With MFA in place, compromised account issues plummet

Since the initial implementation of Microsoft Multi-Factor Authentication (MFA) for University email that began in October 2021, the number of compromised email accounts at Purdue has fallen significantly – from 1,200 in the month of September, to approximately 100 instances last month.  

Over the last several months, MFA has gradually been enabled for students, faculty, staff, and retirees at the West Lafayette, Northwest, and Fort Wayne campuses. This week, MFA was enacted globally on the email tenants for each campus, meaning 100 percent of new University email accounts using Office 365 will also be protected by two-factor authentication.  

“Purdue email is now more secure than it has ever been,” says Anthony Newman, Chief Information Security Officer for Purdue. “But users still need to remain vigilant against phishing and other attacks, because the threats are always evolving.” 

Photo for

The number of compromised accounts have dropped significantly in the past eight months thanks to the adoption of Microsoft MFA.

One such threat is the rise in spear-phishing attacks, where the sender tries to impersonate a known person to get access to personal or sensitive information. In June, Purdue will start labeling email that comes from off-campus sources with a warning banner alerting the recipient that the email was sent from someone outside the University. Although the warning banner offers no protection itself, the goal is to alert the recipient to use caution before clicking on links, opening attachments, or sharing data.  

Also in June, ITaP will enact a geo-block for email accounts that do not use Office 365 and Microsoft Multi-Factor Authentication (MFA) and are sending email from outside the United States.  

Regardless of the steps that Purdue takes to heighten email security, Anthony says the best practice is for users to remain cyber aware when using email:    

  • Use a strong password or passphrase for all accounts and do not reuse passwords on multiple accounts. Use Micrsoft Multi-Factor Authentication to protect your account.  
  • Report phishing attempts. Suspicious emails to your Purdue account should be reported by forwarding the message to abuse@purdue.edu 
  • Change your password. If you ever are concerned that you might have shared your password, change it as soon as possible. ITaP also will send an email alert automatically to faculty and staff whenever there is a change to their career account or direct deposit banking information.  
  • Call for help. If you or someone you know has been a victim of this type of email attack, please contact the ITaP Customer Service Center at 765-494-4000 or by emailing itap@purdue.edu.   

 Last updated: May 10, 2022