An increased number of phishing emails are currently being sent to members of the University of Münster.
These emails pretend to be from the "IT Servicedesk" or "IT Support" with varying sender addresses, including some that appear to be legitimate University of Münster email addresses. So far, the following subjects have been observed:
An increased number of phishing emails are currently being sent to members of the University of Münster.
The emails have German subjects like "uni-muenster Ticket#1620215544 Postfachspeicher voll Wednesday, October 1, 2025" and pretend to be sent from the mail system of the University of Muenster. They have been sent from external addresses though. The emails claim that the mailbox storage is full. However, these are just false pretenses to lure recipients into visiting an external website controlled by the attackers, which steals entered login credentials.
An increased number of phishing emails are currently being sent to members of the University of Münster.
The emails have the German subject "Grüße an Studierende und Mitarbeiter!" and pretend to be sent from the "IT-Helpdesk" of the University of Muenster. They have been sent from external addresses though. The emails claim that a migration of the Outlook mailbox is necessary. However, these are just false pretenses to lure recipients into visiting an external website controlled by the attackers, which steals entered login credentials.
An increased number of phishing emails are currently being sent to members of the University of Münster.
The emails have subjects like "Re: IKT-Dienst-Update" and pretend to be sent from the "IT-Helpdesk" of the University of Muenster. The emails claim that a review of the Outlook mailbox is necessary. However, these are just false pretenses to lure recipients into visiting an external website controlled by the attackers, which steals entered login credentials.
An increased number of scam emails are currently being sent to many members of the University of Münster.
In the emails, the attackers pose as managers or supervisors and ask for assistance with an "important task." The sender's name uses the name of the supervising person, but the emails originate from an external, mostly russian address. Currently, the subject "Are you on campus now?" is used. Names and email addresses of employees and supervisors are taken from the public websites of the University of Münster. If one responds to these contact attempts, the purchase of gift or prepaid cards is requested, followed by sending the codes via email.
An increased number of phishing emails are currently being sent to many members of the University of Münster.
The emails have subjects like "Outlook Admin Team!", "AW: IKT-Servicedesk" or "(own email address)
An increased number of scam emails are currently being sent to many members of the University of Münster.
In the emails, the attackers pose as managers or supervisors and ask for assistance with an "important task." The sender's name uses the name of the supervising person, but the emails originate from an external, mostly russian address. Currently, the subject "Are you on campus now?" is used. Names and email addresses of employees and supervisors are taken from the public websites of the University of Münster. If one responds to these contact attempts, the purchase of gift or prepaid cards is requested, followed by sending the codes via email.
An increased number of phishing emails are currently being sent to many members of the University of Münster.
The emails have have the German subject "IT-Helpdesk!!" or "IT-Servicedesk-Support" and have been sent from an external address. The emails claim that an update or migration of the Outlook mailbox is necessary. However, these are just false pretenses to lure recipients into visiting an external website controlled by the attackers, which steals entered login credentials.
An increased number of scam emails are currently being sent to many members of the University of Münster.
In the emails, the attackers pose as managers or supervisors and ask for assistance with an "important task." The sender's name uses the name of the supervising person, but the emails originate from an external address (often a generic Gmail address). Currently, the names of the recipients are used as the subject.
An increased number of phishing emails are currently being sent to many members of the University of Münster.
The emails have the subject 'Sicherheitsbenachrichtigung:' followed by your username and claim that a notification regarding task evaluation needs to be viewed. The sender is spoofed as 'it-uni-muenster.de'. This is just a ruse to lure recipients into visiting the malicious website. The included link directs users to an external webpage that convincingly mimics the University of Münster's login page. Any entered login credentials are then forwarded to the attackers.
Click here for the full note
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The emails have the subject “1 neue Termin-Nachricht” or “Action Required” and pretend to be an invitation to an appointment. They contain a link to an external website on which the University of Münster's login page has been replicated. The emails come from external senders, some of them from other universities.
