Multi-factor authentication (or MFA) based phishing campaigns pose a significant threat, as they exploit the trust of users and the security mechanisms designed to protect them against unauthorized access.
We know that many attackers have turned their attention to schools, colleges, and universities because of the perceived high value of data that can be gained and low stakes of entry due to budget constraints.
In the last few months, it seems a lot of cyber attack campaigns have begun utilizing methods that target MFA credentials.
Let’s take a look at how cyber criminals use these campaigns to gain access to sensitive data and what your organization can do to prevent it.
A multi-factor authentication-based phishing attack or campaign is a type of cyberattack in which threat actors attempt to steal sensitive information by tricking individuals into providing it through deceptive means.
These attacks use social engineering techniques, such as phishing emails or fraudulent websites, and aim to compromise administrator email accounts and deliver ransomware. Once attackers obtain this information (which can include login credentials or personal data), they can use it to bypass the MFA process and gain unauthorized access to the victim’s accounts or sensitive data.
MFA-based campaigns specifically target the multi-factor authentication process—which typically involves using a combination of two or more authentication factors, such as passwords, security tokens, or biometric verification, to check a user’s identity.
Attackers are increasingly employing tactics to bypass these protections, which were previously considered robust security measures.
Since December 2023, according to research by the cybersecurity firm PIXM, there has been a notable increase in MFA-based phishing campaigns directed at teachers, staff, and administrators in public schools across the United States.
The purpose? Many threat actors are increasingly interested in student data, including personal details, academic records, and financial information.
Stolen student data can be used to impersonate students to access online accounts, apply for loans or credit cards, or make unauthorized purchases. Cybercriminals can also sell stolen student data on the dark web to other malicious actors or use it to carry out ransomware attacks.
Educational institutions often have diverse and trusting user populations, including students who may be less experienced in recognizing phishing attempts. Attackers exploit this trust by using social engineering tactics to trick students into divulging their login credentials and MFA codes.
The purpose of MFA phishing attacks is to trick students, faculty, and staff into divulging their login credentials and MFA codes. Here’s how they typically target schools:
Phishing-as-a-Service (PhaaS) platforms like dadsec and phishingkit play a crucial role in these campaigns, too, by providing attackers with stealthy features to compromise administrator email accounts and deliver ransomware. These platforms, in fact, enable threat actors to create custom login experiences, spoof legitimate emails, and bypass MFA tokens and session controls.
By utilizing PhaaS services, malicious groups can point victims to legitimate-looking sites or easily use targeted emails impersonating real school members. And, through sophisticated infrastructure like C2 servers, domain generation algorithms, and SSL certificates, they can harvest credentials and evade detection.
Groups like Tycoon and Storm-1575 have been focusing on information that can be exploited for various purposes, including identity theft and financial fraud. These threat actors have been linked to targeted spear phishing attacks on US school districts, bypassing MFA protections to gain unauthorized access to sensitive information. Storm-1575 specifically targets Microsoft 365 credentials, while Tycoon offers MFA bypass as a service.
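One way a school's security team can look for the MFA and session bypass described above is to check sign-in records for a session that completes MFA from one network and is then used from a different network and client minutes later. The following is an added detection example, not code from the original article or from any vendor; the records are constructed, the field names and the 10-minute window are assumptions, and it assumes a harvested session is reused from the attacker's own infrastructure shortly after the victim signs in.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, user, session, ip, agent, mfa):
    """Build one sign-in record (hypothetical schema, not a real log format)."""
    return {"time": datetime.fromisoformat(time), "user": user,
            "session": session, "ip": ip, "agent": agent, "mfa": mfa}

# Constructed sample data using documentation IP ranges and example domains.
EVENTS = [
    ev("2024-03-04T08:01:10", "teacher1@district.example", "s-100", "198.51.100.7", "Chrome/Windows", True),
    ev("2024-03-04T08:03:42", "teacher1@district.example", "s-100", "203.0.113.55", "Firefox/Linux", False),
    ev("2024-03-04T09:15:00", "admin@district.example", "s-200", "198.51.100.9", "Edge/Windows", True),
    ev("2024-03-04T09:20:00", "admin@district.example", "s-200", "198.51.100.9", "Edge/Windows", False),
    ev("2024-03-04T10:00:00", "staff2@district.example", "s-300", "192.0.2.10", "Safari/macOS", True),
    ev("2024-03-04T18:30:00", "staff2@district.example", "s-300", "192.0.2.77", "Safari/iOS", False),
]

def find_reused_sessions(events, window=timedelta(minutes=10)):
    """Flag sessions used from a new IP *and* new client soon after MFA.

    Requiring both changes inside a short window keeps ordinary roaming
    (same device on a new network hours later) out of the alert list.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    alerts = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        origin = next((e for e in evs if e["mfa"]), None)
        if origin is None:
            continue  # session never completed MFA; nothing to compare against
        for e in evs:
            delta = e["time"] - origin["time"]
            if (timedelta(0) < delta <= window
                    and e["ip"] != origin["ip"] and e["agent"] != origin["agent"]):
                alerts.append({"user": e["user"], "session": session,
                               "mfa_ip": origin["ip"], "reuse_ip": e["ip"],
                               "seconds_after_mfa": int(delta.total_seconds())})
                break  # one alert per session is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in find_reused_sessions(EVENTS):
        print(alert)
```

An alert from this check is a triage lead rather than proof of compromise; confirming it means revoking the session and resetting the account's credentials while the sign-in is investigated.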
The fact that more advanced phishing groups are targeting schools with MFA-based scams shows how cyber threats against schools are getting more complex (as well as how low attackers will stoop). Attackers are using smarter methods to trick schools and get into their systems. To keep students’ private information safe, schools need strong cybersecurity and education about these kinds of scams.
As mentioned earlier, student data presents an attractive target for cybercriminals due to its value and the potential for financial gain or further malicious activities. To mitigate the risk of falling victim to such attacks, schools need to establish strong cybersecurity measures and training. For instance:
If you need more specific protection at an affordable price, Coro provides advanced email security features to detect and block phishing emails targeting students and staff. By using machine learning algorithms and threat intelligence, we can instantly identify suspicious email patterns, malicious attachments, and phishing links commonly used in MFA-based attacks.
Our endpoint protection solutions can safeguard school devices, including computers, laptops, and mobile devices, against malware, ransomware, and other malicious threats. And, in the event of a successful phishing attack, Coro provides incident response and remediation services to help schools contain the breach, mitigate the impact, and restore normal operations. Contact us today to learn more about our comprehensive modular cybersecurity platform.