A new phishing campaign is targeting users of the U.S. Department of Education’s G5 portal, a site used by educational institutions and vendors to manage grants and federal education funding. Threat researchers at BforeAI uncovered a cluster of lookalike domains designed to steal user credentials by mimicking the official G5.gov login page.
Cloned version of the G5 portal (Source: BforeAI)
The attack uses deceptive domains like g5parameters.com and g4parameters.com, among others, that copy the visual layout and structure of the real G5 portal. These fake sites include login forms that appear legitimate and even replicate help desk information from the actual Department of Education website. JavaScript is used to exfiltrate credentials and simulate login behavior, such as case-sensitive fields and loading loops, to further trick users.
Cloaking and credential theft
Behind the scenes, the infrastructure is set up to avoid detection. The domains are registered through Hello Internet Corp, a registrar known for weak abuse handling, and they use Cloudflare to mask their hosting details.
The phishing pages employ browser-based cloaking techniques and DOM manipulation to confuse automated scanners. After a user enters their information, the site redirects them to a verification page that could be used to collect more data or bypass MFA.
Smaller institutions at higher risk
“Phishing campaigns like this one targeting the Department of Education’s G5 portal are not isolated,” Abu Qureshi, Lead of Threat Intelligence & Mitigation at BforeAI, told Help Net Security. “We have noticed a trend in which attackers increasingly exploit the trust that educational institutions place in federal systems.”
BforeAI flagged all the domains and has started a takedown process. It also shared threat indicators, such as reused assets and JavaScript signatures, with its intelligence partners. The U.S. Department of Education Office of Inspector General has been notified of the attack.
What makes this campaign particularly risky is its timing. It follows a recent announcement from the Trump Administration about 1,400 layoffs at the Department of Education. Attackers may try to exploit confusion or anxiety around these changes to make phishing emails more believable.
Fallout
The potential fallout is serious. If attackers gain access to G5 credentials, they could change payment instructions, impersonate recipients to commit fraud, or access sensitive data about grants and awards. This kind of access also opens the door to broader social engineering attacks and could expose the federal education funding process to supply chain risks.
Qureshi warned that smaller institutions may be especially vulnerable. “For smaller educational institutions that may lack dedicated cybersecurity staff or training programs, one practical step is to preemptively assess infrastructure targeting your brand across the internet for indicators of future abuse,” he said.
He also recommends a basic behavioral change: “Instruct staff and students to always type critical website URLs manually, especially for government portals, instead of clicking on email or search links. It’s a small behavioral change, but one that disrupts many phishing chains.”
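The campaign's domains (g5parameters.com, g4parameters.com) and Qureshi's advice to "preemptively assess infrastructure targeting your brand" both come down to the same defender task: triaging candidate domains for lookalike risk against a protected brand. The script below is an added example written for this article, not BforeAI's tooling or anything the Department of Education runs. It scores each candidate on four constructed signals (brand token embedded in the label, a one-character confusable variant such as g4 for g5, small edit distance to the official label, and a TLD that differs from .gov), and the candidate list, the weights and the 50-point threshold are all assumptions chosen for illustration; the `.example` domains are constructed placeholders.

```python
"""Score candidate domains for lookalike risk against a protected brand domain.

Added example for this article; not BforeAI's or the Department's tooling.
The candidate list, the CONFUSABLES map, the weights and the threshold are
constructed for illustration.
"""
from dataclasses import dataclass, field

PROTECTED_DOMAIN = "g5.gov"   # the official portal named in the article
BRAND_TOKENS = ("g5",)        # brand strings a defender wants to watch for

# Single-character swaps commonly used in lookalikes; 'g4' for 'g5' matches
# the g4parameters.com domain reported in the article. Illustrative only.
CONFUSABLES = {"5": "4", "4": "5", "0": "o", "1": "l"}

FLAG_THRESHOLD = 50  # assumed: scores at or above this get a human review


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used to catch near-identical labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> tuple[str, str]:
    """Split 'login.g5parameters.com' into ('g5parameters', 'com').
    Assumes a single-label public suffix, which is enough for the sample data."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


@dataclass
class Finding:
    domain: str
    score: int
    reasons: list = field(default_factory=list)


def score_domain(candidate: str) -> Finding:
    """Return a 0..100 lookalike score with the reasons that contributed."""
    if candidate.lower() == PROTECTED_DOMAIN:
        return Finding(candidate, 0, ["official domain"])
    label, tld = registrable_label(candidate)
    brand_label, brand_tld = registrable_label(PROTECTED_DOMAIN)
    score, reasons = 0, []

    # Signal 1: brand token embedded in the label (e.g. "g5parameters").
    for tok in BRAND_TOKENS:
        if tok in label:
            score += 40
            reasons.append(f"contains brand token '{tok}'")

    # Signal 2: one-character confusable variant of a brand token ("g4parameters").
    for tok in BRAND_TOKENS:
        for i, ch in enumerate(tok):
            swapped = tok[:i] + CONFUSABLES.get(ch, ch) + tok[i + 1:]
            if swapped != tok and swapped in label:
                score += 30
                reasons.append(f"confusable variant '{swapped}' of '{tok}'")

    # Signal 3: the whole label is within two edits of the official label.
    if levenshtein(label, brand_label) <= 2:
        score += 30
        reasons.append(f"label within 2 edits of '{brand_label}'")

    # Signal 4: TLD mismatch only matters once another signal fired; the
    # real portal lives under .gov, and the reported lookalikes were .com.
    if score and tld != brand_tld:
        score += 20
        reasons.append(f"TLD .{tld} differs from .{brand_tld}")

    return Finding(candidate, min(score, 100), reasons)


def is_lookalike(candidate: str) -> bool:
    return score_domain(candidate).score >= FLAG_THRESHOLD


def triage(candidates: list) -> list:
    """Return flagged findings, highest score first (stable for ties)."""
    findings = [score_domain(c) for c in candidates]
    flagged = [f for f in findings if f.score >= FLAG_THRESHOLD]
    return sorted(flagged, key=lambda f: -f.score)


# Constructed stand-in for a newly-registered-domains or CT-log feed:
# the two .com domains are the ones named in the article, the rest are placeholders.
SAMPLE_CANDIDATES = [
    "g5parameters.com",
    "g4parameters.com",
    "g5.gov",
    "grants.example",
    "g5-login.example",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CANDIDATES):
        print(f"{f.score:3d}  {f.domain:22s} {'; '.join(f.reasons)}")
```

In practice the candidate feed would be certificate-transparency entries or a newly-registered-domain list, and anything that scores above the threshold is a candidate for blocklisting and takedown well before it shows up on public blocklists, which is the gap the article describes.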
Early detection matters
At the time of discovery, none of the domains were listed on public blocklists, which BforeAI says shows the value of catching threats early. The company continues to monitor for any reuse of the campaign’s infrastructure and urges users of the G5 system to bookmark the official site and report suspicious activity.