Dozens of universities are being hit with a coordinated cyber-attack that uses news of the Omicron variant as a lure to steal login credentials.

Evidence of the malicious phishing campaigns was dredged up from the murky depths of the cyber-criminal underworld by researchers at the cybersecurity firm Proofpoint.

The universities targeted are mostly based in North America and include the University of Central Missouri in Warrensburg, Missouri, and Vanderbilt University, a private research university in Nashville, Tennessee. 

Researchers found the phishing emails to be typically themed around testing information and the latest in the line of COVID-19 variants to be discovered. One email subject line used by the attackers was “Attention Required – Information Regarding COVID-19 Omicron Variant – November 29.”

“Proofpoint observed COVID-19 themes impacting education institutions throughout the pandemic, but consistent, targeted credential theft campaigns using such lures targeting universities began in October 2021,” noted researchers.

“Following the announcement of the new Omicron variant in late November, the threat actors began leveraging the new variant in credential theft campaigns.”

Inside the phishing emails are attachments or URLs for pages created to harvest credentials for university accounts. While some campaigns feature generic Office 365 login portals, others include landing pages designed to mimic the official login portal of the targeted university. 

To make their malicious emails harder to detect, threat actors behind the campaigns sometimes direct victims to a legitimate university communication after harvesting the credentials. 

Campaigns that rely on malicious attachments have leveraged legitimate but compromised WordPress websites to host credential-gathering web pages, including hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]php and traveloaid[.]com/css/js/[university]/auth[.]php.

In some campaigns, threat actors spoofed multi-factor authentication (MFA) providers such as Duo to steal MFA credentials.

“Stealing MFA tokens enables the attacker to bypass the second layer of security designed to keep out threat actors who already know a victim’s username and password,” wrote researchers.

Recipients of the malicious emails may not be able to tell they are being targeted by cyber-criminals simply by looking at the sender’s address.

Researchers wrote: “While many messages are sent via spoofed senders, Proofpoint has observed threat actors leveraging legitimate, compromised university accounts to send COVID-19 themed threats.”