Through a recent report by PIXM, a cybersecurity firm specialising in artificial intelligence solutions, public schools in the United States face a significant increase in sophisticated phishing campaigns. Threat actors are employing targeted spear phishing attacks, utilising stealthy patterns to target officials in large school districts, effectively bypassing Multi-Factor Authentication (MFA) protections.

Since December 2023, there has been a surge in MFA-based phishing campaigns targeting teachers, staff, and administrators across the US. The attackers, identified as the Tycoon and Storm-1575 threat groups, employ social engineering techniques and Adversary-in-the-Middle (AiTM) phishing to bypass MFA tokens and session cookies. They create custom login experiences and use services like dadsec and Phishing-as-a-Service (PhaaS) to compromise administrator email accounts and deliver ransomware.

The Tycoon Group's PhaaS, available on Telegram for just $120, boasts features like bypassing Microsoft's two-factor authentication. Meanwhile, Microsoft identifies Storm-1575 as a threat actor engaging in phishing campaigns through the Dadsec platform. The attacks involve phishing emails prompting officials to update passwords, leading them to encounter a Cloudflare Captcha and a spoofed Microsoft password page. If successful, attackers forward passwords to legitimate login pages, requesting two-factor authentication codes and bypassing MFA protections.

The attacks commonly target officials such as the Chief of Human Capital, finance, and payroll administrators. Some attempts involve altering Windows registry keys, potentially infecting machines with malicious scripts. The attackers conceal their tracks using stealth tactics, hiding behind Cloudflare infrastructure and creating new domains.

Despite using CAPTCHAs in phishing attacks providing a sense of legitimacy to end-users, there's potential for malicious trojan activity, including modifying Windows registry keys and injecting malicious files. These attacks can result in malware installation, ransomware, and data exfiltration.

Schools are the most targeted industry by ransomware gangs, with student data being a prominent prey of cybercrime. A concerning trend shows unprecedented data loss, with over 900 schools targeted in MOVEit-linked cyber attacks. Recent data leaks, such as the one involving Raptor Technologies, have exposed sensitive records belonging to students, parents, and staff, raising concerns about student privacy and school safety.

To protect against these phishing attacks, organisations are advised to identify high-priority staff, invest in tailored awareness efforts, caution users against suspicious links, and implement proactive AI-driven protections at the browser and email layers.

To take a sharp look at things, the surge in phishing attacks targeting US schools states the significance of cybersecurity measures and the need for increased awareness within educational institutions to safeguard sensitive information and ensure the privacy and safety of students and staff.