TL;DR: Attackers are using compromised university accounts, cloned sign-in pages, and Duo OTP interception to scale account takeover across 40+ organisations and 30+ universities, then hide activity with mailbox rules and lateral phishing, according to Abnormal AI. The programme gap is not MFA alone, but trust, inbox, and behavioural controls that assume institutional email remains benign.
At a glance
What this is: This is an analysis of a higher-education account takeover campaign that uses compromised university identities, cloned portals, and OTP theft to spread phishing and payroll fraud.
Why it matters: It matters because IAM, PAM, and identity lifecycle teams need controls that detect compromised senders, suppress malicious inbox rules, and treat trusted internal identity as a potential attack path.
By the numbers:
- Abnormal researchers identified more than 40 compromised organisations in this campaign.
- The campaign targeted over 30 universities and colleges.
Context
Higher education phishing is not only a mailbox problem. It is an identity trust problem, because the attacker gains reach by sending from compromised university accounts and then reusing that legitimacy to bypass external filters and user suspicion.
The campaign combines credential capture, OTP interception, mailbox rule abuse, and lateral phishing. For IAM and identity governance teams, the important question is why institutional trust is still allowed to operate as an access accelerator once an account is compromised.
Key questions
Q: How should security teams respond when a trusted internal account starts sending phishing emails?
A: Treat the sender as potentially compromised immediately, even if the message originated inside the organisation. Contain the account, review recent sign-ins, inspect mailbox rules, and search for similar messages sent to peers. Internal trust can no longer be treated as evidence of legitimacy once the account itself is the delivery vehicle.
Q: Why do Duo OTPs and similar one-time codes still fail against phishing?
A: They fail when attackers can control the entire login flow and capture both the primary credential and the second factor in sequence. A code proves that the user entered a code, not that the session was genuine. Phishing-resistant authentication reduces this gap by binding the authentication event to the real origin and device.
Q: What breaks when attackers create mailbox rules after account takeover?
A: Visibility breaks first, because alerts can be suppressed or redirected before the user notices suspicious activity. Then value extraction starts, because the same mailbox can forward payroll or finance mail externally and support lateral phishing. Inbox governance must therefore be treated as a compromise-detection control, not just an admin setting.
Q: Which identity controls matter most when phishing comes from compromised university accounts?
A: Prioritise authentication monitoring, mailbox-rule controls, and behavioural detection on internal senders. External filtering alone is insufficient because the attacker already has a trusted origin. University environments should also review access to payroll, finance, and administrative mailboxes more aggressively than general user accounts.
Technical breakdown
Compromised sender trust in university phishing
The first control failure is trust in the originating identity. When an attacker sends from a compromised university mailbox, external filters and users both treat the message as more credible, even if the content is malicious. That changes the risk profile from generic phishing to internalised phishing, where the organisation’s own identity fabric becomes the delivery channel. In decentralized environments, the attack scales because local trust is distributed across departments and campuses, while security controls are often centralised and reactive.
Practical implication: monitor for trusted-sender abuse and account behaviour changes, not just inbound spam.
OTP interception through cloned login flows
The phishing kits described here use a multi-step flow that captures username, password, and Duo OTPs before redirecting the victim to a real university site. The technical trick is not only cloning the sign-in page, but preserving the illusion of a legitimate MFA journey while exfiltrating the second factor through AJAX POST requests. That matters because OTP interception defeats assumptions that a one-time code proves a genuine authentication event. The resulting session can look clean at the edge while still being attacker-controlled.
Practical implication: pair MFA with phishing-resistant authentication and inspect authentication telemetry for unusual sequence patterns.
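The cloned-flow relay described above, reduced to a runnable model. This is an added example written for this page, not code from Abnormal AI's report or from any university's identity provider. It assumes a hostname for the real sign-in origin and a lookalike for the phishing page, implements RFC 6238 TOTP with the standard library as a stand-in for a Duo passcode, and simplifies the phishing-resistant path: the "device key" signs the challenge together with the origin using HMAC rather than a real WebAuthn public-key signature, which is enough to show why the relayed OTP is accepted while the relayed assertion is not.

```python
"""Relayed OTP passes; an origin-bound assertion signed for the fake page does not.

Added illustration for this page (not vendor or IdP code). Origins, secrets and
the HMAC-based "device signature" are constructed stand-ins.
"""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://sso.example.edu"                 # assumed real IdP origin
FAKE_ORIGIN = "https://sso-example-edu.example.net"     # assumed lookalike phishing page


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpIdP:
    """Real IdP: checks password + OTP, but cannot see *where* the user typed them."""

    def __init__(self, password: str, otp_secret: bytes):
        self.password, self.secret = password, otp_secret

    def login(self, password: str, code: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(password, self.password)
        # Accept one step of clock drift either side, as real verifiers do.
        otp_ok = any(hmac.compare_digest(code, totp(self.secret, now + d * 30)) for d in (-1, 0, 1))
        return pw_ok and otp_ok


def device_sign(device_key: bytes, challenge: str, origin: str) -> str:
    """Authenticator signs the challenge *and* the origin the browser reports (WebAuthn clientData)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return hmac.new(device_key, client_data, hashlib.sha256).hexdigest()


class OriginBoundIdP:
    """Real IdP: issues single-use challenges and verifies assertions over (challenge, REAL_ORIGIN)."""

    def __init__(self, device_key: bytes):
        self.device_key, self.challenges = device_key, set()

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def verify(self, assertion: dict) -> bool:
        c = assertion["challenge"]
        if c not in self.challenges:
            return False
        self.challenges.remove(c)  # single use: a captured assertion cannot be replayed
        expected = device_sign(self.device_key, c, REAL_ORIGIN)
        return hmac.compare_digest(expected, assertion["sig"])


def relay_otp_phish(idp: OtpIdP, victim_password: str, victim_otp_secret: bytes, now: int) -> bool:
    """Victim types password + code into the FAKE_ORIGIN page; attacker forwards both seconds later."""
    captured_code = totp(victim_otp_secret, now)           # what the victim read off their authenticator
    return idp.login(victim_password, captured_code, now + 5)


def relay_origin_bound_phish(idp: OriginBoundIdP, device_key: bytes) -> bool:
    """Attacker proxies the challenge; the victim's browser signs it for the origin it is really on."""
    c = idp.challenge()
    assertion = {"challenge": c, "sig": device_sign(device_key, c, FAKE_ORIGIN)}
    return idp.verify(assertion)


def demo() -> dict:
    """Legitimate vs relayed login on both IdP types. Expected: only the relayed FIDO-style login fails."""
    now = 1_700_000_000
    pw, seed, key = "correct horse", b"victim-otp-seed", b"device-private-key-stand-in"
    otp_idp = OtpIdP(pw, seed)
    fido_idp = OriginBoundIdP(key)
    c = fido_idp.challenge()
    return {
        "otp_legit": otp_idp.login(pw, totp(seed, now), now),
        "otp_phished": relay_otp_phish(otp_idp, pw, seed, now),
        "fido_legit": fido_idp.verify({"challenge": c, "sig": device_sign(key, c, REAL_ORIGIN)}),
        "fido_phished": relay_origin_bound_phish(fido_idp, key),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the paragraph above: the OTP IdP's decision depends only on the password and a code that is valid for anyone who holds it for the next few seconds, so a real-time relay is indistinguishable from the user. The origin-bound IdP's decision depends on data the attacker's page cannot forge, because the browser, not the phishing kit, fills in the origin before the device signs.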
Mailbox rules as post-compromise persistence
After takeover, attackers create mailbox rules to suppress alerts, forward payroll mail externally, and support lateral phishing. These rules turn the mailbox into a persistence layer, because the attacker no longer needs constant interactive access to keep harvesting value. The failure is governance over post-authentication change, not only login security. Once inbox rules can be added quietly, the attacker can hide evidence, expand reach, and monetise access through payroll fraud without triggering obvious user complaints.
Practical implication: alert on new forwarding and suppression rules as high-confidence compromise signals.
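Detection logic for the rule patterns this section describes, run over a few audit events. This is an added example for this page, not code from Abnormal AI or from any mail platform vendor. The event shape (an Operation name, a UserId and a list of name/value Parameters) is modelled on Exchange Online admin audit records such as New-InboxRule and Set-Mailbox; the sample events, the institutional domain list and the keyword list are constructed assumptions.

```python
"""Classify mailbox-rule changes from audit events as account-takeover indicators.

Added example for this page (not vendor code). Event shape modelled on Exchange
Online admin audit records; samples, domains and keywords are constructed.
"""

INSTITUTION_DOMAINS = {"example.edu"}  # assumed: domains the university owns
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history",
                  "junk email", "deleted items"}
# Words a takeover rule filters on so the victim never sees the warning or the payroll thread.
SUSPICIOUS_KEYWORDS = {"password", "security", "phish", "hacked", "payroll",
                       "direct deposit", "invoice", "mfa", "duo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords", "From")


def _params(event: dict) -> dict:
    """Flatten the Parameters list into {Name: Value}."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def _external(addr: str) -> bool:
    """True if a recipient like 'Name <user@x>' or 'smtp:user@x' is outside the institution."""
    addr = addr.strip().lower().rstrip(">").split("<")[-1]
    domain = addr.rsplit("@", 1)[-1]
    return "@" in addr and domain not in INSTITUTION_DOMAINS


def classify_rule_event(event: dict) -> tuple:
    """Return (severity, reasons) for one audit event; severity is none, medium or high."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return "none", []
    p = _params(event)
    reasons = []
    for name in sorted(FORWARD_PARAMS.intersection(p)):
        if any(_external(t) for t in p[name].split(";") if t.strip()):
            reasons.append(f"external forward via {name}")
    if p.get("DeleteMessage", "").lower() == "true" or p.get("SoftDeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("rule marks mail read")
    if p.get("MoveToFolder", "").strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {p['MoveToFolder']}")
    filter_text = " ".join(p.get(k, "") for k in FILTER_PARAMS).lower()
    hits = sorted(k for k in SUSPICIOUS_KEYWORDS if k in filter_text)
    if hits:
        reasons.append("filters on " + ", ".join(hits))
    if any(r.startswith("external forward") for r in reasons):
        severity = "high"
    elif hits and len(reasons) > 1:
        severity = "high"  # suppression action + sensitive keyword filter is the classic takeover rule
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return severity, reasons


def triage(events: list) -> list:
    """Keep only events worth an analyst's time: (user, operation, severity, reasons)."""
    out = []
    for e in events:
        severity, reasons = classify_rule_event(e)
        if severity != "none":
            out.append((e["UserId"], e["Operation"], severity, reasons))
    return out


# Constructed sample events in the assumed audit-record shape.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "a.lecturer@example.edu", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectContainsWords", "Value": "payroll;direct deposit"},
        {"Name": "ForwardTo", "Value": "A Lecturer <a.lecturer.backup@gmail.example>"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "b.admin@example.edu", "Parameters": [
        {"Name": "Name", "Value": "Cleanup"},
        {"Name": "SubjectOrBodyContainsWords", "Value": "password;security;hacked"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "c.researcher@example.edu", "Parameters": [
        {"Name": "Name", "Value": "CfP"},
        {"Name": "SubjectContainsWords", "Value": "call for papers"},
        {"Name": "MoveToFolder", "Value": "Conferences"}]},
    {"Operation": "Set-Mailbox", "UserId": "d.finance@example.edu", "Parameters": [
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:d.finance@outlook.example"},
        {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "UserId": "e.student@example.edu", "Parameters": []},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The folder list matters as much as the forwarding check: a rule that quietly moves "password" or "security" mail into RSS Feeds or Conversation History is the suppression step that keeps the victim from seeing the IdP's own new-device alert. The conference-filing rule in the sample is there to show the classifier staying quiet on ordinary user hygiene.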
Threat narrative
Attacker objective: The attacker wants durable access to university mailboxes that can be used to steal credentials, redirect financial communications, and spread phishing internally.
- Entry occurs when victims receive phishing emails sent from compromised university accounts, which helps the lure bypass suspicion and external filtering.
- Credential access happens when the target enters username, password, and Duo OTP details into a cloned portal that captures the data and then redirects the user to a real university site.
- Escalation follows account takeover, mailbox-rule creation, and lateral phishing from the compromised identity, which expands the blast radius inside the same institution.
- Impact includes payroll fraud, external forwarding of sensitive mail, helpdesk overload, and loss of trust in institutional email communications.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
NHI Mgmt Group analysis
Trusted internal identity has become an attack delivery system, not just an authentication boundary. The campaign works because compromised university accounts inherit institutional credibility that external filters and human recipients are inclined to trust. That creates a governance gap across IAM, email security, and user behaviour, because the organisation’s own identity fabric is now the phishing infrastructure. Practitioners should treat internal sender trust as a control surface, not a default assumption.
Multi-step OTP capture shows why MFA strength is not the same as phishing resistance. The portal flow captures primary credentials and Duo one-time passwords, then hands the victim back to a legitimate site so the compromise feels complete. This is a reminder that OTP-based MFA can still be socially and technically bypassed when the attacker controls the interaction sequence. Security teams need to distinguish authentication success from identity assurance.
Mailbox-rule persistence is the specific failure mode this campaign exposes. The critical governance assumption is that post-authentication mailbox state changes remain visible long enough for defenders to intervene. That assumption fails when attackers create forwarding and suppression rules immediately after takeover, because the mailbox becomes both a hiding place and a relay point. The implication is that inbox governance must be treated as part of identity lifecycle control, not only email administration.
Higher education’s decentralised operating model magnifies identity abuse. Universities combine distributed trust, variable security maturity, and high communication volume, which gives attackers room to blend in with ordinary administrative traffic. That does not make the sector uniquely weak, but it does mean identity compromise spreads faster once a single account is lost. Practitioners should design for institutional trust abuse, not only external phishing volume.
Institution-specific lure generation is compressing the attacker’s campaign cycle. AI-generated phishing text reduces the manual effort required to vary themes, tone, and target groups across campuses and departments. That does not change the identity controls required, but it does raise the speed at which attackers can test and refine delivery. The practical conclusion is that security programmes need behavioural detection and inbox governance that can keep pace with campaign adaptation.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- For lifecycle and exposure control patterns, see 52 NHI Breaches Analysis for how compromised credentials and standing access turn into sustained abuse.
What this signals
Credential theft campaigns now succeed by abusing internal trust, not only by bypassing external perimeter controls. The operational signal for practitioners is that sender reputation, inbox rule governance, and identity telemetry must be analysed together. In environments like higher education, decentralised administration makes that join even more important.
Institution-specific phishing at scale changes the security-awareness problem. When attackers can tailor lures to payroll, awards, health notices, and insurance updates, awareness training has to address familiar institutional pretexts rather than generic phishing language. That is especially true where one compromised mailbox can become the launch point for multiple follow-on attacks.
The right programme response is to treat email, identity, and access governance as one control surface. If a trusted mailbox can forward sensitive communications externally and distribute phishing internally, then the boundary between authentication, detection, and lifecycle control is already too loose.
For practitioners
- Detect compromised sender behaviour: Alert on unusual sending volume, new recipients, and message patterns from internal university accounts, especially when the sender identity has recent sign-in anomalies or impossible-travel signals.
- Harden inbox rule governance: Block or review high-risk mailbox rules that forward mail externally, suppress alerts, or auto-delete messages, and treat new rule creation as a high-priority compromise indicator. Where the mail platform allows it, disable automatic external forwarding tenant-wide rather than relying on per-rule review.
- Reduce OTP replay value: Shorten one-time password validity where possible, but treat that as a narrow gain: the cloned portal relays the code within seconds, so expiry alone does not stop this flow. Prefer phishing-resistant authentication (FIDO2/WebAuthn or equivalent) for staff accounts that can reach payroll, finance, or administrator workflows.
- Correlate email and identity telemetry: Join mailbox rule creation, authentication events, and sign-in risk into a single investigation path so takeover does not remain visible only inside one control plane.
- Train for internalised phishing: Use examples where the attacker appears to be a colleague, a department, or a campus office, because compromised internal identity is the delivery mechanism in this campaign.
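The join the "Correlate email and identity telemetry" item calls for, carried through on constructed data. This is an added example for this page, not code from Abnormal AI or from any SIEM vendor. It assumes three already-normalised event types per account (successful sign-ins with a country, mailbox-rule changes already marked risky by a separate classifier, and per-message recipient counts from message trace), and the window, burst factor and scoring weights are assumptions to tune against local data.

```python
"""Join sign-in, mailbox-rule and outbound-mail telemetry into one per-account verdict.

Added example for this page (not vendor code). Event records, thresholds and
scoring weights are constructed assumptions.
"""
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(hours=24)   # assumed: how long after a sign-in follow-on actions still count
SEND_BURST_FACTOR = 5          # assumed: recipients per message vs the account's own median


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def account_timeline(events: list, user: str) -> tuple:
    """Return (score, verdict, timeline) for one account from mixed telemetry.

    Scoring (assumed): new-country sign-in +1; risky rule +2; send burst +2; and +1 more
    for a rule or burst that lands within WINDOW of a new-country sign-in, because the
    join is what separates travel from takeover.
    """
    mine = sorted((e for e in events if e["user"] == user), key=lambda e: _ts(e["time"]))
    seen_countries, send_history, novel_signins, timeline, score = set(), [], [], [], 0

    def after_novel_signin(t: datetime) -> bool:
        return any(timedelta(0) <= (t - s) <= WINDOW for s in novel_signins)

    for e in mine:
        t = _ts(e["time"])
        if e["type"] == "signin" and e["result"] == "success":
            # Only call a country "new" once we have a baseline for this account.
            if seen_countries and e["country"] not in seen_countries:
                novel_signins.append(t)
                score += 1
                timeline.append((e["time"], f"sign-in from new country {e['country']}"))
            seen_countries.add(e["country"])
        elif e["type"] == "rule" and e["risky"]:
            score += 2
            tag = "risky mailbox rule: " + e["detail"]
            if after_novel_signin(t):
                score += 1
                tag += " (within 24h of new-country sign-in)"
            timeline.append((e["time"], tag))
        elif e["type"] == "send":
            if send_history and e["recipients"] >= SEND_BURST_FACTOR * median(send_history):
                score += 2
                tag = f"send burst: {e['recipients']} recipients vs median {median(send_history):.0f}"
                if after_novel_signin(t):
                    score += 1
                    tag += " (within 24h of new-country sign-in)"
                timeline.append((e["time"], tag))
            send_history.append(e["recipients"])

    verdict = ("takeover likely" if score >= 4 else "investigate" if score >= 2
               else "monitor" if score else "none")
    return score, verdict, timeline


# Constructed telemetry: one takeover, one traveller, one rule with no sign-in context.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "a.lecturer@example.edu", "time": "2025-09-01T08:00:00", "country": "GB", "result": "success"},
    {"type": "send", "user": "a.lecturer@example.edu", "time": "2025-09-01T09:10:00", "recipients": 6},
    {"type": "signin", "user": "a.lecturer@example.edu", "time": "2025-09-05T08:12:00", "country": "GB", "result": "success"},
    {"type": "send", "user": "a.lecturer@example.edu", "time": "2025-09-05T11:00:00", "recipients": 9},
    {"type": "signin", "user": "a.lecturer@example.edu", "time": "2025-09-10T07:58:00", "country": "GB", "result": "success"},
    {"type": "send", "user": "a.lecturer@example.edu", "time": "2025-09-10T14:30:00", "recipients": 7},
    {"type": "signin", "user": "a.lecturer@example.edu", "time": "2025-09-15T02:10:00", "country": "XX", "result": "success"},
    {"type": "rule", "user": "a.lecturer@example.edu", "time": "2025-09-15T02:25:00", "risky": True, "detail": "external forward + delete on 'payroll'"},
    {"type": "send", "user": "a.lecturer@example.edu", "time": "2025-09-15T07:40:00", "recipients": 310},
    {"type": "signin", "user": "b.admin@example.edu", "time": "2025-09-01T09:00:00", "country": "GB", "result": "success"},
    {"type": "signin", "user": "b.admin@example.edu", "time": "2025-09-12T15:00:00", "country": "US", "result": "success"},
    {"type": "signin", "user": "c.finance@example.edu", "time": "2025-09-01T08:30:00", "country": "GB", "result": "success"},
    {"type": "rule", "user": "c.finance@example.edu", "time": "2025-09-14T10:00:00", "risky": True, "detail": "move 'security' mail to RSS Feeds"},
]

if __name__ == "__main__":
    for u in sorted({e["user"] for e in SAMPLE_EVENTS}):
        print(u, account_timeline(SAMPLE_EVENTS, u))
```

The traveller and the takeover look identical to the sign-in log alone, and the finance rule looks like a configuration change to the mail admin alone. Only the account-keyed join produces the ordering that the incident responder needs: new origin, then rule, then outbound burst, all inside one day.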
Key takeaways
- This campaign shows that compromised internal accounts can become the most effective phishing infrastructure inside a university.
- The evidence points to a combined failure of MFA resistance, inbox governance, and behavioural detection, not a single broken control.
- Teams that want to reduce this risk need tighter mailbox-rule monitoring, phishing-resistant authentication, and joined-up identity telemetry.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI4:2025 Insecure Authentication | OTP-based MFA that can be relayed through a cloned flow is the kind of weak authentication this entry covers; the campaign targets human accounts, so the mapping is by analogy. |
| NIST CSF 2.0 | PR.AA-03, PR.AA-05 (PR.AC-4 in CSF 1.1) | Identity abuse here is an authentication and access-control failure across email and downstream payroll data. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets (per-session access, dynamic authentication and authorisation) | The campaign exploits the standing trust in an authenticated mailbox that these tenets are meant to limit. |
Review NHI lifecycle events and alert on rule creation, forwarding, and suspicious session reuse.
Key terms
- Compromised Sender Trust: A condition where phishing messages sent from a legitimate internal account inherit enough credibility to evade suspicion and some filtering. In identity terms, the sender’s authenticated status becomes part of the attack path, which means trust must be evaluated dynamically after compromise rather than assumed at delivery time.
- Mailbox Rule Abuse: The creation of forwarding, suppression, or deletion rules inside a mailbox after takeover. These rules help attackers hide alerts, move sensitive mail to external addresses, and keep access useful even when they are not actively logged in. It is a post-authentication persistence mechanism, not just an email admin issue.
- Phishing-Resistant Authentication: An authentication method that binds the login event to the real device, origin, or cryptographic credential so an attacker cannot simply relay a code into a fake page. It materially reduces the value of captured passwords and OTPs, especially when the adversary controls the login sequence.
- Lateral Phishing: The use of one compromised account to target other people inside the same organisation. The attacker leverages internal legitimacy to increase click-through and reduce suspicion, which can rapidly expand the incident from one mailbox to a broader identity compromise across a department or campus.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: Compromising campus accounts with credential and Duo OTP theft. Read the original.
Published by the NHIMG editorial team on 2025-10-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org