Carnegie Mellon University

Phishing Scam Warning

January 11, 2021

Spear Phishing Attack Targets CMU

On Saturday, January 9th the Carnegie Mellon University community was the target of a highly sophisticated spear phishing attack. The message appeared to be sent from with the subject message “ID 449189 – Account Irregular Activity Detected – “.

Spear phishing is a personalized phishing attack targeting a group of people. Attackers may disguise themselves as real organizations and include recognizable content within the message in order to make the phishing attack appear more legitimate.

This particular spear phishing attack contained a spoofed email address which portrayed the message as being sent from a legitimate university department. The message also utilized phishing tactics such as conveying a sense of urgency through threatening and pressing language, as well as included a call-to-action by directing recipients to “verify account information” including AndrewID passwords.

If users were to analyze the email headers, they would have noticed that the ‘reply-to’ for the email was being sent to a non-university email address. Luckily, the majority of CMU members who received the phish were able to identify the message as a phishing attempt and reported it to or through the report phish button - PhishAlarm.

Continue reading below to view the phishing message and email headers

Spear Phishing Campaign 

Subject: ID 449189 - Account Irregular Activity Detected

ITS Support Center - Carnegie Mellon University

This is an automated official communication from @CMU_IT Support Center in reference to the request below.

Our system has detected an irregular activity related to your @CMU ID credentials. As a precautionary measure, we will temporary block your account and we should be moving it to our protective backup server and we need your help to do this effectively otherwise you may lose your login information and data at the end of the Duo Account Migration & Quarantine clean-up process.

To continue gaining secure access to your CMU ID credentials, kindly verify the below requested information to enable us migrate your CMU ID credentials to a DUO 2-factor authentication Symantec Endpoint Protection Communication software and register it to a new SPAM filtering service which will improve your Firewall Email Security Overview and the ability to identify and block Spam/Phishing attempts automatically and other undesirable messages that flood our email system on a daily basis.

Click on the "reply" button and verify your CMU ID credentials;

Fill in your credentials as follow:

*Email ID:

NOTE: We will Permanently deactivate and delete your CMU ID credentials if you do not adhere to this notice immediately as part of our Inactive CMU ID credentials clean-up process to enable service upgrade efficiency.

 You can send additional information to this ticket by including "(ID449189)" in the subject line of any email sent to us or replying to this message. Not including this information in the subject will instead create a new ticket.

Thank You,

ITS Support
Office of Information Technology
Carnegie Mellon University


Email Headers

Subject: ID 449189 - Account Irregular Activity Detected --
Date: Sat, 9 Jan 2021 21:42:46 +0000
From: ITS Support <>

To learn more about real-world phishing attacks at Carnegie Mellon University visit the ISO's Phish Bowl.