{"id":464,"date":"2021-10-11T14:02:50","date_gmt":"2021-10-11T21:02:50","guid":{"rendered":"https:\/\/blogs.pugetsound.edu\/infosec\/?p=464"},"modified":"2021-10-11T14:05:00","modified_gmt":"2021-10-11T21:05:00","slug":"phishing-from-10-11-2021-michael-knettel-shared-department-evaluation-doc-with-you","status":"publish","type":"post","link":"https:\/\/blogs.pugetsound.edu\/infosec\/the-phish-tank\/464","title":{"rendered":"Phishing from 10\/11\/2021: &#8220;Michael Knettel shared &#8216;Department Evaluation doc&#8217; with you.&#8221;"},"content":{"rendered":"\n<p class=\"has-large-font-size\">Original Phishing Message<\/p>\n\n\n\n<p><strong><em>Note: If you received this message, please simply delete it as it is not legitimate. <\/em><\/strong><\/p>\n\n\n\n<p><strong>From: <\/strong>Michael Knettel &lt;no-reply[@]sharepointonline[.]com><br><strong>Subject: <\/strong>Michael Knettel shared &#8220;Department Evaluation doc&#8221; with you.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"972\" height=\"744\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-phish.png\" alt=\"\" class=\"wp-image-465\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-phish.png 972w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-phish-300x230.png 300w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-phish-768x588.png 768w\" sizes=\"auto, (max-width: 972px) 100vw, 972px\" \/><\/figure>\n\n\n\n<p class=\"has-large-font-size\">Tips for Detection<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>If you receive a link to a shared document from an unknown individual, it is most likely phishing. Attackers frequently use real cloud document sharing services such as Microsoft OneDrive or SharePoint to send phishing emails. 
<\/li><li>Notice that the body of the message states that &#8220;Ronald Thomas&#8221; has shared a file even though the sender is actually &#8220;Michael Knettel&#8221;. When these names mismatch, that is an indication that the message might not be legitimate. <\/li><li>The generic &#8220;Department Evaluation doc&#8221; title should be suspicious. <\/li><\/ul>\n\n\n\n<p class=\"has-large-font-size\">Where Did the Link Lead?<\/p>\n\n\n\n<p>The link led to a Microsoft SharePoint document that contained a link to a Microsoft Form that asked for your credentials. Never submit your username\/password in any online form, even if it is a Microsoft or Google Form. In general, if you open a link to a shared document and it looks similar to the screenshot below where it asks you to click to see the shared file, it is usually NOT legitimate. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"521\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-doc-phish-1024x521.png\" alt=\"\" class=\"wp-image-466\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-doc-phish-1024x521.png 1024w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-doc-phish-300x153.png 300w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-doc-phish-768x391.png 768w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-doc-phish-1536x782.png 1536w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-doc-phish-1440x733.png 1440w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/10\/10-11-21-sharepoint-doc-phish.png 1915w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Original Phishing Message Note: If you received this message, please simply delete it as it is not legitimate. 
From: Michael Knettel &lt;no-reply[@]sharepointonline[.]com> Subject: Michael Knettel shared &#8220;Department Evaluation doc&#8221; with you. Tips for Detection If you receive a link to a shared document from an unknown individual, it is most likely phishing. Attackers frequently use real [&hellip;]<\/p>\n","protected":false},"author":521,"featured_media":465,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[3],"class_list":["post-464","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-phish-tank","tag-phishing"],"_links":{"self":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/users\/521"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/comments?post=464"}],"version-history":[{"count":2,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/464\/revisions"}],"predecessor-version":[{"id":468,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/464\/revisions\/468"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media\/465"}],"wp:attachment":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media?parent=464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/categories?post=464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/tags?post=464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}