What we know:
Ivoryware analysts are currently monitoring a drastic spike in reports of business email accounts, primarily at Mid-West University, being compromised via phishing attacks.
Both employee and server-based addresses appear to be targeted. In many cases this indicates that the attacks are sent to many targets at once, which makes them less personalized and slightly easier to identify as malicious.
Once an account is compromised, attackers piggyback on the .edu address and the University's reputation to solicit:
Large quantities of products, such as laptops, from Managed Service Providers (MSPs) and supply chain organizations while posing as an official university executive.
The Microsoft credentials of MSP and supply chain managers. (Purpose not yet known.)
These attacks cause serious reputational harm and financial loss to the victims, and they often lead to complicated legal disputes over who is at fault for the damages.
Current Pro-active Suggestions:
1. Make school officials, help desk, and incident response teams aware of this ongoing threat to scale up monitoring and refresh security incident response procedures.
2. Check for newly created Exchange forwarding rules (both mailbox-level forwarding and user inbox rules) and compare the results with your acceptable use policies.
3. Consider implementing an internal domain password reset and review password reset group policies.
4. Review your security awareness training program and ensure all end-users have completed, at a minimum, basic security concept training.
5. Deploy a phishing assessment that appears to come from Microsoft and attempts to obtain user credentials.
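As an added illustration of suggestion 2 (this is not code from the Ivoryware bulletin), the following Exchange Online PowerShell sweep lists mailbox-level forwarding and inbox rules that forward or redirect mail, and flags any destination outside the organization's own domains. It assumes the ExchangeOnlineManagement module with an already established Connect-ExchangeOnline session; the $InternalDomains list is a placeholder to replace with your accepted domains.

```powershell
# Hypothetical allowlist of domains the acceptable use policy treats as internal.
$InternalDomains = @('example.edu')

function Test-IsExternal {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # Inbox rule recipients render as "Display Name [SMTP:user@domain]"; extract the SMTP part.
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }   # not an SMTP address, cannot judge
    $domain = ($Address -split '@')[-1].ToLowerInvariant()
    return ($InternalDomains -notcontains $domain)
}

function New-Finding {
    param($Mailbox, $Type, $Rule, $Target, $DeletesMail)
    [pscustomobject]@{ Mailbox = $Mailbox; Type = $Type; Rule = $Rule; Target = $Target; DeletesMail = $DeletesMail }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding: ForwardingSmtpAddress is a raw SMTP address,
    # ForwardingAddress points at a recipient object that must be resolved first.
    $targets = @()
    if ($mbx.ForwardingSmtpAddress) { $targets += "$($mbx.ForwardingSmtpAddress)" }
    if ($mbx.ForwardingAddress) {
        $targets += "$((Get-Recipient $mbx.ForwardingAddress).PrimarySmtpAddress)"
    }
    foreach ($t in $targets) {
        if (Test-IsExternal $t) {
            New-Finding $mbx.PrimarySmtpAddress 'MailboxForwarding' '(mailbox)' $t $false
        }
    }
    # User inbox rules: these are what a phished account is typically abused to create.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $ruleTargets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $ruleTargets) {
            if (Test-IsExternal "$t") {
                # DeletesMail is reported because a rule that forwards and then deletes
                # hides the activity from the mailbox owner.
                New-Finding $mbx.PrimarySmtpAddress 'InboxRule' $rule.Name "$t" $rule.DeleteMessage
            }
        }
    }
}

$findings | Sort-Object Mailbox, Type | Format-Table -AutoSize
```

Review each finding against the policy exceptions you maintain (for example approved shared mailboxes) before treating it as an indicator of compromise.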