Phishing Scheme Targets School

Scams

February 29, 2024

On February 22, a compromised email account sent phishing emails to several contacts at a New Jersey educational institution. The emails contained a Google Drive link and a message stating that the school’s principal had requested that all employees view the attached document. Users who followed the link and submitted their credentials had their accounts compromised by the threat actor. The threat actor then enabled an inbox rule on each compromised account to delete any inbound messages and mark them as read, which allowed the threat actor to obfuscate their activity. The compromised accounts were then used to email students, offering them part-time jobs as part of a financial scam.

The threat actor compromised staff accounts in order to send messages to student accounts, which external email accounts cannot reach. Students who clicked on these messages were taken to a Google Docs page containing a fake job application. Once a student submitted their information, the threat actor contacted them by text message to continue the financial scam. School staff first discovered the attack when students reported the messages received from the compromised accounts.
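The inbox rule described above (delete all inbound mail and mark it as read) can be hunted for in mailbox-rule audit events. The following detection sketch is an added example, not part of the original advisory; the event schema, field names, accounts and sample log lines are constructed for illustration and would need mapping to whatever your mail platform's audit log actually emits.

```python
import json

# Constructed sample events in a hypothetical normalized schema (not a real
# vendor log format): one JSON object per mailbox-rule change.
SAMPLE_LOG = """\
{"time": "2024-02-22T09:14:03Z", "account": "teacher1@school.example", "event": "rule_enabled", "rule": {"name": ".", "conditions": {}, "actions": ["delete", "mark_read"]}}
{"time": "2024-02-22T09:20:41Z", "account": "teacher2@school.example", "event": "rule_created", "rule": {"name": "Newsletters", "conditions": {"from": "news@vendor.example"}, "actions": ["move_to_folder"]}}
{"time": "2024-02-22T10:02:17Z", "account": "teacher3@school.example", "event": "rule_created", "rule": {"name": "x", "conditions": {"subject_contains": "job"}, "actions": ["delete", "mark_read"]}}
"""

RULE_EVENTS = {"rule_created", "rule_enabled", "rule_modified"}

def score_rule(rule):
    """Return 'high', 'medium' or None for one rule definition."""
    actions = set(rule.get("actions") or [])
    if "delete" not in actions:
        return None
    # A rule with no (non-empty) conditions applies to every inbound message.
    catch_all = not any((rule.get("conditions") or {}).values())
    hides_unread = "mark_read" in actions
    if catch_all and hides_unread:
        return "high"    # the exact pattern described in this incident
    if catch_all or hides_unread:
        return "medium"  # deletes everything, or silently deletes a subset
    return None

def find_suspicious_rules(log_text):
    """Parse JSON-lines rule events and return findings sorted by time."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") not in RULE_EVENTS:
            continue
        severity = score_rule(ev.get("rule") or {})
        if severity:
            findings.append((ev["time"], ev["account"], severity))
    return sorted(findings)

if __name__ == "__main__":
    for time, account, severity in find_suspicious_rules(SAMPLE_LOG):
        print(f"{time} {account} {severity}")
```

A "high" finding on a staff account is worth correlating with that account's recent sign-ins and outbound mail to student addresses.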