starting in October 2021, with Proofpoint sharing details on the tactics, techniques, and procedures (TTPs) used in the phishing attacks.


Targeting US universities

The phishing attack begins with an email that pretends to be information about the new Omicron variant, COVID-19 test results, additional testing requirements, or class changes.

These emails urge the recipient to click on an attached HTM file, which takes them to a cloned login page for their university’s login portal.

HTM attachment arriving with the phishing email
Source: Proofpoint

The samples published by Proofpoint look very convincing in terms of their appearance, and URLs use a similar naming pattern that includes the .edu top-level domain. 

For example, a phishing attack targeting students of Arkansas State University used a URL of sso2[.]astate[.]edu[.]boring[.]cf.

Spoofed university page with a login section
Source: Proofpoint

Other examples of malicious URLs set up to support the phishing campaign are given below:

  • sso[.]ucmo[.]edu[.]boring[.]cf/Covid19/authenticationedpoint.html
  • hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]php*
  • afr-tours[.]co[.]za/includes/css/js/edu/web/etc/login[.]php*
  • traveloaid[.]com/css/js/[university]/auth[.]php*

HTM attachments have been very successful in phishing lately because they enable actors to smuggle malware and assemble it on the target device. In this case, however, the HTM file contains a link to a credential-stealing site.
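A mail-filtering check for the two traits described above (a link inside the HTM attachment, and a hostname that embeds .edu ahead of a different registered domain) can look like the following. This is an added example, not code from Proofpoint or the original article; the sample attachment is constructed, and the function names and the benign host sso.example.edu are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample attachment. The two boring[.]cf hosts are the defanged
# examples quoted in the article; sso.example.edu is a made-up benign host.
SAMPLE_HTM = """<html><body><p>Your COVID-19 test result is ready.</p>
<a href="hxxps://sso2[.]astate[.]edu[.]boring[.]cf/">View result</a>
<form action="https://sso.example.edu/login"><input name="user"></form>
<meta http-equiv="refresh"
 content="0; url=hxxp://sso[.]ucmo[.]edu[.]boring[.]cf/Covid19/authenticationedpoint.html">
</body></html>"""

def refang(url):
    """Undo analyst defanging so the URL can be parsed (never fetched here)."""
    return url.replace("[.]", ".").replace("hxxp", "http")

class LinkCollector(HTMLParser):
    """Collect URLs from href/src/action attributes and meta-refresh targets."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("href", "src", "action"):
            if attrs.get(name):
                self.urls.append(attrs[name])
        content = attrs.get("content") or ""
        pos = content.lower().find("url=")
        if tag == "meta" and pos != -1:
            self.urls.append(content[pos + 4:].strip())

def embedded_edu(host):
    """True when 'edu' is a label with two or more labels after it, so the
    registrable domain is something else (edu.au-style suffixes do not match)."""
    labels = host.lower().rstrip(".").split(".")
    return "edu" in labels[:-2]

def suspicious_links(htm):
    """Return defanged hostnames in the attachment that embed a fake .edu."""
    collector = LinkCollector()
    collector.feed(htm)
    hosts = [urlsplit(refang(u)).hostname or "" for u in collector.urls]
    return [h.replace(".", "[.]") for h in hosts if embedded_edu(h)]

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_HTM))
```

This heuristic only covers the look-alike subdomain pattern; the compromised WordPress destinations in the list above carry no .edu label in the hostname and need reputation or content-based checks instead.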


In some cases (marked with an asterisk), these destinations are legitimate WordPress sites that were compromised to steal credentials, so no alarms will be raised by internet security or email protection tools when the victim lands on them.

Based on the URLs shared by Proofpoint, some of the universities targeted in these attacks include the University of Central Missouri, Vanderbilt, Arkansas State University, Purdue, Auburn, West Virginia University, and the University of Wisconsin-Oshkosh.

Snatching Duo OTPs

To bypass MFA (multi-factor authentication) protection on targeted university login pages, the threat actors have also created landing pages that spoof a Duo MFA page, which is used to steal the one-time passcodes sent to students and faculty.

After a victim enters their credentials on the spoofed login page, the victim is requested to enter the code they received via SMS on their phone so that actors can snatch it and use it directly to take over the account.

Spoofing the Duo MFA system
Source: Proofpoint

This step requires immediate action since OTPs have short expiration times. 


Office 365 credentials can be used by malicious actors to access the corresponding email account, send messages to other users in the workgroup, divert payments, and further the phishing to steal more valuable accounts.

Additionally, the actor can access and exfiltrate sensitive information stored in the account’s OneDrive and SharePoint folders.

These phishing attacks could potentially lead to damaging BEC incidents and highly disruptive ransomware infections for universities.

HTM files are opened in a browser, so technically, you can never be 100% safe. Do not give in to curiosity if you receive one as an attachment in an unsolicited email.

Just mark the message as spam and delete it.


