Cyber Attack: Friday 13 - 14 February 2025
Unfortunately, a member of Pangbourne staff was targeted in a highly focused and sophisticated cyber attack using the Evilginx Office 365 Token Capture exploit, late on Thursday 13 February and into the early hours of Friday 14 February. The email is confirmed as fraudulent and has the title, ‘Document from Pangbourne College’. It has the following appearance:
The links in the email direct you to a file sharing website, Scribehow. The links on this site spoof a Microsoft 365 and Google Drive log-in. It is these links that may be used to harvest log-in information.
Please do not open the email or click any links. You should delete it immediately. If you have opened or clicked any links and entered any personal information including a password, then you should take the following steps:
- Where the same email address and password are used on other websites, you should change the password as soon as possible. You should do this from another device, if you can. This is recommended in any case, especially if you use Microsoft 365 or Google Drive in a personal or business capacity.
- If you suspect a file has been downloaded without your knowledge, run a virus and anti-malware scan to see whether any malware has been installed.
- Review whether any personal information attached to an email signature or 'out-of-office' is necessary.
As far as we can tell, no personal information was captured or copied. However, a small number of records were modified. These have been restored from a back-up taken on 12 February.
What Steps Has Pangbourne Taken?
- We notified anyone who may have been sent the email as soon as the issue was known.
- We disabled the affected account so it was no longer possible for emails to be sent from it.
- We briefed all staff about the incident and reiterated best practice for internet security.
- We identified a further layer of security we could add to our key systems. This is being implemented over the course of w/c 17/02/2025 and w/c 24/02/2025. Scheduled completion is 26/02/2025 (majority completed by 19/02/2025).
- We have notified the Information Commissioner's Office [ICO] and Action Fraud of the incident. The ICO are satisfied with our response and additional measures. No regulatory action is required.
Unfortunately, these attacks are increasingly common and schools are a common target. We take security extremely seriously and already have several safeguards in place to defend against cyber-attacks. Nevertheless, the cyber-criminal fraternity is relentless and we will continue to review our security to see if further measures could be taken.
In the meantime, we urge all parents to be vigilant and to verify that any emails they receive, from any source, are legitimate.
Webpage last updated 25/02/2025 14.30.