A KnowBe4 Threat Lab Publication
Authors: Jeewan Singh Jalal, Anand Bodke, Daniel Netto and Martin Kraemer
Executive Summary
KnowBe4’s Threat Lab recently observed a phishing campaign targeting educational institutions. Over a 30-day period, 4,361 threats were reported, originating from 40 unique sender domains. 65% of these domains were compromised educational institution IDs.
The ultimate aim of these attacks was to harvest credentials, resulting in potential data loss, account compromise and further phishing emails sent from the compromised accounts.
In 2024, the education sector has become a prime target for cybercriminals, facing a surge in ransomware and phishing attacks. Microsoft's Cyber Signals report highlights outdated IT infrastructure and weak security protocols as key vulnerabilities. With vast personal data repositories and a high risk of operational disruption, schools and universities are increasingly exploited for data theft, extortion, and disruption.
Education Sector Attack Example
In this campaign, many attacks used QR codes or hyperlinks—sometimes embedded in attachments—to direct recipients to the legitimate Google Forms service, where recipients were encouraged to input login credentials.
Step 1 - The Phishing Email
In the example below, likely targeting a faculty member rather than a student, the attacker attached a PDF containing a QR code to their phishing email. This method makes it harder for legacy technologies such as secure email gateways (SEGs) that rely heavily on signature-based detection to identify the malicious link within the attachment.
By leveraging social engineering tactics, the attacker entices the recipient to scan the QR code to access their 401(k)/payroll benefits. This shifts the interaction to a personal device, such as a mobile phone, which may lack the security controls of a work device. Once scanned, the recipient is directed to a Google Forms site, where they are prompted to enter their credentials.
Email with a PDF attachment having QR code embedded and pointing to Google Forms link
Step 2 - Google Forms
Both examples below show the second stage of this education-based phishing attack, triggered after the recipient scans the QR code or clicks a malicious link in the email. By using a legitimate service like Google Forms, the attacker leverages the widespread trust individuals have in this platform, lowering their suspicion and making it more likely that they will input their data.
In the first example, the recipient (likely a high-school student) is required to enter details such as their name, age, phone number and passwords to ‘update’ their email. The fact that the attacker explicitly asks for both past and present credentials shows an awareness that security awareness is currently lacking among the younger generation, making high-school students more vulnerable to social engineering.
Action demanded based on the context of school email update
In the second example, targeting a university student, the recipient is asked to provide details such as gender, age, email, and phone number to apply for an off-campus job opportunity. The supposed job is highly appealing, offering remote work and good pay—ideal for a university student.
Action demanded based on the context of Job Opportunity
The emails delivered are a combination of:
- Plain text URL in the email body (53%)
- Attachment with links embedded:
  - Doc (18%)
  - HTML (2.5%)
  - Ppt (2%)
  - Pdf (1%)
  - Others (0.6%)
In Numbers
The table depicts a breakdown of the number of emails reported versus Top Level Domain (TLD). As can be seen, the most common TLDs observed in this phishing campaign were education domains. Analysis revealed 40 unique sender domains, with 26 of these being compromised educational institution IDs.
79% of the reported emails bypassed Exchange Online Protection, which was the only layer of email protection in those cases. The remaining 21% got through secure email gateways (SEGs) such as Barracuda Email Security Services, Sonicwall, Ironport, Trend Micro Anti-Spam Engine, Mimecast, Proofpoint Essentials, Sophos and Symantec Messaging Gateway.
Key Campaign Characteristics
The campaign has shown the following trends and characteristics based on the reported emails that were analyzed.
- Taking advantage of job opportunities, grants, and account update needs of university students to deliver phishing emails.
- Embedding form links as either plain links or as a QR code in attachments like docx, pdf, odt, etc.
- Use of the legitimate Google Forms service to harvest credentials.
- The aim of compromising credentials is to deliver further phishing emails.
- Where university credentials are compromised, further phishing emails are sent to contacts in the university's address books, increasing the apparent authenticity of the phishing attacks.
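A triage script that encodes these campaign characteristics as detection heuristics over a raw message, as an added example that is not part of the KnowBe4 report: it flags education sender domains, link-capable attachment types, Google Forms URLs in the body or in text attachments, and benefit/job lure wording. The scoring weights, the constructed sample message and the placeholder form id are assumptions, not values from the campaign.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Heuristics mirroring the campaign traits above; the weights are illustrative assumptions.
FORM_URL_RE = re.compile(r"https?://(?:docs|forms)\.google\.com/forms/[^\s<>\"']+", re.I)
RISKY_EXT = (".doc", ".docx", ".odt", ".pdf", ".html", ".htm", ".ppt", ".pptx")
LURES = ("401(k)", "payroll", "job opportunity", "grant", "update your email")


def sender_domain(msg) -> str:
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message; a higher score means a closer campaign match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, score, domain = [], 0, sender_domain(msg)
    if domain.endswith(".edu") or ".edu." in domain:  # also .edu.au and similar
        findings.append(f"education sender domain: {domain}"); score += 1
    text = (msg.get("Subject") or "") + "\n"
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(f"link-capable attachment: {name}"); score += 1
        if part.get_content_maintype() == "text":  # body parts and HTML attachments
            text += part.get_content() + "\n"
    forms = sorted(set(FORM_URL_RE.findall(text)))
    if forms:
        findings.append(f"Google Forms link(s): {forms}"); score += 3
    lures = [k for k in LURES if k.lower() in text.lower()]
    if lures:
        findings.append(f"lure keywords: {lures}"); score += 1
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"sender_domain": domain, "findings": findings, "score": score, "verdict": verdict}


def build_sample() -> bytes:
    """Constructed sample mirroring the 401(k) lure above; not a real campaign artifact."""
    m = EmailMessage()
    m["From"] = "Payroll Office <hr@example-college.edu>"
    m["Subject"] = "Action required: 401(k) and payroll benefits update"
    m.set_content("Enroll here: https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID/viewform")
    m.add_attachment("<a href='https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID/viewform'>Open</a>",
                     subtype="html", filename="benefits.html")
    return m.as_bytes()
```

Binary attachments (PDF, DOCX) are only flagged by type here; extracting their QR codes or embedded links needs a document parser and QR decoder in front of this scoring step.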
Recommendations
- Educate on recognizing educational-specific phishing threats: Teach identification of education-related lures and provide recent examples.
- Promote safe online practices: Instruct on password management, multi-factor authentication, and sender/link verification.
- Conduct staff cybersecurity training: Offer regular, role-specific sessions with hands-on exercises.
- Implement ongoing monitoring and testing: Use automated detection, conduct simulations, and update security measures regularly.
- Strengthen email security: Equip students and faculty with intelligent anti-phishing tools that are able to detect and neutralize advanced threats, such as QR code phishing.
About the Threat Lab
KnowBe4 Threat Labs specializes in researching and mitigating email threats and phishing attacks, utilizing a combination of expert analysis and crowdsourced intelligence. The team of seasoned cybersecurity professionals investigates the latest phishing techniques and develops strategies to preemptively combat these threats.
By harnessing insights from a global network of participating customers, KnowBe4 Threat Labs delivers comprehensive recommendations and timely updates, empowering organizations to protect against and respond to sophisticated email-based attacks. The Threat Labs are KnowBe4’s commitment to innovation and expertise, ensuring robust defenses against the ever-evolving landscape of cyber threats.