Spear Phishing & Fake Login Pages

Learn how to recognize spear phishing attacks targeting NCU faculty and staff — including targeted emails that mimic internal NCU communications, fake Microsoft login pages designed to steal your credentials, and how attackers use AI to make these messages nearly indistinguishable from the real thing.

How these attacks work

Spear phishing is targeted phishing. Unlike mass phishing campaigns that blast generic messages to thousands of people, spear phishing attacks are researched and customized for a specific person or department. The attacker knows your name, your role, and enough about NCU's internal systems to make their message look like it belongs in your inbox.

The goal is almost always your Microsoft credentials. Once an attacker has your username, password, and MFA code, they have access to your email, OneDrive, Teams, and any connected systems. A compromised faculty or staff account is then used to attack others — launching new phishing campaigns from a trusted internal address.

The attack typically follows a two-step pattern: a convincing email creates urgency around a payroll issue, HR update, or IT security alert, then directs you to a fake login page that looks identical to Microsoft's sign-in screen. Everything you type on that page goes directly to the attacker.

AI has made spear phishing faster, cheaper, and far more convincing

Spear phishing used to require significant manual effort — researching a target, crafting a believable message, building a fake site. AI has reduced that effort to near zero while making every component more effective:

  • AI writes email in NCU's voice. By feeding AI tools samples of real NCU communications — from public sources, prior breaches, or scraped web content — attackers generate emails that match the tone, formatting, and language patterns of legitimate internal messages. The result doesn't just look plausible; it reads like something IT or HR would actually send.
  • AI clones login pages in minutes. Fake Microsoft login pages used to require technical skill to build. AI-assisted site-cloning tools now replicate a real login page — logo, layout, fonts, error messages — in minutes. The fake page is often indistinguishable from the real one except for the URL in the address bar.
  • AI personalizes at scale. Attackers no longer have to choose between volume and precision. AI can generate hundreds of individually tailored messages — each using the recipient's actual name, department, and role — simultaneously. Everyone gets a message that feels written specifically for them.
  • AI-assisted attacks adapt to responses. If you reply with a question or express doubt, an AI-assisted attacker can generate a convincing follow-up in seconds — maintaining the persona, addressing your concern, and keeping you engaged long enough to act.
  • MFA is no longer the safety net it was. Modern credential-harvesting pages capture your MFA code in real time and replay it to the real Microsoft login before it expires — a technique called adversary-in-the-middle (AiTM). Entering your MFA code on a fake page gives the attacker full access even with MFA enabled.

The defense isn't trying to identify a perfect-looking fake — it's refusing to reach login pages through email links, full stop. Type the URL yourself, every time.

Red flags to watch for

Red flags in the email

  • Unexpected alert about payroll, benefits, password expiration, or a security issue
  • Sender address doesn't exactly match @northcentral.edu — look for subtle changes like northcentra1.edu or extra words
  • Link URL doesn't match the NCU domain when you hover over it
  • Pressure to act before a deadline — "your access will be suspended"
  • Arrived unexpectedly with no prior context or communication

Red flags on the login page

  • The browser address bar shows anything other than login.microsoftonline.com or northcentral.edu
  • The page asks for your password and MFA code in a single flow — legitimate Microsoft login separates these steps
  • No padlock / HTTPS in the browser bar
  • You got to the page by clicking a link in an email, not by navigating there yourself
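
The sender-domain and address-bar checks in the two lists above can also be automated, for example in a mail filter or a link-scanning script. The Python below is an added example, not NCU's own tooling: it takes a bare sender address or a full URL and trusts only the two hosts this page names. The homoglyph map, the edit-distance threshold of 2, and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Hosts this page says may appear in the address bar at sign-in.
TRUSTED = ("login.microsoftonline.com", "northcentral.edu")
# Constructed for this example: digits often swapped in for letters.
HOMOGLYPHS = str.maketrans("1035", "loes")


def host_of(value):
    """Host of a URL, or the domain part of a sender address ('' if unusable)."""
    value = value.strip().lower()
    if "\\" in value:  # browsers read '\' as '/', urlsplit does not: refuse it
        return ""
    if "://" in value:
        try:
            return (urlsplit(value).hostname or "").rstrip(".")
        except ValueError:
            return ""
    return value.rsplit("@", 1)[-1].rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value):
    """Return 'trusted', 'lookalike', 'untrusted' or 'invalid'."""
    host = host_of(value)
    if not host:
        return "invalid"
    # Exact host or a true subdomain only; substring matching is the classic bug.
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    skeleton = host.translate(HOMOGLYPHS)
    for t in TRUSTED:
        brand = max(t.split("."), key=len)  # e.g. 'northcentral'
        tail = ".".join(skeleton.split(".")[-(t.count(".") + 1):])
        if brand in skeleton or edit_distance(tail, t) <= 2:
            return "lookalike"
    return "untrusted"
```

Only a "trusted" result means the host matches; "lookalike" is a heuristic label for triage, and "untrusted" and "invalid" equally mean no credentials should be entered.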

What these messages look like

These are representative examples based on attacks reported at NCU and peer institutions.

Payroll redirect attack

"Action required: NCU Payroll has updated its direct deposit portal. All employees must verify their banking information by Friday or payment may be delayed. Click here to log in and confirm your account details."

Why it works: Payroll anxiety is universal. The Friday deadline creates urgency. The link goes to a fake Microsoft login — credentials are captured before the page shows an error.

IT security alert attack

"We detected an unusual sign-in attempt on your NCU account from an unrecognized device. If this wasn't you, click below to secure your account immediately. Your account will be locked in 24 hours if no action is taken."

Why it works: Fear of being hacked makes people act fast. The irony is that clicking the link is itself the attack. The fake security alert is the threat.

Completing the fake login doesn't always trigger an obvious error

Some credential-harvesting pages pass your login through to the real Microsoft site after capturing it — so you end up legitimately signed in and have no reason to suspect anything happened. By the time you notice unusual account activity, the attacker may have been in your account for days.

NCU hard rules

These are absolute — no exceptions.

If any of these apply, do not proceed

  • Never click links in unexpected emails to reach a login page. Always navigate to NCU systems directly by typing the URL — portal.office.com, my.northcentral.edu, etc.
  • IT will never email you asking you to verify your password or re-enter your credentials. If you receive this, it is a phishing attempt.
  • Check the address bar before entering any credentials. If it doesn't show login.microsoftonline.com or a verified northcentral.edu domain, close the tab immediately.
  • Approving an unexpected MFA prompt is the same as giving an attacker your password. If you receive a push notification or code request you didn't initiate, deny it and contact IT immediately.
  • HR and Payroll communicate changes through official channels with advance notice — not urgent same-day emails demanding immediate login.

What to do

I received a suspicious email

  1. Do not click any links or open attachments.
  2. If it references a real NCU system (payroll, IT, HR), navigate to that system directly — not through the email.
  3. Forward to IT: incident@northcentral.edu

Full reporting steps: Reporting a Phishing Scam or Suspicious Email

I entered my credentials on a suspicious page

Act immediately — your account may already be compromised:

  1. Change your NCU password immediately
  2. Call IT: 612.343.4170
  3. Email: incident@northcentral.edu

Full recovery steps: Help! I Have Been Phished!