How MFA-Based Phishing Campaigns are Targeting Schools

Multi-factor authentication (or MFA) based phishing campaigns pose a significant threat, as they exploit the trust of users and the security mechanisms designed to protect them against unauthorized access.

We know that many attackers have turned their attention to schools, colleges, and universities because of the perceived high value of data that can be gained and low stakes of entry due to budget constraints. 

In the last few months, it seems a lot of cyber attack campaigns have begun utilizing methods that target MFA credentials. 

Let’s take a look at how cyber criminals use these campaigns to gain access to sensitive data and what your organization can do to prevent it.

What is an MFA-Base Phishing Attack?

A multi-factor authentication-based phishing attack or campaign is a type of cyberattack in which threat actors attempt to steal sensitive information by tricking individuals into providing it through deceptive means.

These attacks use social engineering techniques, such as phishing emails or fraudulent websites, and aim to compromise administrator email accounts and deliver ransomware. Once obtained, attackers can use this information (which can include login credentials or personal data) to bypass the MFA process and gain unauthorized access to the victim’s accounts or sensitive data.

MFA-based campaigns specifically target the multi-factor authentication process—which typically involves using a combination of two or more authentication factors, such as passwords, security tokens, or biometric verification, to check a user’s identity. 

Attackers are increasingly employing tactics to bypass these protections, which were previously considered robust security measures.

The Rise of Phishing Attacks Targeting School Districts

Since December 2023, according to research by the cybersecurity firm PIXM, there has been a notable increase in MFA-based phishing campaigns directed at teachers, staff, and administrators in public schools across the United States. 

The purpose? Many cybersecurity threats are increasingly interested in student data, including personal details, academic records, and financial information.

Stolen student data can be used to impersonate students to access online accounts, apply for loans or credit cards, or make unauthorized purchases. Cybercriminals can also sell stolen student data on the dark web to other malicious actors or use it to carry out ransomware attacks.

Educational institutions often have diverse and trusting user populations, including students who may be less experienced in recognizing phishing attempts. Attackers exploit this trust by using social engineering tactics to trick students into divulging their login credentials and MFA codes.

How a Typical FMA Phishing Campaign Works

The purpose of MFA phishing attacks is to trick students, faculty, and staff into divulging their login credentials and MFA codes. Here’s how they typically target schools:

1. Phishing emails: Attackers can send deceptive emails to students, faculty, or staff members, posing as trusted entities such as school administrators, IT support personnel, or popular educational platforms. These emails often contain urgent or enticing messages, such as account verification requests, security alerts, or offers of educational resources.
2. Fake login pages: Phishing emails may contain links to fake login pages that closely mimic the school’s official login portal or educational platforms. These fraudulent pages are designed to trick users into entering their usernames, passwords, and MFA codes, which are then captured by the attackers.
3. Social engineering tactics: Cybercriminals can also use social engineering tactics to manipulate recipients into causing a data breach without questioning the legitimacy of the request. For example, they may create a sense of urgency or fear, such as claiming that the recipient’s account has been compromised or that they need to verify their credentials to avoid account suspension.
4. Credential harvesting: Once users enter their login credentials and MFA codes on the fake login pages, the information is harvested by the attackers. They can then use these stolen credentials to gain unauthorized access to school district accounts, sensitive data, and online learning platforms.
5. Account takeover and data theft: With access to school accounts, attackers can carry out various malicious activities, including stealing sensitive information, distributing malware, sending phishing emails from compromised accounts, or conducting further attacks targeting the school’s network or other users.

FMA Campaign Technologies

Phishing-as-a-Service (PhaaS) platforms like dadsec and phishingkit play a crucial role in these campaigns, too, by providing attackers with stealthy features to compromise administrator email accounts and deliver ransomware. These platforms, in fact, enable threat actors to create custom login experiences, spoof legitimate emails, and bypass MFA tokens and session controls.

By utilizing PhaaS services, malicious groups can point victims to legitimate-looking sites or easily use targeted emails impersonating real school members. And, through sophisticated infrastructure like C2 servers, domain generation algorithms, and SSL certificates, they can harvest credentials and evade detection.

Groups like Tycoon and Storm-1575 have been focusing on information that can be exploited for various purposes, including identity theft and financial fraud. These threat actors have been linked to targeted spear phishing attacks on US school districts, bypassing MFA protections to gain unauthorized access to sensitive information. Storm-1575 specifically targets Microsoft 365 credentials, while Tycoon offers MFA bypass as a service.

The fact that more advanced phishing groups are targeting schools with MFA-based scams shows how cyber threats against schools are getting more complex (as well as how low attackers will stoop). Attackers are using smarter methods to trick schools and get into their systems. To keep students’ private information safe, schools need strong cybersecurity and education about these kinds of scams.

How to Combat These Attacks

As mentioned earlier, student data presents an attractive target for cybercriminals due to its value and the potential for financial gain or further malicious activities. To mitigate the risk of falling victim to such attacks, schools need to establish strong cybersecurity measures and training. For instance:

1. Conduct regular cybersecurity awareness training: It’s a good idea to run frequent cybersecurity awareness sessions for students, faculty, and staff members to educate them on various phishing techniques. Teach them how to recognize suspicious emails and what steps to take if they encounter such emails.
2. Utilize a trusted cybersecurity framework: When it comes to cybersecurity protection, schools don’t need to start from scratch. There are several frameworks schools can select that offer a path to stronger cybersecurity. These include NIST CSF 2.0, CIS Controls, K12 SIX Essential Protections, and the Global Education Security Standard (GESS).
3. Implement email filtering and spam detection: Set up robust email filtering and spam detection systems to automatically block phishing emails before they reach users’ inboxes. This helps prevent users from falling victim to phishing attacks.
4. Enable Multi-Factor Authentication (MFA): Even if some attackers are getting around it, by and large, MFA still adds an extra layer of security by requiring users to provide additional verification, such as a code sent to their mobile device, along with their password, to access their accounts.
5. Monitor for suspicious activity: Continuously monitor school accounts for any suspicious login attempts or unusual activity. This proactive approach allows the IT security team to detect and respond to potential security breaches promptly.
6. Develop a cyber incident response plan: When something goes wrong (no longer “if”), your school or university should have an action plan because every minute counts when compromised. Consider creating a team of first responders and utilizing your community for support. 
7. Encourage reporting: Encourage users to report any phishing emails or suspicious activity they encounter to the school’s IT security team. Prompt reporting enables quick investigation and remediation of potential security incidents.
8. Stay informed and proactive: Stay updated on the latest phishing trends and cyber threats targeting the education sector. By staying informed, the school can proactively adapt its security measures to protect against evolving threats and ensure the security of its systems and data.

If you need more specific protection at an affordable price, Coro provides advanced email security features to detect and block phishing emails targeting students and staff. By using machine learning algorithms and threat intelligence, we can instantly identify suspicious email patterns, malicious attachments, and phishing links commonly used in MFA-based attacks.

Our endpoint protection solutions can safeguard school devices, including computers, laptops, and mobile devices, against malware, ransomware, and other malicious threats. And, in the event of a successful phishing attack, Coro provides incident response and remediation services to help schools contain the breach, mitigate the impact, and restore normal operations.Contact us today to learn more about our comprehensive modular cybersecurity platform.