Skip to main content

Jul 7, 2026

2026 Attack Landscape Report: Higher Education’s 7x Lateral Attack Problem

Discover why lateral phishing and BEC thrive in higher education and how compromised accounts enable attacks to spread across campus.

Lateral attacks exploit one of the most basic assumptions in email security: that messages sent from inside the organization are more trustworthy than those originating from outside it. Once malicious activity comes from a legitimate internal account, conventional signals of sender trust and message legitimacy become far less reliable.

That risk exists in every sector, but findings from the 2026 Attack Landscape Report show it is especially pronounced in higher education. Universities experience lateral phishing and lateral BEC at rates far above the broader sample, with students facing the greatest exposure. This concentration reflects a combination of institutional structure, user behavior, account management challenges, and a culture of trust that gives compromised identities unusual reach.

Examining those conditions reveals why lateral attacks spread so effectively across campuses—and what higher education security teams must understand to stop them.

What Are Lateral Attacks?

Lateral attacks occur when threat actors gain access to a legitimate internal email account and use it to target other users within the same organization.

After compromising the account—either through a successful phishing attempt or by abusing previously exposed credentials, such as those obtained from a data breach or reused across services—attackers send messages to other users that closely mirror familiar communication styles. These emails are crafted to appear routine and trustworthy, manipulating recipients into sharing sensitive information or fulfilling fraudulent requests.

Lateral attacks take two forms, separated by what the attacker is ultimately after. Lateral phishing uses the compromised account to deliver credential-theft attempts that widen the pool of compromised accounts. Lateral business email compromise uses it to carry out financial fraud against other people in the organization. One is about spreading access; the other is about monetizing it.

What makes lateral attacks particularly dangerous is their stealth and built-in credibility.

Messages originate from a real internal account, allowing them to bypass many traditional security controls and lowering recipients' natural suspicion. That same credibility raises the success rate of both forms: credential-theft lures are more likely to be clicked, and fraudulent requests are more likely to be honored when the sender appears to be a trusted identity.

By operating from within the organization, lateral attacks also increase dwell time, complicate detection and response, and heighten the risk of data theft, financial fraud, or downstream compromise. These advantages make lateral attacks dangerous in any environment, but the data shows that they are especially prevalent—and take a distinct form—in higher education.

Why Higher Education Faces a Disproportionate Lateral Threat

Lateral phishing is rare in most industries, with just 2.3% of phishing overall originating from compromised internal accounts. In higher education, that rate is 7.1%, more than 7x the next-closest industry. For students, it climbs even higher: nearly one in eight phishing attacks they receive comes from within their own institution.

The lateral BEC picture is even more pronounced, as 33% of all BEC targeting higher education is lateral. When BEC targets students specifically, that figure jumps to 54%. Across all attack types, students show a 14.9% lateral attack rate, the highest of any job category by a wide margin, against a sample average of 2.7%.

Education's lateral problem is structurally different from the lateral attacks seen elsewhere. In most industries, lateral BEC involves a compromised employee account being used to conduct financial fraud against other parts of the organization. In higher education, the pattern is peer-to-peer: compromised student accounts are used to attack other students, typically through gift card and fake job scams that prey on a younger population more likely to engage.

The cycle is self-propagating; once one account is taken over, it becomes a trusted launchpad against the rest of the student population. But what makes higher education so much more susceptible to lateral spread than other sectors?

The Conditions That Enable Lateral Spread

Imagine if every four months, your security infrastructure had to accommodate thousands of new users. That's the reality of a university campus, and several features of this environment make it uniquely hospitable to lateral spread.

The entry points are abundant. Student populations are large, and password reuse is common, creating easy targets for credential harvesting.

Dormant accounts—belonging to alumni, transfers, or withdrawn students—often remain active long after their owners have stopped checking them, providing unattended footholds for compromise. And unlike a corporate environment where IT can enforce password policies and decommission inactive accounts on a predictable schedule, universities manage a population that is constantly turning over, with account hygiene that varies widely from student to student.

