Gabagool Spear Phishing Incident 

The university recently experienced a targeted spear phishing attack involving a phishing kit known as Gabagool. Cyber threats are increasing in sophistication, and phishing messages are becoming harder and harder to spot.  

We’ve created a short animation to help raise awareness and help you detect malicious emails.

What happened? 

A member of staff received a convincing email that appeared to come from a known academic contact. The email passed all standard security checks (SPF, DKIM, DMARC), and included a link to what looked like a billing report. Clicking the link led to a fake Microsoft login page hosted via Cloudflare’s R2 service — a tactic used to bypass traditional security filters. 

The attacker harvested the user’s credentials and multi-factor authentication (MFA) token in real time. Fortunately, our internal monitoring flagged the suspicious login attempt, and the account was quickly secured. No data was accessed, and the incident was contained. 

What is Gabagool? 

Gabagool is a phishing kit that uses trusted platforms like Cloudflare to host malicious content. It’s designed to steal login credentials and MFA tokens, even from users who have taken basic precautions. This makes it especially dangerous for organisations like ours. 

To help prevent future incidents: 

  • Be cautious of unexpected emails, even from familiar names. If something feels off, verify it through another channel. 
  • Avoid clicking links in emails unless you’re sure they’re legitimate. 
  • Never approve an MFA prompt you didn’t initiate. 
  • Use OneDrive or SharePoint to store files instead of your desktop or local drives. 
  • Don’t store passwords in your browser – use a reputable password manager instead. 

This incident is a powerful reminder that cyberattacks can happen close to home. If you haven’t yet completed your essential cyber security training, now is the time to do so. 

How to access the training: 

  • Or open Teams and select the Metacompliance app from the left-hand side bar. 
    You should not need to log in and can begin the course immediately. 

Cyber Hub 

We’ll continue to publish re-enactment videos to support your understanding of current cyber threats. These, along with blogs and practical advice, are available in the Cyber Hub here: https://stir.sharepoint.com/sites/CyberSecurity 
The Cyber Hub also includes blogs and information to aid you in keeping safe online. 
