Cyber Threat Alert: Duo Bypass Attacks

Monday, July 17, 2023
By Information Security Team

This message was sent out to the campus community on July 17th, 2023 by Matthew Nappi, Chief Information Security Officer, Assistant Vice President Division of Information Technology

We have recently witnessed an increase in phishing attacks specifically targeting our university community, aimed at deceiving individuals into revealing their Duo two-factor codes sent via text message or approving unauthorized Duo mobile push requests. Many of these originate with the fake promise of a job offer or some other scam, and communication is then usually taken away from email and onto a text message.


It is crucial to remain vigilant and exercise caution in safeguarding your NetID, including your Duo authenticator. Protecting your personal information and university accounts is of utmost importance, and we urge you to adhere to the following guidelines to stay safe:


Deny and report unexpected Duo requests: Always be suspicious of any unexpected requests to provide your Duo code or approve a Duo mobile push request that you did not initiate yourself. If you are away from your device and receive Duo requests seemingly at random, deny them and report as fraudulent from the mobile application, you will be asked immediately after denial.


Be cautious of deceptive emails and text messages: Phishing attempts often include emails designed to appear legitimate but contain malicious links or tricks to collect your login credentials. Pay close attention to the sender's email address, subject line, and overall content before clicking on any links or providing sensitive information.


Report suspicious activity: If you suspect that your account or the university system has been compromised or you have encountered a phishing attempt, immediately report it as phishing in Gmail or forward the suspicious email to for further investigation.


Discontinue use of text messages as Duo authenticators: A common thread between these attacks is the compromise of Duo codes sent via text message. Using a text authenticator should always be a backup option and never your primary authenticator, and as such, any codes sent this way should immediately be treated as suspect. If you haven’t already, set up the Duo mobile application on your device, as it bolsters security and is the preferred authentication method. 


Stay informed and educated: Regularly review educational resources provided by Stony Brook University to familiarize yourself with the latest phishing techniques, best practices to protect your accounts, and how to identify potential threats. 


Remember, Stony Brook will NEVER ask you for your password or a Duo code. You may be asked to approve a Duo push to verify your identity if working with tech support, so always ensure that these requests say “Support Request” on them before approving, and that you have explicitly initiated the support request. 


Your Duo credentials should be handled with the utmost care and protected as a critical security component of your university accounts, similar to your password.


If you have any questions or concerns or are simply seeking guidance on how to enhance your account security, please feel free to contact the Information Security team by requesting support at


Thank you for your diligence and attention to this matter.

Matt Nappi

Chief Information Security Officer

Assistant Vice President

For More Information Contact

Information Security Team