Abnormal Intelligence

Credential Phishing

University Credential Phishing Attack Leverages Compromised Domain and No-Code Platform

A phishing attack uses a compromised account to send university emails linking to credential harvesting forms hosted on the legitimate no-code platform Jodoo.com.

June 6, 2025

Attack Overview

Step 1: Compromised Account Sends University Email

The attacker uses a compromised account to send phishing emails targeting members of an educational institution.

  • Email originates from a domain that passes sender authentication checks (SPF, DKIM, DMARC all pass).
  • Message is disguised as a legitimate university notice referencing the recipient's department by name.
  • Email uses plain text content and appears routine to avoid detection.

The email contains a basic hyperlink that leads victims to a phishing form hosted on a legitimate platform.

  • Phishing form is hosted on Jodoo[.]com, a legitimate no-code platform often used for internal tools.
  • Form requests usernames and passwords under the guise of university verification.
  • Platform choice helps evade link reputation checks due to its legitimate status.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • Email originates from a compromised account with a verified source that passes all authentication checks.
  • Message content relies on plain text and simple hyperlinks that appear benign to content filters.
  • Phishing form is hosted on Jodoo[.]com, a legitimate no-code platform that evades link reputation checks.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Behavioral AI flagging never-before-seen senders and unusual email content patterns as anomalies.
  • Content analysis recognizing urgency and financial implications as indicators of suspicious intent.
  • Natural language processing understanding the email's context and detecting off-pattern behavior despite benign appearance.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Note that the exact detection mechanism in Abnormal Security's system may include proprietary techniques and methodologies not disclosed here.
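The following is an added triage example, not Abnormal's detection logic. It shows why a full SPF/DKIM/DMARC pass cannot clear a message on its own, by combining two signals from this write-up: a first-time sender and a link to a hosted form platform. The watchlist contents beyond jodoo.com, the `known_senders` set, and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed watchlist of hosted no-code/form platforms; only jodoo.com is from the page.
NOCODE_FORM_HOSTS = {"jodoo.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def auth_passes(msg):
    """True when Authentication-Results reports pass for SPF, DKIM and DMARC."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(re.search(rf"\b{m}=pass\b", results) for m in ("spf", "dkim", "dmarc"))

def link_hosts(msg):
    """Hostnames of every http(s) link found in the text/plain parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        hosts.update(urlsplit(u).hostname or "" for u in URL_RE.findall(body))
    return hosts - {""}

def triage(raw, known_senders):
    """Flag mail from a first-time sender that links to a hosted form platform.
    A full SPF/DKIM/DMARC pass is recorded but never clears the message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    form_hosts = sorted(h for h in link_hosts(msg)
                        if any(h == w or h.endswith("." + w) for w in NOCODE_FORM_HOSTS))
    first_time = sender not in known_senders
    return {"sender": sender, "auth_pass": auth_passes(msg), "form_hosts": form_hosts,
            "first_time_sender": first_time, "flag": bool(form_hosts) and first_time}

# Constructed sample message (not taken from the reported campaign).
SAMPLE = """\
From: Registrar Office <notices@compromised-sender.example>
To: staff@university.example
Subject: Department of Biology staff verification
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=compromised-sender.example;
 dkim=pass header.d=compromised-sender.example; dmarc=pass header.from=compromised-sender.example
Content-Type: text/plain; charset=utf-8

All Department of Biology staff must confirm their account details here:
https://www.jodoo.com/constructed-form-path
"""

if __name__ == "__main__":
    print(triage(SAMPLE, known_senders={"dean@university.example"}))
```

The sample is flagged even though `auth_pass` is true. The same message from an address already in `known_senders`, or linking to a host off the watchlist, is not flagged by this rule and would need other signals.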

Classification

Credential Phishing, Link-based, Internal System, Credential Theft
