CCIT News and Notices

SharePoint File Share Fake

Clemson University users are experiencing an increase in a SharePoint-related cyberattack that uses emails like the one pictured below. In this scheme, cybercriminals have likely already compromised a legitimate user and are using the account’s SharePoint site to send a document share email to other users. Sharing files through this method can sometimes circumvent security tools that might otherwise detect these malicious files.

The shared file could be a Word document, a PDF or a similar type of file. The file can contain malware that would infect your computer if you opened it, or it may ask you to log in with your Clemson credentials before you can see the file. This would allow the attackers to steal your login and password information.

To avoid this scam, you should do the following:

  • Always use extra caution before opening any file sent to you, especially if you do not know the sender or if you are not expecting a file.

  • Avoid opening an email attachment file if you see the External Sender banner on any email. Those emails are coming from someone outside of Clemson.

  • Before logging in with your Clemson credentials, you should first verify that the URL has “clemson.edu” as the domain address.

  • If you do receive an email that you are unsure about, please use the Report Phishing button in Outlook, and the CCIT Security Team will be happy to investigate it for you to determine if it is legitimate and safe to open.

Screen shot of email from SharePoint asking to share a file with user. Email has the External Sender banner on it.

Passwords expiring for many Clemson accounts on July 31 to enhance security

New passwords must be at least 20 characters long, contain no username or blocked words, and can't be detected in a data breach.

To enhance digital security, Clemson Computing and Information Technology (CCIT) is enforcing password expiration for approximately 30,000 Clemson University accounts to help protect data and personal information. While this change will not impact all Clemson users, those who are impacted will receive instructions for the expiration and creation of a new password for their Clemson account. This effort is to strengthen security for accounts that were identified with vulnerable passwords. In the age of artificial intelligence and high performance computing, strong passwords are some of our best defenses against threats or bad actors. 

What to expect

  • CCIT engineers will prompt password expiration for specific accounts on the morning of July 31, 2025. 
  • The identified users will be emailed more detailed information about what to expect. 
  • Users are required to create passwords that meet the new security requirements. 

If you need assistance during the password change process, please contact the CCIT Support Center. Those who are not identified in this round of expiration are also welcome to strengthen their passwords to the more secure passphrase format at any time. 

Report Phishing button change in Microsoft Outlook

Screenshot of the Report button in Outlook

Clemson University faculty, staff and students using Microsoft Outlook for email can now use the generic Report button to report phishing or junk emails. Reporting an email through this method will still send your email to the Clemson Security Operations Center (CSOC) for review and investigation. The Security Shield Report button has been removed from Outlook to help streamline this process.

But if you need to provide additional information beyond just reporting an email, use the Report Phishing Service through the TigerHub system.

Please contact the CCIT Support Center if you have any questions.


Malware in AI Tools

Cybercriminals are leveraging the high interest in artificial intelligence (AI) tools as part of new targeted campaigns. These often appear as “free” AI tools or in false advertisements that link to sites impersonating an official AI site.

If downloaded, the fake AI tool will include a ransomware executable, which will encrypt files and demand payment to unlock the user’s content.

Here are some tips to help avoid falling for this scam:

  • Only download from official websites. Always examine the URL carefully.
  • Be suspicious of “free” tools or offers that seem too good to be true.
  • Research a company or product first before downloading anything.
  • Scan files with security tools before opening them.

If you need assistance with downloading AI tools, please contact your Clemson University IT Consultant.


Copy to Fix Scam

Proofpoint has recently discovered a new attack vector that cybercriminals are using to compromise users’ computers. In this scheme, users are prompted with a notification pop-up on a webpage, in a Word document or when opening a PDF file, saying that there is a problem. The notification will include a button saying something like “How to Fix” or “Auto-Fix”.

The fake instructions for how to “fix” the problem will typically ask the user to copy and paste some code into Windows PowerShell or the Run dialog box. Because this code is only being copied and pasted, most antivirus software will not have an opportunity to inspect and catch the malicious code. Once this code is run by the victim on their computer, it triggers the download of additional malware and other nefarious activities.

Clemson University users should exercise caution if presented with this error, and it is recommended to reach out to the area’s IT Consultant for assistance.

For additional details, please see the full article on the Proofpoint website.

A screenshot of a malicious pop-up that tells the user there is something wrong with displaying a page and a button to 'Copy fix' the issue.

AirPlay Vulnerability

A new vulnerability in Apple’s AirPlay has been uncovered by Oligo Security Research that could potentially allow bad actors to compromise devices such as your Mac laptop, AirPlay speakers and receivers, or even the CarPlay system in your automobile.

Because of this vulnerability, users could experience a denial of service, loss of sensitive information, or possibly distractions while driving in the form of unwanted sounds or images being displayed on your automobile console.

The Apple Logo with a bug icon representing a computer virus next to an iPhone with the AirPlay icon displayed.

To help protect yourself against this vulnerability:

  • Update any device that supports AirPlay to the latest version of the software available.
  • Verify on your AirPlay device that the setting “Allow AirPlay for” is set to just “Current User.”
  • Disable the AirPlay receiver on any device where it is not needed.

For additional information, please see the full article at:
https://www.oligo.security/blog/airborne

QR Code Scam

Clemson users are seeing an influx of QR Scam emails. In these emails, like the one below targeting employees referencing a Compensation Guide, the recipient is given a QR code to scan with their phone.

But if a user follows the link from the QR code, they are presented with a fake login page which will steal the user’s login and password account information. By moving you to your phone, the cybercriminals are hoping that you will be less protected and have limited information.

Some of these fake QR code emails claim to be from Microsoft, while others are targeting students with fake job opportunities.

An email with the Subject Line 'Reminder: 2025 Employee Compensation Plan is awaiting your signature' and containing a QR code stating that the user should complete a task.

You should always check the sender’s email address before following any link or QR code. Any official email from Clemson will have a clemson.edu address.

If you receive a suspicious email with a QR Code, use the Report Phishing button in Outlook to have the Clemson Security Operations Center review and investigate the email for you.

Financial Support Phish

Clemson users should be aware of another targeted phishing campaign. This one claims to be a University Supported Program and offers to help staff and students with financial support.

Below is an example of one of these types of emails.

Users are prompted to follow a link within the email, which takes them to a login page that asks them to enter their email address, username and password. The scammers are hoping that you will enter your Clemson account information.

But this is actually a scam designed to steal users’ credentials. If you receive an email similar to this, you should report it using the Report Phishing button in Outlook or by forwarding it to phishing@clemson.edu.

Package Delivery Scam

A man holding an image of a QR code labeled 'Return Label' inside of a box with the caption 'SCAM'.

Since ordering and receiving packages has become commonplace for most people, cybercriminals are trying to take advantage of this practice. One of the ways they do this is by sending you a package with an item from a common online retailer, like Amazon, that you never ordered.

This is also known as a Brushing Scam. But the new twist on this scam is that inside your package you will find a QR Code with instructions on how to return the item or to find out more details about the order. Because this item was something that you didn’t actually order, they are hoping that you will scan the QR code that is included in the package.

These QR codes typically take you to a phony website that may load malware on your phone, which could compromise your device, or even steal your information.

For any package return or to get more information about an order, a safer solution would be to go to the vendor’s website yourself by typing in the actual address, rather than trusting a QR coded link. Once you are on the actual vendor’s website, you can check for details on the order or how to legitimately return an item if needed.

But if this was not an item you ordered yourself, then you are not obligated to return it, and you can simply keep it or throw it away.

Here are some tips to help avoid falling for this scam:

  • Preview the URL for any QR Code before doing anything
    When you scan a QR code with your phone’s camera, it will display the website URL from the QR code. You should look carefully at the URL to see if it matches the official website. And beware of any tricky or misleading letter substitutions in the URL, which may make it similar to the real website address.
  • Never download a QR Code Scanning App
    You should only use your phone’s camera to scan a QR code. If you are prompted to download any other tool to view the QR Code, this could be another way that scammers can infect your phone with malware.
  • If you follow the URL from the QR Code, look for any suspicious signs on the website
    Verify that the URL is an HTTPS address and not just an HTTP address. Look for things like low-resolution graphics, misspellings, grammar errors, or anything that looks out of place. Also, be extra cautious if the website asks for any personal information, account login and password data, or credit card information.
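
The URL checks described in these tips and in the SharePoint notice (HTTPS, the real domain such as “clemson.edu”, and misleading letter substitutions) can be written as a small Python function. This is an added example, not part of the original notices or any CCIT tool; the substitution map, function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed map of common look-alike substitutions (illustrative, not exhaustive).
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s"}


def _fold(text):
    """Collapse look-alike characters so 'c1emson' compares equal to 'clemson'."""
    folded = "".join(LOOKALIKES.get(ch, ch) for ch in text)
    return folded.replace("rn", "m")  # 'rn' reads as 'm' in many fonts


def check_login_url(url, trusted="clemson.edu"):
    """Return a list of reasons not to trust `url`; an empty list means it passed."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["URL could not be parsed"]
    if not host:
        return ["URL has no host name"]
    problems = []
    if parts.scheme != "https":
        problems.append("not HTTPS")
    if parts.username is not None:
        # In https://clemson.edu@host/ the part before '@' is a user name.
        problems.append("text before '@' is not the site")
    labels = host.split(".")
    if not host.isascii() or any(lb.startswith("xn--") for lb in labels):
        problems.append("non-ASCII or punycode host name")
    # Exact domain or a true subdomain only; 'clemson.edu.x.example' fails.
    if host == trusted or host.endswith("." + trusted):
        return problems
    # The site is identified by the right-most labels, so compare only those.
    tail = ".".join(labels[-len(trusted.split(".")):])
    if _fold(tail) == _fold(trusted):
        problems.append(f"look-alike of {trusted}: {tail}")
    else:
        problems.append(f"domain is {tail}, not {trusted}")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    for sample in ("https://login.clemson.edu/idp",
                   "https://clemson.edu.account-check.example/login",
                   "https://c1emson.edu/login"):
        print(sample, "->", check_login_url(sample) or "ok")
```

An empty result only means the address itself passed these checks; it says nothing about the content of the page behind it.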

Fake Browser Update

Users should beware of a current “Update your Browser” type scam. In this scam, cybercriminals will display a full-screen web page or pop-up window with a fake notification saying that your browser is out of date and needs to be updated. The phony page will also include a button to download the supposedly needed update.

If a user clicks on that link, they will actually install malware on their device that the cybercriminals can use to steal data or take control of that device.

Two pop ups indicating that the user needs to update their web browser that look legitimate, but are fake.

When a legitimate web browser update is needed, this is typically done automatically when the browser is started. It is also important to remember to completely close and shut down your browser after each session, as well as reboot your computer on a regular basis. You can also verify if any browser updates are needed by checking the settings section in your browser.

Clemson users can contact the CCIT Support Center for additional help.