In a recent finding from researchers at Inky, compromised popular university email accounts are being used to perform phishing attacks. The email accounts used in the phishing attacks are speculated to be victims of a credential harvesting scheme that most likely never changed their login credentials after they were compromised. The emails originate from 13 different universities such as Purdue, Oxford University of the UK, Stanford University, and others. Most security software products see emails with [.]EDU extensions as trusted so they are not flagged. In one incident the phishing email claimed that the recipient had missed a phone call and linked an attachment that purports to be the voicemail. Other threats found that that a threat actor group (TA407, which is based out of Iran) has been on the prowl since the start of the 2019 school year to harvest additional login credentials.
To stop or slow these attacks, whenever a login credential has been compromised, network administrators should disable the compromised credentials and force a reset of the password. Users of these accounts are highly recommended to enable multi-factor authentication whenever possible to not be compromised in the first place. Lastly, when an email is received that contains a link or a download, the sender of the link should be verified before opening or downloading anything.
Source Article: https://threatpost.com/university-email-hijacking-phishing-malwarephishing-malware/160735/