LARGE UNIVERSITY 365 ADMIN BREACH DISCOVERED

During an incident response triage workflow, a Roadmap security analyst discovered that a suspected email based phishing attack was not only malicious but appeared to come from a nationally recognized University in the United States.

While it may sound like this school got into the hacking
business, this security event in most cases just confirms
that one or more users’ email accounts have been
compromised and are being used for malicious
purposes unknown to them.
However, in this case, the email address used did not
conform to the University typical email address patterns, which raised another red flag to Roadmap’s analysts.

Upon reaching out to and further discovery with the
University, un-authorized admin access had been
discovered and confirmed to have been created from a
remote location.

W H Y  I S  T H I S  I M P O R T A N T

This level of unknown access grants an attacker infinite
privileges to harm both the University, as well as steal
their trusted reputation to harm others.
Identification of this type of breach is imperative in
preventing advanced cyber incidents such as
ransomware and sensitive data exposure.

 Initial Discovery

• Email-based phishing attack was
  forwarded to Roadmap’s incident
  response team for analysis.

Triage

• Email confirmed to have embedded
  attachment containing advanced
  malware disguised as an invoice
• Embedded HTML file utilizes several
  obfuscate and persistence
  techniques to evade detection and
  run PowerShell commands
• Origin confirmed as a large
  University in the United States
• Email account created for
  malicious purposes unknown to the
  University security team
• Admin access from an unauthorized remote location
  discovered