
Business Email Compromise Campaign Targeting School Districts


The Scinary security operations team has been seeing a very large increase in organizations affected by one set of phishing emails. The attack often starts with another school district whose email account was compromised, a Business Email Compromise (BEC). Sending from a compromised account lets the attacker abuse the trusted identity of a real person and organization, which adds a great deal of legitimacy to the phish.

Once the attacker logs into one of your users' accounts, they go to the directory at contacts.google.com to pull a list of all organizational members. They then blast an email to every contact, students and teachers alike, containing a Google Form with a job-scam lure: an easy job that pays around $500. The form asks for information such as name, address, and phone number, and the attackers then follow up by text message to ask for bank account information. Students and staff are also having their Google Workspace passwords compromised, especially those who have not configured 2-step verification, and each newly compromised account becomes the source of the next round, which is how the attack perpetuates itself.

You can see an example of one of these phishing forms by clicking here.

As mentioned previously, this attack is effective because it abuses trusted identities. It becomes extremely effective when combined with the absence of any malicious content: the threat actor relies on malicious intent alone, using only language to convince the recipient to unknowingly take an unwanted action, and pairs that with legitimate services such as Google Forms, Microsoft Forms, DocuSign, or other form services. This makes detection exceedingly difficult both for the user and for basic filtering platforms.

However, there are some steps you can take to help mitigate and respond to these types of phishing attacks:

  • Configure message quarantine for the subjects "Job Opportunity for Students" and "Job for Students"
  • Configure internal sending limits
  • Disable the directory listing for students (or staff and students)
  • Enable 2-step verification for staff
  • Delete the message from inboxes using the investigation and quarantine tool (instructions below)
  • We also wanted to mention that we offer some tools (Ironscales and Scinary Connect) that can help prevent the spread from compromised accounts. Please let us know if you are interested, and we can provide you with some additional information.

Note: The following instructions are for Google Workspace. If you are using Microsoft, they won't apply to you, but we can still help; reach out and we can provide customized support.

Configuring Sending Limits

Create a content compliance filter for the student OUs: this limits the To, CC, and BCC fields to 5 recipients and quarantines any message that exceeds that.

  • Go to Admin console → Apps → Google Workspace → Gmail → Compliance
  • Select the Student OU
  • Add a new "Content Compliance" filter, with the following regex:

    ^(To|Cc|Bcc):(.*?,){5,}.*$
  • Action: Quarantine message
  • Save
Image of Sending Limit Configuration

Configuring Survey Spam Filter & Message Quarantine

  • Create content compliance filter:
    • Go to Admin console → Apps → Google Workspace → Gmail → Compliance
    • Select the appropriate OU then add a Content compliance rule
    • Condition: Subject header matches
    • Add subject phrases being used (examples):
      • "job opportunity for students"
      • "job for students"
    • Action: Quarantine message
    • Save
Image of Content Compliance Example
  • Enable quarantine notifications so you will be notified if a message matches
    • Go to Admin console → Apps → Google Workspace → Gmail → Manage quarantine
    • Edit the Default quarantine
    • Enable Quarantine notifications
    • Configure recipient(s)
    • Save
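To see what the two compliance rules above actually catch before rolling them out, here is an added example (not part of the original write-up or of any Google tooling) that applies the recipient-count regex and the subject phrases to constructed sample headers. The domain, addresses and subjects other than the two quoted phrases are made up.

```python
import re

# Recipient-limit regex exactly as given in the write-up. It counts commas in a
# single To/Cc/Bcc header line, so it fires at five or more commas, which is six
# or more addresses in that field, and leaves a five-recipient message alone.
SENDING_LIMIT_RE = re.compile(r"^(To|Cc|Bcc):(.*?,){5,}.*$", re.MULTILINE)

# Subject phrases from the write-up. This example compares them
# case-insensitively; confirm the case handling of the rule you create.
QUARANTINE_SUBJECTS = ("job opportunity for students", "job for students")


def header_block(headers: dict) -> str:
    """Render headers as 'Name: value' lines, one header per line, as the regex expects."""
    return "\n".join(f"{name}: {value}" for name, value in headers.items())


def tripped_rules(headers: dict) -> list:
    """Return the names of the compliance rules this message would trip, in rule order."""
    hits = []
    if SENDING_LIMIT_RE.search(header_block(headers)):
        hits.append("sending-limit")
    subject = headers.get("Subject", "").lower()
    if any(phrase in subject for phrase in QUARANTINE_SUBJECTS):
        hits.append("subject-quarantine")
    return hits


def addresses(n: int) -> str:
    """Constructed comma-separated list of n recipients in an example domain."""
    return ", ".join(f"student{i}@example.org" for i in range(1, n + 1))


# Constructed sample messages (not real mail).
PHISH_BLAST = {
    "From": "compromised.staff@example.org",
    "To": addresses(6),
    "Subject": "Job Opportunity for Students",
}
NORMAL_MAIL = {
    "From": "teacher@example.org",
    "To": addresses(2),
    "Subject": "Homework reminder",
}
FIVE_RECIPIENTS = {**NORMAL_MAIL, "To": addresses(5)}  # only 4 commas: under the limit
BCC_BLAST = {**NORMAL_MAIL, "To": "teacher@example.org", "Bcc": addresses(6)}

if __name__ == "__main__":
    for label, msg in [("phish", PHISH_BLAST), ("normal", NORMAL_MAIL),
                       ("five", FIVE_RECIPIENTS), ("bcc", BCC_BLAST)]:
        print(f"{label}: {tripped_rules(msg) or 'no rule tripped'}")
```

The five-recipient case shows the boundary: the regex quarantines at six addresses in one field, so adjust `{5,}` if you want a different threshold.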

Disable Google Directory for Students (or Staff & Students)

  • Admin console → Directory → Directory settings → Visibility settings
  • Select the applicable OU(s)
  • Set directory visibility to No users
  • Save
Image of Disabling Student Directory for Students Example

Enforce 2-Step Verification for Staff

NOTE: We recommend testing this with a few users first.

  • Admin console → Security → Authentication → 2-step verification
  • Select the Staff OU
  • Set Allow users to turn on 2-step verification to On
  • Set Enforcement to On
  • Save

Users will be prompted to install and configure Google Authenticator at the start of their next session.

Image of Enabling 2-step Authentication for Staff

Delete Phishing Emails Using the Audit & Investigation Tool

(Requires Google Workspace for Education Plus)

  • Admin console → Security → Investigation tool (this will not be visible if you don't have a Plus license)
  • Choose Gmail log events (or Gmail messages, depending on interface)
  • Create a search query that identifies the phishing message
  • Select all matching messages
  • Choose Delete all messages