Security Alert: Dangerous phishing emails targeting UC Santa Cruz


In recent weeks, online attackers have successfully targeted UC Santa Cruz employees and students with a sophisticated email phishing campaign, compromising more than 300 user accounts so far.

Information Technology Services (ITS) is doing everything we can to intercept and prevent these attacks but anticipate that this style of phishing campaign will continue and may even increase given how effective it has been at gaining access to user accounts.

Why this phishing attack is particularly dangerous

  • Realistic login flow: The user sees a real UC Santa Cruz Duo push and approves it, so nothing looks wrong. The attacker then has full access to the user's account, including email, UCPath, and other sensitive information.
  • Duo MFA is satisfied, not bypassed: The user's own approval completes the attacker's login. If "remember my device" is enabled, that trust is granted to the attacker's browser, giving the attacker ongoing access without having to re-authenticate via Duo.
  • Email access enables broader compromise: Attackers use a compromised mailbox to send further phishing messages from what appears to be a trusted campus account.
  • Lost time: ITS may also need to lock or reset your account, which can disrupt your work or academic activities.

What the phishing emails look like

The recent emails often have a subject line that seems official and important, such as “Notice concerning your UCSC” or “Important announcement regarding your UCSC”. The emails include a request to log in and do something in your account. See the screenshot below for an example of what one of these messages looks like. 

Sample email (screenshot): phishing message from July 12

How this phishing attack works

Attackers are using a multi-stage phishing method that tricks users into handing over their UC Santa Cruz credentials and approving a Duo MFA prompt on the attacker's behalf, ultimately allowing unauthorized access to campus systems and personal information.

Here’s a breakdown of the attack flow:

1. Phishing email

  • The user receives an email from a compromised UCSC address.
  • The email includes a link that appears to point to a UCSC resource but actually redirects to a malicious Google Sites page.

2. Redirect page on Google Sites

  • The Google Site is nearly blank
  • It includes only a message and a hyperlink: “If you are not redirected, please click here to continue” 
  • Clicking the link forwards the user to a malicious web page that looks identical to UCSC’s login page

3. Credential harvesting and proxying

  • The user enters their UCSC credentials on the fake page
  • The attacker captures the user’s credentials and proxies the login attempt to the real UCSC Identity Provider (IdP)

4. Duo MFA prompt

  • The UCSC Identity Provider (IdP) prompts a multi-factor authentication push via Duo
  • The user, thinking the login is legitimate, approves the Duo request on their mobile device
  • In some cases, the attacker is able to prompt for additional factors, and users may also approve these

5. Session hijacking

  • Once the Duo push is approved, the attacker's proxied login is fully authenticated
  • The user is shown a blank page, giving the illusion that the session failed or closed, so they move on unaware
  • Meanwhile, the attacker:
    • Uses the valid SSO session to access the user's email or other applications
    • Takes advantage of the Duo "remembered device" trust, which was granted to the attacker's browser, to avoid MFA prompts in future logins

6. Continued exploitation

  • The attacker accesses the user’s email account
  • From there, they launch additional phishing attacks to harvest more UCSC accounts and credentials

How to spot a phishing email

  • Email address: An unusual or unrecognizable sender address is often a signal of phishing, but in this case the address may look familiar because it belongs to a compromised UCSC account
  • Generic subject line: The subject line may be vague and/or urgent. Subjects seen with this attack:
    • Notice concerning your UCSC
    • Important announcement regarding your UCSC
    • Notice on your UCSC
    • Significant information about your UCSC
  • Suspicious link: Displays something that looks like a UCSC link and destination, but actually redirects to a malicious Google Sites location
  • Generic language: No personalization or specific details
  • Urgency and action: Pushes the recipient to act quickly without context

How to protect yourself from phishing

1. Always check links before clicking

  • Hover over any link before clicking to see where it really goes, and compare it with the text shown
  • Legitimate UCSC links use a hostname (the part between https:// and the next slash) ending in .ucsc.edu, such as login.ucsc.edu. A URL that merely contains "ucsc" somewhere, such as login.ucsc.edu.example.com or example.com/ucsc, does not belong to UCSC
  • Be suspicious of links that go through Google Sites, bit.ly, or other URL shorteners
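The indicators in the table above and the link check in step 1 can be applied mechanically. The following is an added example written for this alert, not code from UCSC ITS: it classifies a link by its hostname rather than by whether the URL "contains" ucsc, flags the Google Sites and shortener hops the alert describes, catches anchor text that displays a UCSC address over a different target, and matches the vague "... your UCSC" subject lines quoted above. All hostnames, addresses and messages in it are constructed; the shortener list beyond bit.ly is an assumption.

```python
"""Link and subject-line triage for the phishing indicators in this alert.

Added, illustrative example (not UCSC ITS code). Every host name, sender
address and message below is constructed for the example.
"""
import re
from urllib.parse import urlparse

TRUSTED_SUFFIX = ".ucsc.edu"            # the alert: legitimate links use .ucsc.edu hosts
# Google Sites and bit.ly are named in the alert; the other shorteners are assumed.
REDIRECT_HOSTS = {"sites.google.com", "bit.ly", "tinyurl.com", "t.co"}
# Matches the vague subjects quoted in the alert ("... your UCSC" with nothing after).
VAGUE_SUBJECT = re.compile(r"\byour ucsc\s*$", re.IGNORECASE)


def hostname(url):
    """Return the lower-cased host of a URL, or None if it has none.

    urlparse().hostname strips userinfo, port and case, so the trick
    "https://login.ucsc.edu@evil.example/" resolves to evil.example.
    """
    if "://" not in url:
        url = "https://" + url           # bare "login.ucsc.edu/x" as pasted in mail
    return urlparse(url).hostname


def classify_link(url):
    """Classify a link target by its host, never by what the URL string contains."""
    host = hostname(url)
    if not host:
        return "malformed"
    if host == TRUSTED_SUFFIX[1:] or host.endswith(TRUSTED_SUFFIX):
        return "trusted"                 # ucsc.edu itself or any *.ucsc.edu host
    if host in REDIRECT_HOSTS:
        return "redirector"
    if "ucsc" in host:
        return "lookalike"               # login.ucsc.edu.evil.example, ucsc-login.example
    return "external"


def assess_message(subject, sender, links):
    """Score one message. `links` is a list of (display_text, href) pairs."""
    findings = []
    if VAGUE_SUBJECT.search(subject):
        findings.append("vague_subject")
    for text, href in links:
        kind = classify_link(href)
        if kind in ("redirector", "lookalike", "malformed"):
            findings.append(f"suspicious_link:{kind}:{hostname(href) or href}")
        # Anchor text that reads as a UCSC address but points somewhere else
        if classify_link(text) == "trusted" and kind != "trusted":
            findings.append("display_mismatch")
    # A familiar @ucsc.edu sender is recorded but never clears the message:
    # the alert notes these emails come from compromised campus accounts.
    return {
        "sender_internal": sender.lower().endswith("@ucsc.edu"),
        "findings": findings,
        "verdict": "report" if findings else "no_indicators",
    }


# Constructed sample messages: one modelled on the campaign, one benign
SAMPLES = [
    ("Notice concerning your UCSC", "colleague@ucsc.edu",
     [("https://login.ucsc.edu", "https://sites.google.com/view/ucsc-notice")]),
    ("Fall quarter payroll calendar", "ucpath@ucsc.edu",
     [("ucpath.ucsc.edu/calendar", "https://ucpath.ucsc.edu/calendar")]),
]

if __name__ == "__main__":
    for subject, sender, links in SAMPLES:
        print(subject, "->", assess_message(subject, sender, links))
```

The point of `hostname` is the one users get wrong when hovering: the only part of a URL that decides where the browser goes is the host, and both `login.ucsc.edu.evil.example` and `login.ucsc.edu@evil.example` contain the familiar string while belonging to someone else. The first constructed sample is flagged three ways (vague subject, Google Sites redirector, display text that does not match the target) even though its sender is a campus address.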

2. Think before you tap “Approve” in Duo

  • If you weren't actively logging in when you received a Duo Push, don't approve it
  • An unexpected Duo prompt can mean someone else is trying to access your account
  • Check the location shown in the Duo notification: a login from a city or region you're not in is a red flag. Because the attacker proxies your login from their own system, the location shown is theirs, not yours, so a plausible-looking location alone does not prove the login is legitimate
  • Select "Deny" to reject and report the attempt

3. Don’t enter credentials on suspicious pages

  • Even if a page looks like the UCSC login, check the address bar
  • If the URL is strange, unexpected, or doesn’t belong to UCSC, close the page

4. Report phishing immediately

  • Forward suspicious emails to phishing@ucsc.edu, which alerts both the Information Security team and the ITS Service Desk, ensuring coordinated and timely response
  • If you believe you are a victim of a phishing attempt, contact the ITS Service Desk

Learn more

Refresh your cybersecurity knowledge: Cybersecurity for Employees and Cybersecurity for Students


Last modified: Sep 15, 2025