Phish 2013-05-08 #3
Phishers used a compromised faculty account to send Phish 2013-05-08 #1 to other USC addresses. They managed to send about 100 before we detected and blocked it.
Phishers often use this technique because it bypasses blocks of external sites and makes the phish seem more legitimate because it has a USC From address.
The IP used to inject the phish, 126.96.36.199, is registered to Samoa (us3.exchangezone.ws) but seems to be located in Providence or Salt Lake City, Utah.