Attackers Steal Duo OTPs to Compromise Higher Ed Accounts
A phishing campaign targeting higher education steals credentials and Duo OTPs to compromise accounts, exfiltrate data, and launch lateral attacks.
October 1, 2025

Higher education is facing a new wave of targeted account takeover attacks that blend trust, deception, and speed.
Cybercriminals begin by sending phishing emails from compromised university accounts, using authoritative language and familiar institutional themes to bypass suspicion. From there, targets are funneled to spoofed sign-in portals that perfectly mimic university login pages. Then, purpose-built phishing kits harvest both credentials and Duo one-time passwords (OTPs) through seamless multi-step flows. With these details in hand, attackers swiftly hijack accounts, hide their tracks with malicious mailbox rules, and launch lateral phishing campaigns within the same organization.
Abnormal researchers have identified more than 40 compromised organizations and over 30 targeted universities and colleges in this campaign. This blog unpacks how the campaign works, its potential impact on educational institutions, and what security leaders can do to defend against it.
Compromised Senders and Social Engineering
The first phase of the attack is a phishing email notifying the recipient of a time-sensitive matter requiring their attention. The themes of the messages in this campaign vary widely, but the primary motifs include staff appreciation and award eligibility, health advisories and contact tracing alerts, payroll updates, and insurance coverage verification.
While the pretext varies, the objective is consistent: convince the recipient to click the embedded link, which redirects to a fraudulent login portal.
A significant percentage of the emails are sent from compromised university accounts, allowing threat actors to operate from within a trusted environment. This not only evades external-facing protections but also increases the appearance of authenticity.
In the first example, attackers use a compromised faculty member’s account at a private university to target other faculty and staff at the institution. The message claims there are discrepancies in select employee health insurance policies and instructs recipients to log into the university’s portal and confirm the status of their insurance to avoid any disruption in coverage.

The next example—sent to a different, public university from a compromised account—purports to be a reminder about an upcoming awards luncheon celebrating all staff members who have reached significant service milestones. It invites recipients to confirm their eligibility as an honoree by using the provided link to access the "Verification Portal".

This particular phishing lure appears to have been AI-generated, based on analysis by an AI content detection tool. Leveraging AI-generated text enables attackers to rapidly scale operations by facilitating the production of varied and convincing institution-specific lures with minimal manual effort.
One particularly noteworthy aspect of this campaign is that, regardless of the lure used, the tone of the emails is pressing but measured. The attackers are clearly attempting to manipulate targets and compel them to act sooner rather than later, but they opt not to fabricate especially dire circumstances the way some other threat actors do.
In one case, the lure is fear-based, playing on concerns about losing health insurance coverage. In the other, the lure is reward-based, relying on positive reinforcement and appealing to the target’s professional pride. Either approach may avoid raising suspicion among targets who have been trained to be skeptical of emails that threaten serious consequences unless the recipient acts immediately.
Credential Theft and One-Time Password Interception
Threat actors primarily took one of two approaches to the credential harvesting and one-time password (OTP) interception phases of the attack. The first approach is the more straightforward of the two: it embeds a direct link to the fraudulent login portal in the initial email and uses only two malicious pages, one to capture login credentials and another to capture the OTP.
Credential Harvesting
For targets in this variant of the attack flow, clicking on the link in the email sends them directly to a cloned version of the targeted organization’s authentication portal. The phishing page is indistinguishable from the legitimate site and includes expertly impersonated branding, layout, and static front-end elements to build trust with the target.

The underlying code captures credentials through a simple JavaScript event handler. When the target enters their username and password and clicks the Submit or Login button, the script intercepts the form submission, prevents it from being sent normally, and instead appends the credentials as URL parameters to the next page. This ensures that the attacker can seamlessly carry the stolen data into the next stage of the phishing flow.
This technique bypasses server-side handling at this stage and simply redirects the target to the one-time password (OTP) capture step, while embedding the stolen credentials into the URL for later use.
Duo One-Time Password (OTP) Collection
The phishing template includes a second form specifically designed to capture the target’s Duo OTP, a time-based code generated by the Duo Mobile multifactor authentication app, which is required to complete the login process. This form appears immediately after the credential prompt, reinforcing the illusion of a legitimate two-factor authentication flow.

The code handling this step retrieves the username and password from the URL (passed forward from the first stage) and then captures the target’s one-time code when it is submitted. Unlike the first stage, this data is not just passed along in the URL. Instead, it is exfiltrated to the attacker’s server via an AJAX POST request to a PHP script.
Once the OTP has been submitted, the phishing page immediately redirects the target to the legitimate university website. This redirection serves two purposes. First, it reduces suspicion by reinforcing the illusion of legitimacy, creating the impression that the authentication process was successful. Second, it ensures the target believes they have completed the requested update, despite no successful sign-in taking place.
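The flow described above leaves a recognizable footprint in web proxy logs: a page on a non-institutional host loaded with credential-like query parameters, then a POST to a PHP script, then a redirect to the legitimate university domain, all from the same client in a short window. The detection logic below is an added example, not code from the Abnormal report or the phishing kit; the log layout, the parameter names in CRED_PARAMS and UNIVERSITY_DOMAIN are assumptions, and the log lines are constructed.

```python
# Added example, not from the Abnormal report: flag the three-step kit flow in
# proxy logs, (1) credential-like query parameters on a non-institutional host,
# then (2) a POST to a .php path and (3) a redirect to the university domain.
# Log layout, CRED_PARAMS and UNIVERSITY_DOMAIN are assumptions; lines are constructed.
from urllib.parse import parse_qs, urlsplit

UNIVERSITY_DOMAIN = "example.edu"  # assumption: the legitimate portal's domain
CRED_PARAMS = {"username", "user", "email", "password", "pass", "pwd"}  # assumption
WINDOW_SECONDS = 300
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample log: epoch_seconds client method url status [location]
SAMPLE_LOG = """\
1000 10.0.0.5 GET https://sso-example-edu.example/login.html 200
1020 10.0.0.5 GET https://sso-example-edu.example/duo.html?username=jdoe&password=REDACTED 200
1060 10.0.0.5 POST https://sso-example-edu.example/submit.php 200
1061 10.0.0.5 GET https://sso-example-edu.example/done.html 302 https://www.example.edu/
2000 10.0.0.9 GET https://sso.example.edu/login?username=jdoe 200
"""

def parse_line(line: str) -> dict:
    # Split one constructed log line into its fields; the location is optional.
    parts = line.split()
    return {"ts": int(parts[0]), "client": parts[1], "method": parts[2],
            "url": parts[3], "status": int(parts[4]),
            "location": parts[5] if len(parts) > 5 else ""}

def is_institutional(url: str) -> bool:
    # True when the URL's host is the university domain or one of its subdomains.
    host = urlsplit(url).hostname or ""
    return host == UNIVERSITY_DOMAIN or host.endswith("." + UNIVERSITY_DOMAIN)

def carries_credentials(url: str) -> bool:
    # True when the query string carries a credential-like parameter name.
    return bool(CRED_PARAMS & {k.lower() for k in parse_qs(urlsplit(url).query)})

def detect(log_text: str) -> list:
    """Return (client, host, ts) for each credential-carrying page load on a
    non-institutional host that the same client follows with a .php POST and a
    redirect to the institution's domain within WINDOW_SECONDS."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    for i, e in enumerate(events):
        if is_institutional(e["url"]) or not carries_credentials(e["url"]):
            continue
        later = [x for x in events[i + 1:] if x["client"] == e["client"]
                 and x["ts"] - e["ts"] <= WINDOW_SECONDS]
        posted = any(x["method"] == "POST" and urlsplit(x["url"]).path.endswith(".php")
                     and not is_institutional(x["url"]) for x in later)
        redirected = any(x["status"] in REDIRECTS and x["location"]
                         and is_institutional(x["location"]) for x in later)
        if posted and redirected:
            hits.append((e["client"], urlsplit(e["url"]).hostname, e["ts"]))
    return hits
```

Credential values should never be written to a detection's output; the sample line already carries a redacted password, and a real deployment should mask the query string before logging hits.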
Account Takeover and Post-Compromise Activities
After the target has interacted with the phishing email, provided their credentials, and submitted the second-factor authentication details, the threat actor proceeds with the next stage of the attack: account takeover.
The threat actors leveraged access to the compromised accounts, employing typical techniques for financially motivated email attacks, including reconnaissance, mail filter rule creation, and lateral phishing. A major focus of the post-compromise phase was on establishing persistence and scaling the campaign by weaponizing the targeted environment itself.
One observed tactic involved the creation of mailbox rules designed to support and conceal large-scale lateral phishing campaigns. These rules suppressed or redirected messages that could alert the account owner, reducing the likelihood that suspicious activity would be noticed.

The attackers used the compromised accounts to send additional phishing emails to other members of the same organization. These emails replicated the content and infrastructure described earlier in the report, including cloned login portals and credential-harvesting pages.

In some instances, attackers also deployed financially oriented mail filters aimed at data exfiltration. These rules automatically forwarded payroll and direct deposit–related communications to external attacker-controlled email addresses, allowing sensitive financial details to be siphoned off without requiring continuous manual access.

By combining lateral phishing with financial exfiltration, the actors expanded the number of compromised accounts and enabled direct monetization of access via payroll fraud.
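The two rule patterns described in this section, rules that hide messages which could alert the account owner and rules that forward payroll and direct deposit mail to external addresses, can be audited from an export of each mailbox's rules. The script below is an added example and is not code from the Abnormal report; ORG_DOMAIN, the simplified rule-record layout and the sample rules are assumptions and constructed data, not any real tenant's output.

```python
# Added example, not from the Abnormal report: audit exported mailbox rules for
# the two patterns described above, rules that hide messages which could alert
# the owner and rules that forward payroll/direct-deposit mail externally.
# ORG_DOMAIN, the record layout and the sample rules are assumptions/constructed.
import re

ORG_DOMAIN = "example.edu"  # assumption: the institution's own mail domain
FINANCE_TERMS = re.compile(r"payroll|direct deposit|w-?2|tax form", re.I)
ALERT_TERMS = re.compile(r"undeliverable|suspicious|phish|security|alert", re.I)
HIDE_ACTIONS = {"delete", "move_to_rss", "move_to_archive", "mark_read"}

# Constructed sample rules in a simplified shape: mailbox, name, condition, action.
SAMPLE_RULES = [
    {"mailbox": "prof@example.edu", "name": "housekeeping",
     "subject_contains": ["payroll", "direct deposit"],
     "action": "forward", "forward_to": "hr-updates@mail-example.com"},
    {"mailbox": "prof@example.edu", "name": "cleanup",
     "subject_contains": ["undeliverable", "suspicious", "phish"],
     "action": "delete"},
    {"mailbox": "staff@example.edu", "name": "grants",
     "subject_contains": ["NSF"], "action": "forward",
     "forward_to": "pi@example.edu"},
]

def is_external(address: str) -> bool:
    """True when the recipient address is outside the institution's domain."""
    return not address.lower().endswith("@" + ORG_DOMAIN)

def classify_rule(rule: dict) -> list:
    """Return the findings (possibly empty) for one mailbox rule."""
    findings = []
    action = rule["action"]
    keywords = " ".join(rule.get("subject_contains", []))
    target = rule.get("forward_to", "")
    if action in ("forward", "redirect") and is_external(target):
        findings.append("external %s to %s" % (action, target))
        if FINANCE_TERMS.search(keywords):
            findings.append("matches payroll/direct-deposit traffic")
    # A redirect leaves no copy in the mailbox, so it hides mail just as delete does.
    if (action in HIDE_ACTIONS or action == "redirect") and ALERT_TERMS.search(keywords):
        findings.append("hides messages that could alert the account owner")
    return findings

def audit(rules: list) -> dict:
    """Map each suspicious rule ("mailbox/name") to its list of findings."""
    report = {}
    for rule in rules:
        findings = classify_rule(rule)
        if findings:
            report[rule["mailbox"] + "/" + rule["name"]] = findings
    return report
```

Running audit over a real export (for example, the per-mailbox inbox rules pulled from Microsoft 365 or Google Workspace) turns each flagged rule into a remediation ticket: remove the rule, reset the account, and review the sent items for lateral phishing.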
The Stakes for Higher Education
The attackers' strategic focus on educational institutions reflects an understanding that academic environments present unique vulnerabilities. Specifically, decentralized communication patterns, diverse user populations with varying security awareness levels, and institutional cultures that prioritize accessibility over rigid security controls create ideal conditions for threat actors.
By weaponizing familiar academic processes such as staff recognition programs and administrative notifications, cybercriminals effectively transform routine institutional communications into attack vectors. This creates significant operational disruption potential. Observed and likely scenarios include:
Account lockouts and helpdesk overload, as compromised accounts require mass resets.
Loss of trust in institutional email, undermining communication among students, faculty, and staff.
Payroll fraud and financial losses, enabled by malicious mailbox rules forwarding sensitive data externally.
Research and partner risk, with attackers potentially accessing grant-related data and targeting government or commercial collaborators.
Reputational harm, as faculty and students question the university’s ability to secure core services.
Strategic Recommendations for Security Leaders
Security professionals must recognize that modern threat actors increasingly operate with the strategic planning and operational discipline traditionally associated with advanced persistent threat groups. Because sophisticated attack techniques have been commoditized, defensive capabilities must evolve accordingly: behavioral detection should take precedence over signature-based approaches, and user education must address the psychological manipulation techniques at the core of these campaigns.
More specifically, security leaders need to take the following strategic actions:
Fortify identity and mailbox protections (e.g., shorten OTP validity, block risky inbox rules).
Enforce risk-based access controls that evaluate device trust and geolocation.
Deliver targeted security awareness training focused on compromised-account phishing and multi-step OTP capture flows.
Deploy advanced detection capable of identifying phishing attacks that exploit trusted cloud services.
Implement behavioral account protection to detect and remediate compromised accounts in real time.
Continuously monitor SaaS posture across Microsoft 365 and Google Workspace.
Educational institutions face unique challenges, but with the right identity protections, behavioral analytics, and targeted training, these campaigns can be detected and stopped before damage occurs. Defenders must match attackers’ strategic planning with equally strategic defenses, building resilience across both technology and human layers.
Download the Complete Report
This blog post only scratches the surface of this campaign. The full report includes:
Strategic URL obfuscation techniques
Additional attack variants
Analysis of attacker infrastructure
Detailed JavaScript snippets revealing OTP theft
Campaign evolution over time
Complete victimology and list of IOCs
Download Compromising Campus Accounts: Attackers Harvest Credentials and Duo OTPs for Account Takeover today.