Attack Overview

Step 1: Compromised Account Sends University Email

The attacker uses a compromised account to send phishing emails targeting members of an educational institution.

  • Because the sending account is compromised rather than spoofed, the message is sent through that domain's own mail infrastructure and passes SPF, DKIM, and DMARC.
  • Message is disguised as a legitimate university notice referencing the recipient's department by name.
  • Email uses plain text content and appears routine to avoid detection.

Step 2: Simple Link Directs to No-Code Platform

The email contains a basic hyperlink that leads victims to a phishing form hosted on a legitimate platform.

  • Phishing form is hosted on Jodoo[.]com, a legitimate no-code platform often used for internal tools.
  • Form requests usernames and passwords under the guise of university verification.
  • Because the platform itself has a clean reputation, the link inherits it and is unlikely to be flagged by URL reputation checks.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • The sender is a compromised account rather than a spoofed one, so the message passes SPF, DKIM, and DMARC and receives whatever trust those checks confer.
  • The message body is plain text with a single ordinary hyperlink, giving content filters nothing malformed or obviously malicious to score.
  • The phishing form is hosted on Jodoo[.]com, a legitimate no-code platform, so the link inherits the platform's clean reputation and passes URL reputation checks.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Behavioral AI flagging never-before-seen senders and unusual email content patterns as anomalies.
  • Content analysis recognizing urgency and financial implications as indicators of suspicious intent.
  • Natural language processing understanding the email's context and detecting off-pattern behavior despite benign appearance.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
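The following Python script is an added example written for this page; it is not Abnormal Security's detection code, and it stands in for the behavioral, content, and link signals described in the two sections above. It parses a constructed message in which SPF, DKIM, and DMARC all pass (the compromised account's own domain signed it), then scores the things that still give the attack away: a link to a hosted no-code form platform, account-verification urgency language, and a sender the recipient has never exchanged mail with. The sample addresses, the form URL path, the phrase list, the platform set, and the score thresholds are all assumptions.

```python
"""Triage heuristics for the pattern described above: a sender that passes
SPF/DKIM/DMARC, a plain-text body, and one link to a form hosted on a legitimate
no-code platform. Added example, not Abnormal Security's detection logic."""
import email
import re
from email import policy
from urllib.parse import urlparse

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Assumption: legitimate form / no-code hosts worth flagging when they appear in
# mail that asks for credentials. The page names only Jodoo; extend as needed.
HOSTED_FORM_PLATFORMS = {"jodoo.com"}

# Assumption: phrasing typical of an account-verification lure.
VERIFICATION_PHRASES = [
    r"\bverif(?:y|ied|ication)\b",
    r"\bwithin \d+ hours?\b",
    r"\bsuspen(?:d|ded|sion)\b",
    r"\b(?:username|password|credentials)\b",
]

# Constructed sample: the compromised account's own domain signs the mail, so all
# three authentication checks pass. Addresses and the form URL path are hypothetical.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example-university.edu;
 spf=pass smtp.mailfrom=partner-college.edu;
 dkim=pass header.d=partner-college.edu;
 dmarc=pass header.from=partner-college.edu
From: "Registrar Office" <j.doe@partner-college.edu>
To: student@example-university.edu
Subject: Department of Chemistry account verification
Content-Type: text/plain; charset="utf-8"

Dear Department of Chemistry member,

Your university account must be verified within 24 hours or it will be suspended.
Confirm your username and password here: https://app.jodoo.com/f/abc123

Registrar Office
"""

# Constructed: senders this recipient has exchanged mail with before.
KNOWN_SENDERS = {"advisor@example-university.edu", "helpdesk@example-university.edu"}


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(header)):
            results[mech.lower()] = verdict.lower()
    return results


def is_hosted_form_link(url):
    """True if the link's host is (a subdomain of) a listed form platform."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in HOSTED_FORM_PLATFORMS)


def matched_phrases(text):
    """Return the verification-lure patterns present in the subject and body."""
    return [p for p in VERIFICATION_PHRASES if re.search(p, text, re.IGNORECASE)]


def triage(raw_message, known_senders):
    """Score one message; authentication results are recorded but never add trust."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec.lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = f"{msg['Subject']}\n{body}"
    auth = parse_auth_results(msg)
    hosted = [u for u in URL_RE.findall(text) if is_hosted_form_link(u)]
    phrases = matched_phrases(text)
    new_sender = sender not in known_senders

    score, reasons = 0, []
    if hosted:
        score += 3
        reasons.append("credential form hosted on a no-code platform")
    if len(phrases) >= 2:
        score += 2
        reasons.append("account-verification urgency language")
    if new_sender:
        score += 2
        reasons.append("never-before-seen sender for this recipient")
    # SPF/DKIM/DMARC passing is reported for the analyst but deliberately adds
    # no trust: a compromised account is signed by its legitimate domain.
    return {
        "sender": sender,
        "auth_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "hosted_form_links": hosted,
        "phrases": phrases,
        "new_sender": new_sender,
        "score": score,
        "verdict": "suspicious" if score >= 5 else "benign",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, KNOWN_SENDERS).items():
        print(f"{key}: {value}")
```

The design point is that a passing Authentication-Results header is treated as descriptive, not as a reason to lower the score; the hosted-form link and the verification language are what carry the verdict, so the same message from a sender the recipient already knows still scores as suspicious on content alone.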

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type: Credential Phishing

Vector: Link-based

Goal: Credential Theft

Tactic: Compromised Sending Domain, Legitimate Hosting Infrastructure

Theme: Account Verification

Impersonated Party: Internal System
