Original Phishing Message

Tips for Detection

• The email was sent from a hotmail.com address. When receiving emails from external addresses, use extra caution especially if you are not expecting an email or do not know the sender.
• Although the display name appears to be impersonating “IT Faculty” which is already strange, the body of the email seems to indicate that the sender is from Office of Finance. These inconsistensies should raise a red flag.
• Though the link is an actual Microsoft OneDrive short URL (1drv.ms), attackers do frequently use legitimate cloud sharing sites in phishing attacks.

Where Did the Link Lead?

The link first leads to a OneDrive document that contains another hyperlink. Generally, if you open an attachment or shared document that contains language asking you to click another link to see the actual document, steer clear.

If clicking on “CHECK NOW,” you would be taken to a Google Form asking for your email address and key_word (password). Never submit passwords or sensitive information using online forms. This should also be suspicious as logging in to OneDrive would require signing in to Microsoft, not being taken to a Google Form.

Text of Phishing Message

IT Faculty shared a file with you

KINDLY CHECK THE TRANSCRIPT. [Name Removed] Associate Vice President for Finance University of Puget Sound [removed]@pugetsound.edu

Evaluation Transcript (December).docx

Open [link removed]