Compromised Educational Domain in India Used for Spam Delivery


I personally collect spam emails for security research. Recently, I received a suspicious email claiming to be from McAfee, sent from the email address of a school official in India (though I’m not sure whether it belonged to a teacher, a student, or someone else).

Sender Email Address

Spam Email Header

As you can see in the screenshot above, this email appears to have been sent via Google's servers, most likely from a legitimate account associated with Google Workspace.

When I investigated the Google account associated with this email address using WhiteIntel, I found that it had been compromised as of 2024-11-24. Therefore, I can assume that this spam email was sent from Gmail by fraudulently using a legitimate Google Workspace account.
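The "sent via Google from a real account" reading above can be reproduced from the raw headers rather than a screenshot. The following Python helper is an added example, not code from the original post: it parses the topmost Received header and the Authentication-Results header (RFC 8601 style, where receivers report the DKIM signing domain as header.d or header.i) and checks whether the DKIM pass aligns with the From: domain. The sample hostnames, addresses and header values are constructed.

```python
import re
from email import message_from_string, policy

def auth_results(msg):
    """Parse Authentication-Results into {method: (result, {tag: value})}."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # Strip comments, then skip the leading authserv-id clause.
        for clause in re.sub(r"\([^)]*\)", "", hdr).split(";")[1:]:
            tokens = clause.split()
            if tokens and "=" in tokens[0]:
                method, result = tokens[0].split("=", 1)
                tags = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
                out[method.lower()] = (result.lower(), tags)
    return out

def relay_host(msg):
    """Host named in the topmost Received header (the last hop before us)."""
    received = msg.get_all("Received", [])
    m = re.match(r"\s*from\s+(\S+)", received[0]) if received else None
    return m.group(1).rstrip(".").lower() if m else ""

def classify(raw_headers):
    """Real (possibly hijacked) Workspace account, or merely a spoofed From:?"""
    msg = message_from_string(raw_headers, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = auth_results(msg)
    dkim_res, dkim_tags = auth.get("dkim", ("none", {}))
    spf_res, _ = auth.get("spf", ("none", {}))
    # Receivers report the signing domain as header.d=dom or header.i=@dom.
    dkim_dom = (dkim_tags.get("header.d") or dkim_tags.get("header.i", "")).rpartition("@")[2]
    via_google = relay_host(msg).endswith(".google.com")
    aligned = dkim_res == "pass" and dkim_dom.lower() == from_domain
    if via_google and aligned:
        verdict = "sent through Google by a real Workspace account (likely compromised)"
    elif "pass" in (dkim_res, spf_res):
        verdict = "authenticated, but not for the From: domain (forwarder or lookalike)"
    else:
        verdict = "unauthenticated: From: domain is spoofed"
    return {"from_domain": from_domain, "via_google": via_google, "aligned": aligned, "verdict": verdict}

# Constructed sample (hypothetical hosts and addresses, not the post's real headers).
SAMPLE = """\
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.recipient.example with ESMTPS id k7si2; Sun, 24 Nov 2024 10:00:00 -0800
Authentication-Results: mx.recipient.example;
       dkim=pass header.i=@school.example header.s=google header.b=AbCdEf;
       spf=pass (domain of staff@school.example designates 209.85.220.41 as permitted sender) smtp.mailfrom=staff@school.example
From: "McAfee Support" <staff@school.example>
"""
```

A message that arrives from a non-Google relay with spf=fail and no DKIM signature falls into the "spoofed" branch instead, which is the case this check is meant to separate from a genuinely compromised account.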

Cause of Compromise

I was curious as to why this Google account had been compromised, so I did a little research.

First of all, it seems that the official website of a certain high school in India, which appears to be related to the compromised account, now uses the ashokhall[.]org domain. This is inferred because the external link on the Wikipedia page is broken. I suspect that the DNS record may be outdated, or that an account under the old domain was never properly deleted.

When checking the archive of hxxps://ashokhall[.]net on the Wayback Machine, I found that the site appeared to be the school's official website as of January 2022. After that, most of the pages were blank, and by 2024 the domain showed a parking page (hxxps://ww7.ashokhall[.]net). This indicates that the domain has expired and is no longer used as an active website.

  • 2022-01-28 Ashokhall Web Archive 20220128

  • 2022-03-17 Ashokhall Web Archive 20220317

  • 2024-01-11 Ashokhall Web Archive 20240111

The archive records for the ashokhall[.]org domain, on the other hand, only begin in 2023.

Ashokhall Org Web Archives

Based on this relationship between the two domains, I inferred that the ashokhall[.]net domain has been abandoned and is no longer maintained.

Furthermore, when I checked the history of its MX record using SecurityTrails, I found that aspmx.l.google.com was indeed set until 2022. This suggests that the domain was using Google Workspace up to that point.

Ashokhall MX Records History

On the Google login page, I entered the apparently compromised email address to check if the account was still active in Google Workspace. I was able to confirm that it still exists. If it didn’t, an error message like “This account does not exist” would have been displayed.

Check Compromised Google Account

Unrelated Legitimate Company (probably)

Additionally, at the bottom of the email body, the domain of a legitimate IT company appears to be listed — likely in an attempt to mislead the recipient into thinking the email is related to that company.

The domain was not mentioned in the email body, and after checking the company's official website, I couldn't find any information that corresponds to the email. Additionally, the phone number in the email does not match the one listed on the official site.

When I checked the website archives on the Wayback Machine, I noticed that the content hadn't changed at all since 2018, which raised some concerns. However, the company appears to be legitimate based on active posts on its LinkedIn profile and business information listed on other websites.

By the way, based on my research, I couldn't find any indication that the ecotechglobal[.]in domain had been compromised.

IOCs

Domains

  • ashokhall[.]net

URLs

  • hxxps://ww7.ashokhall[.]net

Platforms

  • Gmail
  • Google Workspace