Original Phishing Message
Note: If you received this message, please simply delete it as it is not legitimate.
From: Michael Knettel <no-reply[@]sharepointonline[.]com>
Subject: Michael Knettel shared “Department Evaluation doc” with you.
Tips for Detection
- If you receive a link to a shared document from an unknown individual, it is most likely phishing. Attackers frequently use real cloud document sharing services such as Microsoft OneDrive or SharePoint to send phishing emails.
- Notice that the body of the message states that “Ronald Thomas” has shared a file even though the sender is actually “Michael Knettel”. When these names mismatch, that is an indication that the message might not be legitimate.
- The generic “Department Evaluation doc” title should be suspicious.
Where Did the Link Lead?
The link led to a Microsoft Sharepoint document that contained a link to a Microsoft Form that asked for your credentials. Never submit your username/password in any online form, even if it is a Microsoft or Google Form. In general, if you open a link to a shared document and it looks similar to the screenshot below where it asks you to click to see the shared file, it is usually NOT legitimate.