Once inside, the attacker benefits from a trust culture built around .edu addresses, with emails from these accounts carrying implicit credibility. Academic email systems are open and federated by design, and the culture tends to prioritize accessibility over restrictive security controls. That limits the friction that would otherwise slow lateral movement. Student accounts also typically receive less monitoring and security investment than staff accounts, giving threat actors more room to operate unnoticed.

Because users constantly cycle in and out of the system, these conditions don't improve over time—they reset. Every semester brings a new cohort with new credentials, new devices, and no institutional memory of last semester's attacks.

Real-World Example of Higher Ed-Targeted Lateral Phishing

One campaign stopped by Abnormal illustrates how a single compromised university account can be used to exploit the trust and familiarity of the campus environment. Posing as “[Redacted] IT Support” and using the subject line “Important Security Alert,” the message warns the recipient that their email account is scheduled for suspension.

2026 Attack Landscape Report Higher Ed Phishing Email

The email references Microsoft services and includes institutional branding to enhance legitimacy, pressuring recipients to click a “Verify My Account” link to avoid permanent deletion and loss of incoming mail.

Upon clicking the link, users are directed to a spoofed student login portal splash page that mimics an official university authentication workflow. The notice claims that the user’s Microsoft 365 account is associated with two different university portals and instructs the user to provide login credentials for both accounts. The user is warned that failure to do so may result in termination of account access.

2026 Attack Landscape Report Higher Ed Splash Page

Proceeding further leads the target to a Netlify-hosted form designed to harvest sensitive information, including personal email addresses, phone numbers, and—critically—two separate sets of Microsoft 365 credentials under the pretext of validating both “present” and “former” college email accounts.

2026 Attack Landscape Report Higher Ed Credential Harvesting Form

The use of a legitimate .edu email address, familiar branding, and high-pressure consequences that discourage scrutiny make this lure especially effective. Additionally, by hosting the credential-capture page on Netlify rather than on platforms that prohibit password collection—such as Google Forms—the attacker maximizes the likelihood of data theft.

If successful, the stolen credentials enable account takeover, inbox rule manipulation, and further lateral phishing from newly compromised accounts, significantly increasing dwell time, blast radius, and the risk of broader data exposure or follow-on attacks across the organization.

What Makes This Lateral Phishing Attack Difficult to Detect

Lateral phishing exposes a fundamental weakness in email security tools that treat internal senders as inherently trustworthy.

Because these messages originate from legitimate, authenticated accounts, they pass SPF, DKIM, and DMARC checks and carry no external reputation risk. The content mirrors familiar IT notifications, with accurate branding and service references, leaving static rules and keyword-based detection largely ineffective. Low sending volume and internal targeting further reduce suspicion, allowing legacy tools to overlook malicious intent simply because the sender is already trusted.

Catching an attack like this one requires evaluating how an identity behaves, not just whether it is valid. Behavioral AI establishes a baseline for each sender—the messages they normally send, the recipients they normally contact, the institution's typical IT communications—and an anomaly detection engine flags deviations from that baseline. A compromised account that suddenly sends a mass security notification, using a template it has never used before, stands out against that baseline even though every authentication check passes.

No single signal is necessarily decisive. The attack becomes visible only when sender behavior, message content, recipient patterns, and destination infrastructure are evaluated together.

Rethinking Defense for Higher Education

Higher education cannot eliminate every condition that enables lateral attacks. Universities will continue to manage large, constantly changing populations; support open collaboration; and rely on email as a primary channel for academic, administrative, and student communication.

That means the most practical defensive shift is to stop treating a successfully authenticated sender as a sufficiently trusted one. Authentication can confirm that a message came from a real account, but it cannot confirm that the person controlling that account is still the legitimate user.

Security teams should instead look for changes in behavior: an account contacting unfamiliar recipients, sending an unusual volume of messages, introducing a new type of request, or directing users to infrastructure it has never used before.

Lateral attacks turn institutional trust into an attack path. Defending against them requires preserving that trust without extending it blindly—and recognizing when an ordinary account begins behaving extraordinarily.

The threats your organization faces are shaped by how it operates. The 2026 Attack Landscape Report shows you exactly how.

Download the Report

Protect Against Evolving Email Threats

See how behavioral AI detects attacks that legacy defenses miss.