These are recent Phishing examples The Office of Information Security has seen attacking the campus.
Date: 4/25/2024
Subject: REMOTE JOB PLACEMENT
Comments
- Please look at policy tips - this one said "You dont often get email from <senderaddress>
- External Tag is on
- Always be suspicious when emails pursuade you to move the conversation to text message
Date: 3/24/2024
Subject: Dr. Mark R. Ginsberg shared a document with you
Comments:
- Fake sharing document from the President
- Sender is external
- External Tag is on
Date: 3/22/2024
Multiple subjects like the ones below
Subject: Document form HP LaserJet ProScanner
Subject: Towson Signature Required"Cyrus Cronin" <Cyrus_Cronin4@hagenes-zulauf.com> - 3/25/2024
Subject: Scanned image from MX-M565N
Comments:
- External Tag
- Attachment is a document that tells you to click on a malicious link
- Sender is also external
Date: 2/12/2024
Multiple Subjects and varieties like below
Subject: Notice of Portal Termination
Subject: Notice of Termination
Subject: Opportunity for All
Subject: Job Opening for All
Subect: Work at your convenience
Comments:
- Compromised TU student sending the messages
- Link goes to a google form that is asking for email addresses, phone numbers, Words of Identification? (Passwords)
- You will then receive a text message if phone number is submitted
Date: 2/13/2024
Multiple Subjects and varieties like below
Subject: FTP Billing and Financial Aid Update 2/13/2014
Subject: Financial Aid Update
Comments:
- Compromised student sending the email
- attachment tells you to email an address and wait for more instructions
Date: 2/12/2024
Subject: You have got an urgent message from Towson University
Comments:
- External Tag
- Generic greeting
- Attacker trying to move conversation off of TU resources
Date: 2/9/2024
Subject: TOWSON administrator has started the procedure.
Comments:
- Compromised student account sending email so no external tag
- Link was to an external site
Date: 2/6/2024
Subject: W: TOWNSON UNIVERSITY NEWSLETTER!!!
Comments:
- External Tag
- Subject has Towson spelled wrong
- Attachment has a link that is broken
Date: 2/6/2024
Subject: Introducing the 2024 Assistance Program: Secure Financial Support for Families and Employees
Comments:
- External Tag
- External Sender
- External Link brings up a fake login page and tells you to check for MFA prompts
-
Date: 2/3/2024
Subject: Updated Pay Dates
Comments:
- Very Good Phish
- External Tag, Sender is from a different domain
- Link is to an external site that is a cloned Towson Page
- Asks for Duo Codes
Date: 1/29/2024
Subject: Payroll schedule 2024!
Comments:
- External Tag External Sender
- Link has non standard characters
- link goes to a Non TU URL which then impersonates our login page and then a fake Duo MFA page
- Eventually you end up with a fake payroll calendar from 2022
Date: 1/11/2024
Subject: SCHOOL UPDATE
Comments:
- External Tag, external sender
- Offer too good to be true
- Link is to a form that requests personal information, see example below
Date: 1/07/2024
Subject: Total compensation statements for towson Staffs/Non-Staffs
Comments:
- External Tag
- Sender Address is from another .edu
- Link is to a google form
- Grammar and Punctuation is incorrect
Date: 1/3/2024
Subject: MESSAGE FROM ADINM
Comments:
- Sender address is a towson student, so why would official email to change something come from that
- No external tag because of student address
- Grammar and Spelling is bad
Date: 12/19/2024
Subject: Open Enrollment for 2024 for all Towson Employee
Comments:
- External Tag is on
- Sender Address is not Towson
- PDF Attachment has a QR code with a link to a Russian URL that hosts a malicious Microsoft Credential Capturing form
- TU will never use a QR code for official communication
Date: 12/14/2023
Subject: Today@TU - 12/14/2023 | Release Messages
Comments:
- This was a good one
- External Tag is on
- Sender Address is Random characters @ another .edu
- link goes to a Non TU URL which then impersonates our login page
If credentials are entered a duo page will appear
Date: 12/11/2023 --Multiple Emails same tactics
Subject: YETI_30 OZ TRAVEL MUG Confirmation
Subject: Re: 2nd attempt for <Username>
Subject: Important for <Username>, congrats You Are Our <Month> Winner
Subject: Dicks Sporting Goods Surprise: You Are Our Today's Winner , You've been selected!
Comments:
- External Tag
- sending address is suspicious random characters @ randomcharacters.onmicrosoft.com YETI-Surprise <info_cIrOIHKUREp@xv917y1.onmicrosoft.com>
- Embedded link in the image to suspicious random characters.blob.core.windows.net/random characters https://sgqfdghqsfdtyzrt[.]blob[.]core[.]windows[.]net/sgqfdghqsfdtyzrt/url[.]html
- Random email giving away free items?
- We have seen this done with other giveaways but tactics are the same, random onmicrosoft.com sending address and random blob.core.windows.net URL and some sort of congratulations on winning something
Date: 11/6/2023
Subject: The Care Employment Opportunity
If you open the attachment
Comments:
- Not from official TU Job boards
- Offer is too good to be true
- Body of the email tells you to move the communications to a personal email platform
Date: 10/19/2023
Subject: Banks, Sean shared "Faculty Application for Employment " with you
Comments:
- Sender shared the file, but the description has a different name.
- Link is not to TU SharePoint
Date: 10/19/2023
Subject: Document for Dr. Melanie Perreault
Comments:
- External Tag
- Google Sharing
- Sender and description have a different name
- Sender is not from Towson
Date: 10/13/2023
Subject: PASSWORD RESET REMINDER
Comments:
Date: 9/20/2023
Subject: Attention: Re-authenticate 2 Factor Authentication (2Fa) for <USERNAME> on Friday-September-2023 11:28 AM
Comments:
- OTS will not ask you to scan QR codes in emails
- External Tag is at the bottom
- Sender address is not Towson
Date: 9/19/2023
Subject: About Piano
Comments:
- Offer is to good to be true
- There are various different versions of this email
Date: 9/6/2023
Subject: I Recorded You
Comments:
- Very common scam email, attackers send this to thousands and try to get one or two to send money
- The request is absurd
- Bitcoin is used all the time during scams
- If you think your account is compromised please reach out to phishing@Towson.edu
Date: 9/2/2023
Subject: Administrative Assistant/Project Coordinator
Comments:
- Offer is too good to be true
- Reply email is not associated with the University
- If you reply the attackers will try to move to another means of communication, like SMS or personal email
Date: 8/17/2023
Subject: Kindly provide your cell number that i can reach you at
OR
Subject: Available, Cell Phone Number?
Comments:
- Email address does not match name of sender
- External Tag
- The main hook is to get this conversation to another means of communication where security controls do not exist
- End game is for the user to go and buy gift cards and send the numbers to the malicious actor
- Grammar in the text message is poor
Date: 8/17/2023
Subject: Required | Towson Multi-Factor Auth
Comments:
- This is a pretty good one, there is no external tag
- If you actually did scan the QR code there were multiple redirects that ultimately ended on a malicious credential capture page
- TU does not use Microsoft MFA
Date: 7/24/2023
Subject: Gary Spencer shared "ATHLETICS INFORMATION REPORT SUMMARY" with you.
Comments
- Subject sharing name is different from the body of the email. Urgency in the body of the email
- Punctuation in body of email
- URL when you mouse over the link.
Date: 7/24/2023
Subject: Retirement Planning Sessions for the University System of Maryland Employees
Comments
- External Tag
- From Address