
Higher ed phishing and OTP theft: what IAM teams need to harden


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Attackers are using compromised university accounts, cloned sign-in pages, and Duo OTP interception to scale account takeover across 40+ organisations and 30+ universities, then hide activity with mailbox rules and lateral phishing, according to Abnormal AI. The programme gap is not MFA alone, but trust, inbox, and behavioural controls that assume institutional email remains benign.

NHIMG editorial — based on content published by Abnormal AI: Compromising campus accounts with credential and Duo OTP theft

By the numbers:

Questions worth separating out

Q: How should security teams respond when a trusted internal account starts sending phishing emails?

A: Treat the sender as potentially compromised immediately, even if the message originated inside the organisation.

Q: Why do Duo OTPs and similar one-time codes still fail against phishing?

A: They fail when attackers can control the entire login flow and capture both the primary credential and the second factor in sequence.

Q: What breaks when attackers create mailbox rules after account takeover?

A: Visibility breaks first, because alerts can be suppressed or redirected before the user notices suspicious activity.

Practitioner guidance

  • Detect compromised sender behaviour: Alert on unusual sending volume, new recipients, and message patterns from internal university accounts, especially when the sender identity has recent sign-in anomalies or impossible travel signals.
  • Harden inbox rule governance: Block or review high-risk mailbox rules that forward mail externally, suppress alerts, or auto-delete messages, and treat new rule creation as a high-priority compromise indicator.
  • Reduce OTP replay value: Shorten one-time password validity where possible and prefer phishing-resistant authentication for staff accounts that can access payroll, finance, or administrator workflows.

What's in the full article

Abnormal AI's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step attack flow showing how the phishing kit captures credentials and Duo OTPs across multiple pages.
  • Additional lure examples and URL obfuscation details that help practitioners recognise campaign variation.
  • JavaScript and POST-request handling used to exfiltrate OTPs, useful for defenders building detections.
  • Victimology and indicators of compromise that support incident triage and campaign scoping.

👉 Read Abnormal AI's analysis of campus account takeover and Duo OTP theft →

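The mailbox-rule guidance in the post above, as an added example that is not code from the NHIMG post or from Abnormal AI's write-up: a small Python triage that scores newly created rules by the behaviours the post calls out (external forwarding, auto-delete, hiding mail, filtering on security keywords). The rule shape, the internal domain and the sample rules are constructed assumptions for illustration, not any vendor's audit-log schema.

```python
# Added example (not code from the NHIMG post or from Abnormal AI): score newly
# created mailbox rules as account-takeover indicators. Constructed field shape.
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"campus.example.edu"}  # assumption: the institution's own domains
HIDING_FOLDERS = {"rss feeds", "deleted items", "archive", "conversation history"}
SUSPECT_TERMS = ("phish", "password", "hacked", "suspicious", "security", "duo")

@dataclass
class MailboxRule:
    user: str
    name: str
    forward_to: list[str] = field(default_factory=list)  # forward/redirect targets
    delete: bool = False                                  # auto-delete matches
    move_to_folder: str = ""                              # folder matches are moved to
    subject_filters: list[str] = field(default_factory=list)

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def score_rule(rule: MailboxRule) -> tuple[int, list[str]]:
    """(risk score, reasons). Every new rule starts at 10, as the post treats
    rule creation itself as an indicator; exfil/suppression behaviours add to it."""
    score, reasons = 10, ["new rule created"]
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        score += 50
        reasons.append("forwards mail externally to " + ", ".join(external))
    if rule.delete:
        score += 30
        reasons.append("auto-deletes matching mail")
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        score += 20
        reasons.append(f"hides matching mail in '{rule.move_to_folder}'")
    if any(t in s.lower() for s in rule.subject_filters for t in SUSPECT_TERMS):
        score += 20
        reasons.append("filters on security/phishing keywords the victim would search for")
    return score, reasons

def triage(rules: list[MailboxRule], threshold: int = 40) -> list[tuple[MailboxRule, int, list[str]]]:
    """Rules at or above threshold, highest risk first; below it, log only."""
    scored = [(r, *score_rule(r)) for r in rules]
    return sorted([t for t in scored if t[1] >= threshold], key=lambda t: -t[1])
# Constructed sample: one benign rule and two typical post-takeover rules.
SAMPLE_RULES = [
    MailboxRule("prof@campus.example.edu", "Newsletter", move_to_folder="Newsletters"),
    MailboxRule("staff@campus.example.edu", ".", forward_to=["x@mail-drop.example.net"],
                delete=True, subject_filters=["phishing", "password"]),
    MailboxRule("admin@campus.example.edu", "Cleanup", move_to_folder="RSS Feeds",
                subject_filters=["security alert"]),
]
```

Run `triage(SAMPLE_RULES)` to see the two takeover-style rules ranked above the newsletter rule; the weights are starting points to tune against the institution's own rule-creation baseline.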

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Trusted internal identity has become an attack delivery system, not just an authentication boundary. The campaign works because compromised university accounts inherit institutional credibility that external filters and human recipients are inclined to trust. That creates a governance gap across IAM, email security, and user behaviour, because the organisation’s own identity fabric is now the phishing infrastructure. Practitioners should treat internal sender trust as a control surface, not a default assumption.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Which identity controls matter most when phishing comes from compromised university accounts?

A: Prioritise authentication monitoring, mailbox-rule controls, and behavioural detection on internal senders. External filtering alone is insufficient because the attacker already has a trusted origin. University environments should also review access to payroll, finance, and administrative mailboxes more aggressively than general user accounts.

👉 Read our full editorial: Campus account takeover campaigns are bypassing MFA in higher education


