Example of Hijacked Student Accounts to Launch BEC-Style Attack


Introduction

Business Email Compromise (BEC) attacks are some of the most popular and devastating attacks out there. They work, broadly, by sending an email from a spoofed or legitimate address and then asking someone to do something. 

Spoofed-address variants are difficult to spot, although a clue usually lies in the Reply-To address. When a genuine account is compromised and then used to send out BEC-style emails, the messages become much harder to identify.

Though this example was reported in the US, it could just as easily become a reality in Indian educational organisations and businesses. According to Check Point’s Threat Intelligence Report, an organization in India was attacked on average 1,742 times per week over the last 6 months, compared to 1,167 attacks per organization globally, and 70% of the malicious files seen in India in the last 30 days were delivered via email. The most impacted industry over the last six months is, unsurprisingly, the Education and Research sector, with 3,861 weekly attacks in India versus 2,230 weekly attacks globally.

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how legitimate college student email accounts are being compromised, and then used to send out larger BEC and credential harvesting campaigns. 

Attack

In this attack, hackers are compromising student accounts to launch broader BEC and credential harvesting attacks. 

  • Vector: Email
  • Type: BEC, Credential Harvesting
  • Techniques: Account Takeover
  • Target: Any end-user

Email Example #1

This email is sent from a legitimate university account. It uses standard social engineering to convey a sense of urgency: messages have been blocked, and the only way to release them is to click the link. In this case, 11 emails are waiting to be reviewed.

Email Example #2

When hovering over the “Release messages” button, the URL at first appears to point to a Buy Now, Pay Later service called Tabby. Look a little further down the URL string, however, and you’ll see a redirect to a different site. That redirect leads to a credential harvesting page.

Techniques

We’ve seen a sharp uptick in threat actors compromising student accounts and then using them to send out BEC and credential harvesting messages.

In this case, this same compromised account sent out numerous messages to a variety of organizations.

The university, based in Arizona, is not an Avanan customer, and it’s not clear how the compromise began.

Regardless, this represents an effective tactic for attackers. Compromising a student account can be done quite efficiently. From there, leveraging the legitimacy of that email account, it’s easy to send the same message to many different targets.

That makes this an effective way for hackers to send out a wide spectrum of messages with just one compromise. 

There are tells in the email, such as where the URL ultimately goes and the fact that a university student account would not be used to send IT support messages.
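The two tells discussed above (a Reply-To address that does not match the sender, and a link to a legitimate service whose query string carries a redirect to another host) can be checked mechanically. The following is an added example written for this page, not Avanan or Check Point code; the message and every domain in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, unquote, urlparse

URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def embedded_redirects(url: str) -> list[tuple[str, str]]:
    """Find query-string values that are themselves absolute URLs to another host.

    Returns (outer_host, inner_host) pairs; an empty list means no cross-host
    redirect is hidden further down the URL string.
    """
    outer = urlparse(url)
    hits = []
    for values in parse_qs(outer.query, keep_blank_values=True).values():
        for value in values:
            inner = urlparse(unquote(value))  # unquote again for double-encoded values
            if (inner.scheme in ("http", "https") and inner.netloc
                    and inner.netloc.lower() != outer.netloc.lower()):
                hits.append((outer.netloc.lower(), inner.netloc.lower()))
    return hits


def analyse(raw_message: str) -> list[str]:
    """Return findings for a single (non-multipart) RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != sender.rpartition("@")[2]:
        findings.append(f"Reply-To domain differs from sender: {sender} -> {reply_to}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        for outer_host, inner_host in embedded_redirects(url):
            findings.append(f"link to {outer_host} redirects to {inner_host}")
    return findings


# Constructed sample message; all domains are placeholders, not real sites.
SAMPLE = (
    "From: Campus Mail <student@university.example.edu>\n"
    "Reply-To: helpdesk@mail-support.example.net\n"
    "Subject: 11 messages are waiting for your review\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Your inbox is holding 11 blocked messages. Release them here:\n"
    "https://bnpl.example.com/go?next=https%3A%2F%2Flogin-portal.example.net%2Frelease\n"
)

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

A production filter would also resolve shorteners and apply the same check to HTML `href` attributes, which this example leaves out for brevity.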

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always hover over URLs to ensure the destination is legitimate
  • Always look at the sender address
  • If ever unsure about an email, ask IT

About the author:

Manish Alshi is Head of Channels & Growth Technologies, India & SAARC