Increase in Phishing Scams Utilizing Legitimate Services

1/31/2023 Update: There are now additional reported incidents in which Slack is one of the legitimate services being leveraged in phishing attacks.

--------------------------------------------------------

This message was originally sent to U-M IT leadership and the Security Community on 11/13/2023.

Summary

There has been an increase in phishing scams that utilize or imitate legitimate U-M services, such as Duo, DocuSign, and Slack. Please be aware of these ongoing scams and share this information with faculty, staff and students in your unit.

U-M students and employees have reported phishing incidents that leverage legitimate services, such as Duo, DocuSign, and Slack, to lure them into providing a Duo passcode or accessing documents that link to fake login pages.

Problem

Threat actors are increasingly using legitimate services for malicious activities, including obtaining login credentials, Duo passcodes, and other personal information.

Threats

Threat actors may obtain login credentials, Duo passcodes, and other personal information.

Affected Systems

Duo and secure document services such as DocuSign, Google, Office365, Adobe Creative Cloud, or Slack.

Action Items

How to Protect Yourself 

  • If you receive a Duo prompt that only gives you the option to use a passcode, report it.
  • If you receive a Duo push when you are not trying to log in, click “Deny” and report it as fraud in Duo.
  • If you receive a suspicious message, such as an unexpected document through a document service, report it.
  • Before entering your UMICH (Level-1) password on a web page, check the web address/URL. UMICH Single Sign On begins with https://weblogin.umich.edu/.
  • See the phishing alerts below for more details about recognizing these types of scams.

Technical Details

Document and Messaging Services: Threat actors send phishing email from services used at U-M like DocuSign, Google, Office365, Adobe Creative Cloud, and Slack to lure you to a document with a link to a fake login page.

Duo: The Duo service is leveraged in two different ways to trick people into providing login information and/or Duo passcodes.

  • A threat actor uses a fake login page to capture a person’s login information. The fake login page then leads to a fake Duo prompt that specifically asks for a passcode. If the person then enters a Duo passcode (or passcodes), the threat actor can use them, along with the stolen login information, to access accounts fraudulently.
  • An unexpected Duo push is sent to a person when they are not trying to log in. In this situation, a threat actor has used the person’s stolen login information to log in to the person’s account and is attempting to use Duo to complete the multi-factor authentication. If the person clicks “Approve”, the threat actor will be able to access the account. Pushes may occur repeatedly and persistently to get the person to approve, capitalizing on multi-factor authentication fatigue.
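
For security teams, the repeated-push pattern described above can be looked for in authentication logs. The following is an added example, not part of the original alert and not U-M or Duo tooling; the event fields, result names, user names, time window, and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, push result); not Duo's log schema.
SAMPLE_EVENTS = [
    ("2023-11-13T02:14:05", "userA", "timeout"),
    ("2023-11-13T02:14:40", "userA", "denied"),
    ("2023-11-13T02:15:10", "userA", "timeout"),
    ("2023-11-13T02:16:02", "userA", "approved"),   # approval right after a burst
    ("2023-11-13T09:00:00", "userB", "approved"),   # ordinary login
    ("2023-11-13T09:30:00", "userC", "denied"),
    ("2023-11-13T13:30:00", "userC", "denied"),     # hours apart, not a burst
    ("2023-11-13T15:00:00", "userD", "denied"),
    ("2023-11-13T15:01:00", "userD", "fraud"),
    ("2023-11-13T15:02:00", "userD", "denied"),     # burst that was never approved
]

REJECTED = {"denied", "timeout", "fraud"}   # assumed result names

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: severity} for users with >= threshold rejected pushes
    inside `window`; 'high' when an approval follows while the burst is fresh."""
    recent = defaultdict(deque)   # user -> timestamps of recent rejected pushes
    alerts = {}
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:   # forget pushes older than the window
            q.popleft()
        if result in REJECTED:
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(user, "medium")   # keep 'high' if already set
        elif result == "approved":
            if len(q) >= threshold:
                alerts[user] = "high"     # possibly approved under fatigue
            q.clear()                     # a completed login ends the burst
    return alerts

if __name__ == "__main__":
    for user, severity in sorted(find_push_fatigue(SAMPLE_EVENTS).items()):
        print(f"{severity:6} {user}")
```

A "high" result means an approval arrived during a burst of rejected pushes and the session that followed deserves review; "medium" means the password is probably already stolen even though no push was approved.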

Information for Users

If You Get Caught

If you gave personal information in response to a phishing email or on a suspicious webpage, your account may be compromised.

Report Suspicious Email or Request

  • Google at U-M users can forward phishing email to [email protected]; include what Google calls the original message. Michigan Medicine Outlook/Exchange users can use a Report Phishing button. For details, see Report Phishing.
  • Report other suspicious requests or prompts by sending a description of your experience to [email protected].

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.