Click here for the full note
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The emails have the subject "E-Mail-Zustellung fehlgeschlagen - (1)" and claim that emails were returned to the sender due to a synchronization error and that these messages now need to be retrieved manually. This is just a false pretext to trick recipients into revealing their login details on an external website that mimics a generic webmail interface. The emails were sent from an external address
Click here for the full note
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The emails have the subject line "Wichtige Personalanpassung" and claim that there have been staff adjustments that need to be verified. This is just a false pretext to trick recipients into revealing their login details on an external website that mimics the Outlook interface. The emails were sent from an external address but pretend to be from an internal sender.
Click here for the full note
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The emails have the subject "Wichtiger Hinweis: Migration auf Outlook Webmail 2024" and claim that a migration to a new version of "Outlook Webmail" requires a registration. This is merely a false pretext to entice recipients to disclose their credentials on an external website. The emails were sent from an external sender address named "Nurefşan Fedakar".
Click here for the full note
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The emails have the subject "Benachrichtigung aus Microsoft Outlook" and claim that a "termination" of the email mailbox is imminent and a "verification" is necessary to prevent this. This is merely a false pretext to entice recipients to disclose their credentials on an external website. The emails were sent from an external sender address named "Iwona Chmura-Rutkowska".
Click here for the full note
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The emails have the subject "Re: Bestätigung oder Stornierung" and claim that the storage space for one's own mailbox has been surpassed and actions are necessary. This is just a false pretext to entice recipients to reveal their access data on an external website. The emails were sent from multiple different sender addresses from the University of Bonn. Legitimate notifications about full storage space via email do not exist.
Click here for the full note
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The emails have the subject "E-Mail-Speicherlimit überschritten" and claim that the storage space for one's own mailbox has been surpassed and actions are necessary. This is just a false pretext to entice recipients to reveal their access data on an external website. The emails were sent from various sender addresses, including from internal email addresses. Legitimate notifications about full storage space via email do not exist.
Click here for the full note
A number of apps and programs are not permitted to retrieve emails from the University Münster mailboxes (both via Exchange and IMAP or POP).
The list currently includes the following applications:
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The e-mails have the German subject "Re: Lohn- und Gehaltsabrechnung für Mitarbeiter" or "RE: ICT Support." and claim that an update or confirmation is necessary for the email service. The emails have been sent out from external email addresses under different names without any relation to the University of Muenster. The link leads to an external website that is under the control of the attackers and forwards the login data to the originator. It mimics the appearance of the Outlook Web app.
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The e-mails have the subject "Dringend: Aktualisierung Ihrer E-Mail-Informationen erforderlich", "Eilige Maßnahme erforderlich: Aktualisieren Sie Ihre E-Mail-Informationen" or "AW: Achtung Mitarbeiter und Angestellte," and claim that an update is necessary for the email service. The emails have been sent out from external email addresses with different names, e. g. "uni-muenster". The link leads to an external website that is under the control of the attackers and forwards the login data to the originator. The real login website of the University of Münster was recreated in every detail.
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The e-mails have the subject "Unser System hat am 11. Juni 2024 fünf fehlgeschlagene eingehende Nachrichten erkannt" and claim that some messages could not be delivered due to an error and therefore a "recovery" is necessary. The sender is pretended to be “IT_Support@uni-muenster.de” with an internal sender address. However, the link leads to an external website that is under the control of the attackers and forwards the login data to the originator. The real login website of the University of Münster was recreated in every detail.
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The observed e-mails have the subject "Re: Routineanwendung für Lohn- und Gehaltsabrechnungen" and come from an external address, mostly with the name "Awais Ahmed/Sales/Islamabad". Users are requested to check their salary payout ("Verdienstabrechnung") but are instead forwarded to an external website which is controlled by the attackers to harvest their credentials.
