{"id":195,"date":"2020-12-04T13:59:17","date_gmt":"2020-12-04T21:59:17","guid":{"rendered":"http:\/\/blogs.pugetsound.edu\/infosec\/?p=195"},"modified":"2020-12-04T15:05:33","modified_gmt":"2020-12-04T23:05:33","slug":"phishing-from-12-4-2020-it-faculty-shared-evaluation-transcript-december-with-you","status":"publish","type":"post","link":"https:\/\/blogs.pugetsound.edu\/infosec\/the-phish-tank\/195","title":{"rendered":"Phishing from 12\/4\/2020: &#8220;IT Faculty shared &#8216;Evaluation Transcript (December)&#8217; with you.&#8221;"},"content":{"rendered":"\n<p class=\"has-large-font-size\">Original Phishing Message<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"989\" height=\"636\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-IT-fac-eval-phish.png\" alt=\"\" class=\"wp-image-196\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-IT-fac-eval-phish.png 989w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-IT-fac-eval-phish-300x193.png 300w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-IT-fac-eval-phish-768x494.png 768w\" sizes=\"auto, (max-width: 989px) 100vw, 989px\" \/><\/figure>\n\n\n\n<p class=\"has-large-font-size\">Tips for Detection<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The email was sent from a hotmail.com address. When receiving emails from external addresses, use extra caution, especially if you are not expecting an email or do not know the sender.<\/li><li>Although the display name appears to be impersonating &#8220;IT Faculty,&#8221; which is already strange, the body of the email seems to indicate that the sender is from the Office of Finance. These inconsistencies should raise a red flag. <\/li><li>Though the link is an actual Microsoft OneDrive short URL (1drv.ms), attackers do frequently use legitimate cloud sharing sites in phishing attacks. 
<\/li><\/ul>\n\n\n\n<p class=\"has-large-font-size\">Where Did the Link Lead?<\/p>\n\n\n\n<p>The link first leads to a OneDrive document that contains another hyperlink. Generally, if you open an attachment or shared document that contains language asking you to click another link to see the actual document, steer clear.  <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"929\" height=\"574\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-onedrive-link.png\" alt=\"\" class=\"wp-image-197\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-onedrive-link.png 929w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-onedrive-link-300x185.png 300w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-onedrive-link-768x475.png 768w\" sizes=\"auto, (max-width: 929px) 100vw, 929px\" \/><\/figure>\n\n\n\n<p>If you clicked &#8220;CHECK NOW,&#8221; you would be taken to a Google Form asking for your email address and key_word (password). Never submit passwords or sensitive information using online forms. 
This should also be suspicious as logging in to OneDrive would require signing in to Microsoft, not being taken to a Google Form.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"628\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-google-form-creds-1024x628.png\" alt=\"\" class=\"wp-image-198\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-google-form-creds-1024x628.png 1024w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-google-form-creds-300x184.png 300w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-google-form-creds-768x471.png 768w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2020\/12\/12-4-20-google-form-creds.png 1381w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"has-large-font-size\">Text of Phishing Message<\/p>\n\n\n\n<p>IT Faculty shared a file with you<\/p>\n\n\n\n<p>KINDLY CHECK THE TRANSCRIPT. [<em>Name Removed<\/em>] Associate Vice President for Finance University of Puget Sound [<em>removed<\/em>]@pugetsound.edu<\/p>\n\n\n\n<p>Evaluation Transcript (December).docx<\/p>\n\n\n\n<p>Open [<em>link removed<\/em>]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Original Phishing Message Tips for Detection The email was sent from a hotmail.com address. When receiving emails from external addresses, use extra caution especially if you are not expecting an email or do not know the sender. 
Although the display name appears to be impersonating &#8220;IT Faculty&#8221; which is already strange, the body of the [&hellip;]<\/p>\n","protected":false},"author":521,"featured_media":196,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[3,4],"class_list":["post-195","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-phish-tank","tag-phishing","tag-phishtank"],"_links":{"self":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/users\/521"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/comments?post=195"}],"version-history":[{"count":2,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/195\/revisions"}],"predecessor-version":[{"id":200,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/195\/revisions\/200"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media\/196"}],"wp:attachment":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media?parent=195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/categories?post=195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/tags?post=195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}