<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">CoIT Members,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We are sharing this threat advisory with you.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:#2F5496">April Goode, MBA, SPP<br>
</span></b><span style="color:#2F5496">Director of OneNet Strategic Planning and Communications<br>
Oklahoma State Regents for Higher Education<br>
405.225.9251<br>
<a href="mailto:april@onenet.net" target="_blank"><span style="color:blue">april@onenet.net</span></a></span><o:p></o:p></p>
<div id="divtagdefaultwrapper">
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">>>>><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">Subject: Threat Advisory: Higher Education Alert ( OK-ISAC )<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p><span style="color:black">Good Morning, </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="color:black">Passing along a threat advisory from Texas A&M and provided by the OK-ISAC on a phishing campaign targeting Higher Education. Please see the summary below along with additional details such as IOCs in the attached file.
</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="color:black">Summary</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="color:black">On September 17, 2021, the Texas A&M Engineering Cyber Response Team (CRT) became aware of a widespread targeted phishing campaign by a persistent threat actor. This campaign is targeting higher education institutions with the goal
of gaining access to those institutions' mail servers to engage in further phishing attacks internally and externally. CRT analysts assess that the primary goal of this campaign is to leverage trusted mail infrastructure to conduct phishing attacks against
financial sector customers; however, the group may additionally make use of gathered credentials for other operations. This actor has engaged in this activity since early 2017 and has engaged with nearly identical tradecraft over the past four years. They
have recently proven their capability to bypass 2FA by prompting users to provide OTPs or approve requests.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="color:black"> </span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><b><span style="color:black">Details</span></b><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="color:black">In this phishing campaign, the actor was successful in phishing and bypassing Two-Factor Authentication (2FA) against UNIVERSITY with upwards of 15 compromised user accounts. The actor used a consistent method to access these 2FA
protected accounts. The actor harvested credentials and the DUO Mobile Passcode from USER. The actor immediately used USER’s credentials and DUO Mobile Passcode to authenticate to UNIVERSITY’s account management service. This allowed the actor to add a new
device to USER’s DUO profile for 2FA. With an actor-controlled device added for 2FA, the actor authenticated to Microsoft Office 365 using USER’s credentials and a 2FA DUO push responded to on the actor-controlled phone. The actor authenticated to the Exchange
Outlook Web Application from the actor-controlled phone. The actor then authenticated to UNIVERSITY’s Virtual Open Access Lab environment using the DUO Mobile Passcode from the actor-controlled phone. With this access, the actor downloaded mass mailing applications
and began sending internal and external phishing emails.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="color:black">Thanks, <br>
Chris Kosciuk</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
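<p class="MsoNormal">The sequence in the Details section (a passcode login, an immediate new 2FA device enrollment, then logins approved from that new device) can be hunted for in authentication logs. The following is an added example, not part of the original advisory or of any vendor tooling; the event schema, action names, application labels and sample rows are constructed assumptions, not a real Duo or Microsoft 365 log format.</p>

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema:
# (time, user, action, device, source IP, application). Not a real Duo or M365 log format.
EVENTS = [
    ("2021-09-01T08:00:00", "alice", "passcode_auth", "phone-A", "10.1.1.5", "o365"),
    ("2021-09-10T09:00:00", "alice", "passcode_auth", "phone-A", "10.1.1.5", "acct-mgmt"),
    ("2021-09-10T09:05:00", "alice", "device_enrolled", "phone-A2", "10.1.1.5", "acct-mgmt"),
    ("2021-09-17T14:00:00", "bob", "push_auth", "phone-B", "10.2.2.7", "o365"),
    ("2021-09-17T14:02:00", "bob", "passcode_auth", "phone-B", "203.0.113.9", "acct-mgmt"),
    ("2021-09-17T14:03:00", "bob", "device_enrolled", "phone-X", "203.0.113.9", "acct-mgmt"),
    ("2021-09-17T14:06:00", "bob", "push_auth", "phone-X", "203.0.113.9", "o365"),
    ("2021-09-17T14:20:00", "bob", "passcode_auth", "phone-X", "203.0.113.9", "lab"),
]

def find_suspicious_enrollments(events, before=timedelta(minutes=10),
                                after=timedelta(hours=1)):
    """Flag 2FA device enrollments matching the sequence in the advisory."""
    zero = timedelta(0)
    rows = sorted((datetime.fromisoformat(e[0]),) + tuple(e[1:]) for e in events)
    first_seen = {}  # (user, ip) -> earliest time that IP appeared for that user
    for ts, user, _, _, ip, _ in rows:
        first_seen.setdefault((user, ip), ts)
    findings = []
    for ts, user, action, device, ip, _ in rows:
        if action != "device_enrolled":
            continue
        # The enrolling IP only appeared for this user within the last few minutes.
        new_ip = before >= ts - first_seen[(user, ip)]
        # A passcode login by the same user shortly before the enrollment.
        primed = any(u == user and a == "passcode_auth" and before >= ts - t >= zero
                     for t, u, a, _, _, _ in rows)
        # Applications reached with the newly enrolled device soon afterwards.
        apps = sorted({app for t, u, a, d, _, app in rows
                       if u == user and d == device and a.endswith("_auth")
                       and after >= t - ts >= zero})
        if new_ip and primed and apps:
            findings.append({"user": user, "device": device, "ip": ip, "apps": apps})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_enrollments(EVENTS):
        print(finding)
```

<p class="MsoNormal">The time windows are tunable assumptions; an enrollment from an address the user has a history with, such as the constructed "alice" rows, is not flagged.</p>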
</body>
</html>