Subject<\/strong>: Item shared with you: “Pugetsound StudentIncident_Report_FollowUp_Process_2026.docm”
<\/p>\n\n\n\n
![\"\"](\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2026\/06\/6-22-26-google-doc-share-email.png\")
<\/figure>\n\n\n\nTips for Detection<\/p>\n\n\n\n
- \n
- Many attackers leverage legitimate cloud services such as Google Drive to make their emails look legitimate. The display name on the account used to share the document can be easily manipulated. However, the email address cannot. Notice that the email address in the body of the email is listed as mayerlingsabourin[@]gmail[.]com<\/em>. <\/li>\n\n\n\n
- Many attackers will try to impersonate campus members. In this case, they are impersonating a VP. However, notice the yellow banner in the body of the email that states that the message was sent “outside your organization<\/em>.” If you receive an email from an external source (not @pugetsound.edu) purporting to be from a campus member, this is suspicious. <\/li>\n\n\n\n
- Be wary of communications you receive that fall outside what you would normally expect. <\/li>\n<\/ul>\n\n\n\n
Where did the link lead?<\/p>\n\n\n\n
The first link goes to a document stored on Google Drive. A shared document containing a secondary link and no content should be suspicious. If you hover over the link, notice that it goes to ms-secure-sign-kojf33[.]vercel[.]app which is suspicious. Notice the contradictory wording that the document is in Google Drive and Dropbox. <\/p>\n\n\n\n
![\"\"](\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2026\/06\/6-22-26-google-doc-share-link-1-1024x405.png\")
<\/figure>\n\n\n\nThough the following pages look like Microsoft login pages, they are not legitimate. Always check the URL of the website you are on and avoid entering credentials or sensitive data on sites you do not recognize. <\/p>\n\n\n\n
![\"\"](\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2026\/06\/6-22-26-google-doc-share-link-2-1024x523.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2026\/06\/6-22-26-google-doc-share-link-3-1024x510.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"Original Phishing Message From: drive-shares-dm-noreply[@]google[.]comSubject: Item shared with you: “Pugetsound StudentIncident_Report_FollowUp_Process_2026.docm” Tips for Detection Where did the link lead? The first link goes to a document stored on Google Drive. A shared document containing a secondary link and no content should be suspicious. If you hover over the link, notice that it goes to ms-secure-sign-kojf33[.]vercel[.]app […]<\/p>\n","protected":false},"author":521,"featured_media":1447,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[3],"class_list":["post-1445","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-phish-tank","tag-phishing"],"_links":{"self":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/1445","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/users\/521"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/comments?post=1445"}],"version-history":[{"count":1,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/1445\/revisions"}],"predecessor-version":[{"id":1451,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/1445\/revisions\/1451"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media\/1447"}],"wp:attachment":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media?parent=1445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/categories?post=1445"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/tags?post=1445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Many attackers will try to impersonate campus members. In this case, they are impersonating a VP. However, notice the yellow banner in the body of the email that states that the message was sent “outside your organization<\/em>.” If you receive an email from an external source (not @pugetsound.edu) purporting to be from a campus member, this is suspicious. <\/li>\n\n\n\n