Carnegie Mellon University
February 25, 2019

New CMU Phishing E-Mail is Double Trouble

A recent staff-wide phishing e-mail circulating throughout the University contained two different ways malware could infect your system. The message appeared to come from school president Farnam Jahanian and asked recipients to follow a link to complete an Employee Engagement Survey. The e-mail also included a PDF attachment labeled “CMU Secured Document”. Users who clicked the link would have been taken to a webpage with Microsoft Office software icons and a tab to download a PDF reader titled “important doc.pdf”. The author of this phishing e-mail was hoping to lure unsuspecting users into opening the PDF attachment or clicking the link and downloading the PDF file, as both were laced with malware.

What the hacker failed to realize is that the staff at CMU is too smart to fall for this phishing attempt. Dozens of reports were submitted to the ISO incident response team, where the malicious link was quickly blocked and the attachments were eradicated.

At first glance, the e-mail looks like a legitimate Employee Engagement Survey request from the school president, but closer observation reveals red flags that allowed our staff to quickly identify the phishing attempt and report the incident. Let’s look at some of the indicators below.


From: Farnam Jahanian
Sent: Tuesday, February 19
To: All Employees
Subject: CMU Employee Engagement Survey 2019 (February 19)


1. Dear CMU Staffs,

On behalf of CMU and the entire leadership team, you are cordially invited to participate in the 2019 Employee Engagement Survey. 2. We have once again partnered with the consulting firm to administer the survey. It will only take about 5 minutes to complete and will provide valuable information on how well employees are engaged at CMU.

3. Click here to take the survey

[Image: link to the malware page as seen when hovering over the link]

When completing the survey, please express your opinions frankly as the survey is completely confidential, and only aggregated data will be presented. However, please be aware that all written comments will be reported as stated.

4. Please complete your survey no later than February 20, 2019

Your participation in the survey is encouraged and will be greatly appreciated. Thank you in advance.

Sincerely,
Farnam Jahanian
President
Carnegie Mellon University (CMU)

[Image: headshot of Farnam Jahanian]


  1. “Staffs” is not grammatically correct. Phishing e-mails are often created by individuals in other countries where English is not the primary language.
  2. This sentence is ambiguous, as it never identifies “the consulting firm” administering the survey.
  3. Hovering your mouse cursor over the link showed that it was directing you to a non-secure helpnowas.org website. This is not a survey hosting site.
  4. This e-mail was sent to staff members on February 19, 2019, meaning that there was an urgency to complete the survey within 24 hours.
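
Indicators 3 and 4 can also be checked mechanically when triaging a reported message. The Python sketch below is an added example, not ISO tooling: it extracts the real link targets from an HTML body and compares any "no later than" date with the send date. The trusted-domain list, the one-day threshold, and the sample markup are assumptions made for illustration.

```python
import re
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("cmu.edu",)  # assumption: where a genuine survey link would live
MAX_RUSH_DAYS = 1                # assumption: a deadline this close to sending is suspicious

class BodyParser(HTMLParser):
    """Collects every <a href> target and the visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)
    def handle_data(self, data):
        self.text.append(data)

def link_flags(href):
    """Indicator 3: judge the link by its real destination, not its label."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append(f"non-secure link: {host}")
    if not any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        flags.append(f"off-campus host: {host}")
    return flags

def deadline_flags(sent, text):
    """Indicator 4: a completion date within MAX_RUSH_DAYS of the send date."""
    flags = []
    for m in re.finditer(r"no later than ([A-Z][a-z]+ \d{1,2}, \d{4})", text):
        due = datetime.strptime(m.group(1), "%B %d, %Y").date()
        if (due - sent.date()).days <= MAX_RUSH_DAYS:
            flags.append(f"rushed deadline: {due.isoformat()}")
    return flags

def analyze(sent, html_body):
    """Return every flag raised by the links and deadlines in one message."""
    parser = BodyParser()
    parser.feed(html_body)
    flags = [f for href in parser.hrefs for f in link_flags(href)]
    return flags + deadline_flags(sent, " ".join(parser.text))

# Constructed sample modeled on the message above; the original markup and
# the URL path are not given on this page, so only the host is used.
SAMPLE_SENT = datetime(2019, 2, 19)
SAMPLE_BODY = ('<p><a href="http://helpnowas.org/">Click here to take the survey</a></p>'
               '<p>Please complete your survey no later than February 20, 2019</p>')
```

Calling `analyze(SAMPLE_SENT, SAMPLE_BODY)` returns three flags: the non-secure link, the off-campus host, and the rushed deadline.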