Posted on February 13,2020
【Action Required】Alert to malicious email spoofing Kyushu University(【要確認】九州大学を装った脅威メールについて)

Around the 11th of February, the following malicious email messages spoofing Kyushu University were sent to most of the members of Kyushu University. The fake sign-in page linked from this email exactly imitated the real Office 365 sign-in page, including images, of the university, and so had a high risk of being deceived.

A screenshot of the malicious email message (HTML version)

If you think you may have accessed the fake page, immediately change your SSO-KID password and contact Kyudai CSIRT (sec-incident@iii.kyushu-u.ac.jp). If your SSO-KID and its password are stolen, many information services, including Office 365, can be abused. It leads to critical risks like personal information leaks.

Detailed descriptions of the malicious email message are as follows:

  • Sender: KYUSHU UNIVERSITY <xxxxx[at]keble.ox.ac[.]uk>
    (Some parts of the email address are obscured to prevent inadvertent access)
    • Note that the domain of the email address is not "kyushu-u.ac.jp".
    • Observed sender domains include keble.ox.ac[.]uk, sant.ox.ac[.]uk, and dell[.]com. Other domains might be used to send similar messages.
  • Subject: “1 Important message” or “You have 1 Important message”
  • The message body contains “Login to View” which is a link leading to the following domains (not belong to Kyushu University).
    • https://ada[.]ydodev[.]com/kyushu-u.ac.jp/kyushu-u.ac.jp/
    • https://o365wapiiikyushu-u-ac-jp[.]azurewebsites[.]net/o365wap/index.php
  • The correct URL of the Kyushu University Office 365 sign-in page is "https://o365wap.iii.kyushu-u.ac.jp/".
  • The linked page contained a logo image and photo of Kyushu University as shown below, but it is a fake page that completely copied the Kyushu University Office 365 sign-in page. The appearance of the page is indistinguishable.

Go Back