UofM-Specific Phishing Campaign

While receiving phishing emails in my University inbox is a common occurrence, a recent email caught my eye due to its increased sophistication and University-specific information.

Email Contents

Dear Umich.edu WEBLOGIN Subscriber

To complete your Umich.edu WEBLOGIN account, you must reply to this email
immediately and enter your password here (*********)

Failure to do this will immediately render your email address
deactivated from our database.

You can also confirm your email address by logging into your
Umich.edu WEBLOGIN account at https://weblogin.umich.edu/

Thank you for using Umich.edu!

THE Umich.edu TEAM

At first, this email appears to be a standard phishing template where the email recipient's domain name is simply inserted in the appropriate places (e.g. "Umich.edu"). These types of phishing emails are very common and don't require any special intelligence about the target.

What caught my eye and makes this phishing email special is the URL listed in the email (https://weblogin.umich.edu/). This URL is the central SSO login for all University web services (powered by Cosign and specific to the University of Michigan). This UofM-specific intelligence indicates a greater level of sophistication by the phishers. While this level of sophistication has been seen elsewhere in phishing attacks, this is the first time I've seen it targeting University of Michigan recipients. I'm curious as to whether this level of direct targeting involved manual intervention (e.g. phisher manually sought out UofM-specific knowledge) or perhaps an automated approach (e.g. automated Google search for "$university.edu login" and use the URL of the first result).
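
For mail filtering, the notable property of this message is that its only link is the genuine weblogin host, so a URL allow-list check passes while the credential request arrives by reply. The Python below is an added example, not code from the original post, that runs both checks over the email body quoted above; the sample headers, the trusted-host set and the function name `analyze` are assumptions made for the illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample: body text from the post; the headers are made up for the example.
SAMPLE = """\
From: "Umich.edu TEAM" <sender@example.invalid>
To: user@umich.edu
Subject: Umich.edu WEBLOGIN

Dear Umich.edu WEBLOGIN Subscriber

To complete your Umich.edu WEBLOGIN account, you must reply to this email
immediately and enter your password here (*********)

Failure to do this will immediately render your email address
deactivated from our database.

You can also confirm your email address by logging into your
Umich.edu WEBLOGIN account at https://weblogin.umich.edu/
"""

TRUSTED_HOSTS = {"weblogin.umich.edu"}  # assumption: the site's known-good SSO host
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
REPLY_RE = re.compile(r"\breply\s+to\s+this\s+(e-?mail|message)\b", re.I)
SECRET_RE = re.compile(r"\b(password|passphrase|passcode)\b", re.I)

def analyze(raw):
    """Return the indicators found in one plain-text message."""
    body = message_from_string(raw).get_payload()
    flat = " ".join(body.split())  # undo line wrapping so phrases match across lines
    hosts = {(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(flat)}
    untrusted = sorted(h for h in hosts if h not in TRUSTED_HOSTS)
    # Credential request by reply: a reply instruction within 200 chars of a secret word.
    asks_reply = any(
        REPLY_RE.search(flat[max(0, m.start() - 200): m.end() + 200])
        for m in SECRET_RE.finditer(flat)
    )
    return {
        "hosts": sorted(hosts),
        "untrusted_hosts": untrusted,
        "url_check_passes": not untrusted,
        "asks_password_by_reply": asks_reply,
        "suspicious": bool(untrusted) or asks_reply,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```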

Copyright © 2018 - Jon Oberheide