Block accounts with last name as UniAccount

For some time now, we have noticed that "attacks" from the Internet have regularly been carried out on university systems for a few hours. The attackers try to log in to systems with real account names by trying out different passwords. Our systems recognize a large number of false logins in a certain time and block this account for security reasons, which means that the affected employees can no longer log in themselves. This is limited to the time of the attack, the account is then unblocked approx. 10 minutes after the end of the attack has been detected. This means that the accounts that are blocked are actually exposed to an attack!

The accounts affected here are mainly those that consist of the last name of the Employees (older accounts). We assume that the attackers have the email addresses from illegal lists and that they use the name before @uni-kassel.de as the account name. For this reason, only the "speaking" accounts are currently affected and not the uk accounts, as these are generally not used as an e-mail address, but a speaking e-mail address consisting of firstname.surname is always set up and used.

The manufacturer of our firewall is working on a solution to block attack attempts in the firewall as soon as they are detected. This function does not block the account but prevents further access/attempts from the recognized IP address of the attacker. In this respect, users can then continue to work undisturbed. We are currently checking when the manufacturer will be able to provide this function without errors and will then install it in our systems immediately. We will then inform you of this separately.

We ask for your patience and understanding until a solution is found if you/your account is affected by an attack.