On May 26, 2025, at approximately 10:01pm EDT, the following email was sent to members of the Dartmouth Community.
From: (Redacted Dartmouth User) <(Redacted Dartmouth User)@dartmouth.edu>
Sent: Monday, May 26, 2025 8:03 PM
Subject: Immediate Review Required — Contact Trace Advisory
Dear Professor
We are contacting you as part of an internal academic health compliance procedure following a recent case involving a member of the university community. Based on campus access records and academic scheduling overlaps, your name appeared in a Proximity Interaction Log connected to a Routine Contact Advisory issued earlier this week.
This does not indicate confirmed exposure, but it does require a brief verification of your recent academic activity. A secure interface has been prepared for your access:
🔒 Access Contact Advisory Review
[View Secure Faculty Timeline]
Due to privacy and compliance regulations, no further information can be shared outside the secure portal. Your discretion is essential. Please do not forward or disclose this message.
⏳ Time-sensitive: This review must be completed within 14 hours to remain compliant with faculty safety protocol.
This is a system-generated notice. For questions, use the internal support form inside the portal.
Thank you for your prompt attention.
Respectfully,
(Redacted Dartmouth User)
Dartmouth College
The phishing email was sent from an internal email address, which instantly stood out to the Information Security team as an indication that more may be going on. They eventually found the user's credentials as part of a known passwords list on the Internet. As a result, the bad actor used those credentials to conduct MFA Bombing on the victim and eventually succeeded, which resulted in the phishing email being sent from within the Dartmouth account.
MFA Bombing is when a cybercriminal repeatedly sends MFA requests to a victim, hoping they will approve one out of frustration or confusion. From the user perspective, MFA Bombing is called MFA Fatigue: the cybercriminal tries to fatigue the user into pressing accept to get the requests to stop.
The Dartmouth user received multiple DUO prompts, which they eventually accepted.
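The pattern described above (a run of unanswered or denied prompts followed by an approval) can be flagged from authentication logs. The following is an added detection example, not Dartmouth's or Duo's own code; the event layout, the 10-minute window and the threshold of 4 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the (timestamp, user, factor, result) layout is
# an assumption for this example, not a real Duo log format.
SAMPLE_EVENTS = [
    ("2025-01-01T19:40:05", "user_a", "push", "denied"),
    ("2025-01-01T19:41:10", "user_a", "push", "timeout"),
    ("2025-01-01T19:42:30", "user_a", "push", "denied"),
    ("2025-01-01T19:43:02", "user_a", "push", "timeout"),
    ("2025-01-01T19:44:47", "user_a", "push", "denied"),
    ("2025-01-01T19:45:15", "user_a", "push", "approved"),  # gives in
    ("2025-01-01T09:00:00", "user_b", "push", "timeout"),   # missed once
    ("2025-01-01T09:00:40", "user_b", "push", "approved"),  # normal login
    ("2025-01-01T10:00:00", "user_c", "push", "denied"),    # spread out
    ("2025-01-01T10:20:00", "user_c", "push", "denied"),
    ("2025-01-01T10:40:00", "user_c", "push", "denied"),
    ("2025-01-01T11:00:00", "user_c", "push", "denied"),
    ("2025-01-01T11:05:00", "user_c", "push", "approved"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 4                   # assumed number of failed pushes to alert on

def find_fatigue_approvals(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, approval_time, failed_count) for every push approval
    preceded by at least `threshold` denied or timed-out pushes in `window`."""
    failed = defaultdict(deque)  # user -> times of recent failed pushes
    alerts = []
    for ts, user, factor, result in sorted(events):
        if factor != "push":
            continue
        now = datetime.fromisoformat(ts)
        recent = failed[user]
        while recent and now - recent[0] > window:
            recent.popleft()  # drop failures older than the window
        if result in ("denied", "timeout"):
            recent.append(now)
        elif result == "approved":
            if len(recent) >= threshold:
                alerts.append((user, ts, len(recent)))
            recent.clear()  # an approval ends the current sequence
    return alerts

if __name__ == "__main__":
    for user, when, count in find_fatigue_approvals(SAMPLE_EVENTS):
        print(f"{user}: push approved at {when} after {count} failed prompts")
```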
This email contains the following indications of a phishing attack:
- The email creates a sense of urgency that action must be taken immediately (in this case, "Time-sensitive: This review must be completed within 14 hours to remain compliant with faculty safety protocol"), a common tactic for phishing scams.
- The email content appears to be from an unnamed campus authority but is sent from a colleague.
- The email uses urgent language in an attempt to frighten the user into acting immediately ("Based on campus access records and academic scheduling overlaps, your name appeared in a Proximity Interaction Log connected to a Routine Contact Advisory issued earlier this week").
If you receive an email similar to this one, it is recommended that you take the following actions:
- Do not click on any links
- Do not reply to the message
- Mark the message as spam or junk
- Forward the message to phishing@dartmouth.edu
- Block the sender