[PHISH] An Exclusive Invitation Just For You

We have received reports of an attack this morning that unfortunately succeeded in compromising at least one TCNJ account, which the attacker then used to send more emails and lend them an appearance of legitimacy. The attack is an unsolicited invitation email; clicking the link it contains leads to a site that prompts for user details such as name and email address. Once these are entered, a download link appears. The appropriate installer is downloaded based on your detected operating system and, upon execution, installs remote management tools and modifies the device's firewall settings and auto runs to establish persistence. If the link was followed from a mobile device, a fake login page appears instead in an attempt to harvest credentials. The site also displays fake pop-ups to make it appear that other people are accepting the invitation and downloading the file. If you interacted with this site and downloaded anything, your machine needs to be cleaned and likely re-imaged.

In this instance, the sender email address did appear to be from TCNJ in some cases, but hovering over the link in the email shows the external URL destination, and the .life extension of the site should indicate to many that this site is not likely legitimate. Also, calendar invitations should not require an installation to be accepted. Please remember to be vigilant when reviewing all emails, and do not click on links in unsolicited emails. If you are unsure, please forward the email to us at phish@tcnj.edu. Thank you.
