Narrowly targeted emails appear to come from students’ parents, guardians
Proofpoint researchers recently observed a highly customized and narrowly targeted phishing campaign impacting members of the education industry. Senders pose as a parent or guardian submitting an assignment on a student’s behalf, claiming that the student encountered technical issues when trying to submit the assignment themselves. The emails attempt to lure in their targets by using an emotional plea from the “parent” to accept the assignment submission over email because the child was unable to submit the “usual way.”
Subject lines seen in the campaign included “Son's Assignment Upload,” “Assignment Upload Failure for [Name],” and “[Name]'s Assignment Upload Failed.” A malicious attachment masquerading as an assignment—“steph-assignment.docx” inside a zip file “steph-assignment.zip,” for example—ultimately led to the download of a custom ransomware payload. Individual teachers were targeted in these attacks, their email addresses likely pulled from public pages of a school website.
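One way to triage inbound mail against the indicators described above, as an added example that is not Proofpoint's code: it flags messages whose subject matches the reported subject lines and zip attachments that contain a Word document. The function names and the treatment of “[Name]” as a wildcard are assumptions, and the sample message builder produces constructed test data only.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines reported on this page; "[Name]" is treated as a wildcard (assumption).
SUBJECT_PATTERNS = [
    re.compile(r"^son's assignment upload$", re.I),
    re.compile(r"^assignment upload failure for .+$", re.I),
    re.compile(r"^.+'s assignment upload failed$", re.I),
]
WORD_EXTENSIONS = (".doc", ".docx", ".docm")

def normalize(subject):
    # Fold typographic apostrophes and strip reply/forward prefixes.
    subject = subject.replace("\u2019", "'").strip()
    return re.sub(r"^((re|fwd?):\s*)+", "", subject, flags=re.I)

def triage(raw_message):
    """Return the reasons a message resembles the lure (empty list if none)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    if any(p.match(normalize(str(msg["Subject"] or ""))) for p in SUBJECT_PATTERNS):
        reasons.append("subject matches reported lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            reasons.append(f"unreadable zip attachment: {name}")
            continue
        docs = [m for m in members if m.endswith(WORD_EXTENSIONS)]
        if docs:
            reasons.append(f"zip attachment {name} contains Word document(s): {docs}")
    return reasons

def build_sample(subject, zip_name, member_name):  # constructed test message
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real document")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Constructed body for testing.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

A match is a reason to hold the message for review rather than proof of compromise, since legitimate senders also mail zipped Word documents.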
This campaign seeks to take advantage of the widely acknowledged technology issues facing students, families, and educators. It’s an excellent example of threat actors leveraging timely, relevant content to lure targets into making poor decisions.
We suggest you communicate this threat to your organization’s educators and support staff as soon as possible. It is also wise to consider alerting students, parents, and guardians to attackers’ focus on this type of interaction. Though this particular campaign targeted teachers, it’s conceivable threat actors could manipulate this model in multiple ways to disrupt education institutions.
Following is suggested messaging you can use in email or other internal communication channels to alert staff members to this threat. You will find the example images in the Zip file you downloaded. They are included below for reference on placement.
If you wish to test your users’ response to this type of lure, use the “Missing Assignment (Threat Alert)” attachment-based template in the ThreatSim® Phishing Simulations library.
We have recently learned about a phishing campaign that has been targeting educators, using infected attachments that masquerade as student assignments. As you will remember, ransomware is a type of malicious software that locks or encrypts files and systems, with the attacker demanding a ransom payment in exchange for granting access to data and devices.
Emails in this campaign have been highly targeted; messages were sent to individual teachers, with email addresses likely pulled from public pages of school websites. The sender poses as a parent or guardian submitting an assignment on a student’s behalf, claiming that the student encountered technical issues. The message attempts to lure the target by using an emotional plea from the “parent” to accept the assignment submission over email because the child was unable to submit the “usual way.”
Subject lines seen in the campaign include the following:
Son's Assignment Upload
Assignment Upload Failure for [Name]
[Name]'s Assignment Upload Failed
As seen in the first image below (partially disguised for privacy and safety), messages included a malicious attachment masquerading as an assignment. Those who interacted with the Word document inside the Zip file were prompted to “enable editing” and “enable content” (see the second image). These actions led to a ransomware infection, where files on the device were encrypted and victims were served a ransom message (like that in the third image).
Images courtesy of Proofpoint.com
This campaign seeks to take advantage of the widely acknowledged technology issues facing students, families, and educators. It’s an excellent example of a timely, relevant, and personalized phishing attack. You must remember that surface clues can be deceiving. Malicious messages can look right, sound right, and appear to come from trusted sources.
You are a critical line of defense against cyberattacks like this. Ransomware is an extremely destructive and disruptive type of malicious software. It can do considerable damage to our organization and to your personal device and files.
If you receive an unexpected email that prompts you to download a file, do not interact with it until you are certain it is safe. You must confirm the validity of any attachment that is unsolicited or is delivered outside of secure submission channels.
Remember: Scammers use publicly available information to target and tailor their attacks. These efforts fool many people—but you don’t have to fall for these tricks. Instead, apply what you’ve learned in our security awareness training program to keep your devices and data safe. And be sure to report any suspicious messages by clicking the “Report Phish” button in your email toolbar.