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The e-mails have the subject "Sie haben zwei wichtige Nachrichten von der Universität Münster erhalten, die nicht zugestellt werden konnten Aufgrund einer Systemstörung." and claim that some messages could not be delivered due to an error and therefore a "recovery" is necessary. The sender is pretended to be “UNIVERSITÄT MÜNSTER-KONTAKT” with an internal sender address. However, the link leads to an external website that is under the control of the attackers and forwards the login data to the originator. The real login website of the University of Münster was recreated in every detail.
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
Those emails were sent from different external addresses and give the impression that the mailbox storage space is full and action is necessary. Different German titles could be observed, such as "Sie nutzen derzeit 100% Ihrer gesamten Speicherkapazität. Bitte geben Sie sofort Speicherplatz frei.", "Sie haben 100% Ihres Speicherplatzlimits erreicht. Es sind Maßnahmen erforderlich, um Probleme zu vermeiden." or "Bitte archivieren oder löschen Sie die Dateien. Ihre Dateien.". The emails contain links that redirect to a website that deceptively replicates the login interface of the University of Münster, but is controlled by criminals.
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The observed e-mails have the subject "Routine für die Lohn- und Gehaltsabrechnung der Mitarbeiter" and come from an external address, mostly with the name "Simon László". Users are requested to check their salary payout ("Verdienstabrechnung") but are instead forwarded to an external website which is controlled by the attackers to harvest their credentials.
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The phishing e-mails are sent with the subject "Bitte beachten Sie, dass Sie eine ausstehende Nachricht zu Ihrem Gehaltsabrechnungskalender für Februar haben" and use the fake sender "Helpdesk - University of Münster" with a sender address of the University of Düsseldorf. The content asks you to check supposed "messages" relating to payroll accounting and contains a link to an external website that is a deceptively genuine replica of the IT portal login page.
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The observed e-mails have the subject "Re: Routine für die Lohn- und Gehaltsabrechnung der Mitarbeiter" and pretend to be from a "Margarita Hernandez" from the "Abteilung für Lohn- und Gehaltsrechnung" (payroll/salary department). Users are requested to check their salary payout but are instead forwarded to an external website which is controlled by the attackers to harvest their credentials.
An increased amount of phishing e-mails is currently being sent to many members of the University of Münster.
The phishing e-mails are sent out with the subject "Die Universität Münster hat Ihnen einen wichtigen Bescheid geschickt" and use the fake sender "Die Universität Münster-Portal". Various sender addresses have been observed, some from other universities. The content requests the accessing of supposed "Bescheiden" and contains a link to an external website that deceptively imitates the IT portal login.
The new Outlook version will replace the pre-installed e-mail program in Windows in 2024, and later also the classic Outlook from the Office package. The new version synchronizes data with the Microsoft Cloud when using IMAP or POP (Exchange is not affected), which means that e-mail content and passwords are transmitted to Microsoft.
The Microsoft Outlook app for Android and iOS and the Edison Mail app (all platforms) are not permitted for accessing e-mails from university e-mail accounts (via Exchange, IMAP or POP). By using these apps, you are passing on information such as your passwords to third parties.
When setting up IMAP accounts with Microsoft Outlook for macOS with the option "Synchronize with Microsoft Cloud" enabled by default, passwords and e-mail content are forwarded to the Microsoft Cloud (see Heise). This means that sensitive data is no longer confidential, but is transmitted to Microsoft.
Several attempts of targeted scam via e-mail have been observed over the past few weeks. In those cases directors of different departments have been impersonated to send out e-mails with requests for assistance ("Are you available?").
Lately a rising amount of extortion attempts with spam e-mails has been sent to members of the University. The originators usually claim to have "hacked" into a person's computer or e-mail account and threaten to publish sensitive information, if their demands are not met. Often a payment of in a crypto currency like Bitcoin is requested. All those claims are mere pretences to urge the receiving personmto give into their demands.