The University of Pennsylvania was the site of a social engineering attack: offenders utilized compromised email addresses to send malicious bulk messages to students, staff, alumni, and other community members and threatened to publicly post sensitive material unless their conditions were fulfilled. The COVID-19 messages, delivered from the Graduate School of Education and senior functionaries’ email addresses, encouraged recipients to send money and warned that “institutional data will start flowing,” signaling an extortion campaign. FERPA and state legislation would require an investigation if the criminals could have obtained student records, donor datasets, recruiting data, or any clinical or research data on patients.
Hundreds of known victims reported receiving multiple copies of the same inflammatory email from various addresses, a strong indicator that the campaign was credential-theft–centered rather than spoofing-based. The university has determined that the communications were falsified and do not represent its views. It has taken containment measures, begun an inquiry, and informed the pertinent authorities. Questions remain as to whether the offenders merely took control of mailboxes to send mass email, or also accessed the systems that hold sensitive records.

Withholding evidence and merely alleging a future leak is a common, underhanded tactic; if the offenders really did exfiltrate files, there is usually more to come. Compromising mailboxes by itself exposes address books, email correspondence, and internal distribution lists that are useful for lateral phishing and social engineering. If the attackers also gained control over enrollment information systems, the donations database, or recruiting records, both the odds and the stakes go up. This breach could trigger obligations under FERPA, state breach-notification legislation, and, if patient-specific clinical or research participant data were involved, HIPAA. Whether systems were seized or ransomware was deployed has not been specified.
How the attack likely worked
Universities can presume that credential theft occurred, given the mass emails, the rapid access to seemingly genuine accounts, and the bulk sending of messages. Typical indicators of such a takeover are mail sent directly from attacker-controlled accounts, mailbox rules manipulated to bury security notifications, and bulk sending to campus lists that pushes the incident toward a larger blast radius. Verizon’s 2024 Data Breach Investigations Report indicates that 68% of breaches involve a human element, with phishing and stolen credentials outweighing commonly exploited vulnerabilities. This is how attackers are breaking into students’ mailboxes.
Why higher education keeps getting targeted
Universities are frequently attacked because they operate too many identities, maintain legacy systems, and support open collaboration. Filtering and responding to incidents such as this one becomes difficult as universities enable public access and academic freedom for thousands of accounts across cloud suites, lab networks, and third-party platforms.

Recent incidents highlight mounting pressure
Recent incidents underscore the pressure: a 2023 cyber incident caused the University of Michigan to shut down its most important systems; the MOVEit supply-chain attack affected Johns Hopkins and the University System of Georgia; and several campuses worldwide were threatened with data drops unless victims paid or negotiated. Security vendors such as Sophos and Emsisoft have frequently reported education as the most targeted sector for ransomware attacks and data theft. Donor and alumni data are also valuable. It is suspected that the attackers’ goals were to disrupt giving and sustain a broader pattern of politically or ideologically oriented attacks that include harassment, character assassination, and financial extortion.
Immediate steps to be taken by UPenn
Containment usually requires a combination of account controls and email hardening, along with investigation and coordination with authorities:
- Force password resets, enforce multi-factor authentication, and revoke suspicious sessions, keys, and OAuth consents.
- Prohibit legacy protocols like IMAP/POP where possible and restrict forwarding to outside domains.
- Filter and throttle mass-sending behavior and anomalous activity.
- Strengthen DMARC, discourage abuse of shared mailboxes, and segregate high-risk distribution lists.
- Assess sign-in pages, audit logs, and potential data exfiltration to determine what was removed.
- Coordinate with law enforcement, CISA, and industry ISACs to detect overlaps with established threat groups.
- Communicate clearly with students, alumni, and employees throughout the response.
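As an added illustration (not the university's tooling or anything from the original article), the following Python triage sketch runs over a constructed, hypothetical audit-event format and flags the two account-takeover behaviours described above: inbox rules that forward mail off campus or delete security notices, and a single account bulk-sending within a short window. The campus domain example.edu, the attacker address, and the thresholds are all assumptions.

```python
# Triage of constructed mailbox audit events for the behaviours named above: inbox
# rules that forward or bury mail, and bulk sending. Event schema is hypothetical.
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_DOMAINS = {"example.edu"}                       # assumed campus domain
HIDE_KEYWORDS = ("security", "password", "suspicious")  # subjects a rule may bury

def rule(user, time, **params):                         # constructed rule event
    return {"time": time, "user": user, "op": "New-InboxRule", "params": params}

EVENTS = [
    rule("dean@example.edu", "2025-10-31T09:00:00", ForwardTo="mail@attacker.example"),
    rule("dean@example.edu", "2025-10-31T09:01:00", DeleteMessage=True,
         SubjectContains="Security Alert"),
    rule("staff@example.edu", "2025-10-31T09:02:00", MoveToFolder="Receipts",
         SubjectContains="invoice"),
]
EVENTS += [{"time": f"2025-10-31T09:05:{i:02d}", "user": "dean@example.edu", "op": "Send"}
           for i in range(60)]                          # 60 sends in one minute
EVENTS += [{"time": f"2025-10-31T1{i}:00:00", "user": "staff@example.edu", "op": "Send"}
           for i in range(3)]                           # normal staff traffic

def suspicious_rules(events):
    """(user, reason) for rules forwarding off campus or deleting security mail."""
    hits = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        p = e["params"]
        fwd = p.get("ForwardTo", "")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS:
            hits.append((e["user"], f"external forward to {fwd}"))
        subj = p.get("SubjectContains", "").lower()
        if p.get("DeleteMessage") and any(k in subj for k in HIDE_KEYWORDS):
            hits.append((e["user"], f"deletes mail matching '{subj}'"))
    return hits

def bulk_senders(events, threshold=50, window=timedelta(minutes=10)):
    """Users with at least `threshold` sends inside any `window`-long span."""
    sends = defaultdict(list)
    for e in events:
        if e["op"] == "Send":
            sends[e["user"]].append(datetime.fromisoformat(e["time"]))
    flagged = []
    for user, ts in sends.items():
        ts.sort()                                       # sliding check over sorted times
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            flagged.append(user)
    return sorted(flagged)
```

In a real deployment the same two checks would be fed from the mail platform's audit log, with the flagged accounts pushed to the password-reset and session-revocation steps listed above.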
What students, alumni, and employees should do
- Treat unexpected university emails with caution—especially about donations, password resets, or account confirmations—and verify via official portals rather than clicking embedded links.
- Enable multi-factor authentication everywhere, use a password manager to avoid reuse, and review recent account activity for unfamiliar logins or forwarding rules.
- Monitor financial accounts and consider credit alerts if advised by the university.
- Report suspicious messages to campus IT security so filters and incident response teams can adapt quickly.
The bigger picture
Even if this attack is limited to mailbox abuse, it illustrates how a few stolen credentials can turn into disruption, reputational damage, and possible data exposure. For universities, the message is simple: maintain robust identity controls, harden email ecosystems, and reach out early and often when adversaries attempt to broadcast their message from your campus inbox.
