{"id":878,"date":"2022-10-06T09:57:17","date_gmt":"2022-10-06T16:57:17","guid":{"rendered":"https:\/\/blogs.pugetsound.edu\/infosec\/?p=878"},"modified":"2022-10-06T09:57:19","modified_gmt":"2022-10-06T16:57:19","slug":"phishing-from-10-6-2022-item-shared-with-you-employee-report-pdf","status":"publish","type":"post","link":"https:\/\/blogs.pugetsound.edu\/infosec\/the-phish-tank\/878","title":{"rendered":"Phishing from 10\/6\/2022: &#8220;Item shared with you: &#8216;Employee Report.pdf'&#8221;"},"content":{"rendered":"\n<p class=\"has-large-font-size\">Original Phishing Message<\/p>\n\n\n\n<p><strong><em>NOTE: If you received this message, please delete it or use the option to &#8220;block the sender&#8221; from Drive as it is NOT legitimate.  <\/em><\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"541\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2022\/10\/10-6-22-gdrive-phish-1-1024x541.png\" alt=\"\" class=\"wp-image-880\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2022\/10\/10-6-22-gdrive-phish-1-1024x541.png 1024w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2022\/10\/10-6-22-gdrive-phish-1-300x158.png 300w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2022\/10\/10-6-22-gdrive-phish-1-768x406.png 768w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2022\/10\/10-6-22-gdrive-phish-1.png 1202w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"has-large-font-size\">Tips for Detection<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>This message may be difficult to spot as it takes the form of a real Google Document share. Look for mismatches between the actual sender\u2019s name\/email address (e.g. Adam Hille has shared the following item) versus the name mentioned in the description of the document share (e.g. Dr. Isiaah Crawford shared a File).<\/li><li>Notice the mismatch between the file share being from Google where the text mentions OneDrive.<\/li><li>Notice that the individual sharing the document is\u00a0<strong><em>outside\u00a0<\/em><\/strong>Puget Sound. When you see the yellow\/orange banner in a Google Drive share email that says \u201c[<em>email address<\/em>\u00a0<em>or name<\/em>] is outside your organiztion\u201d, please use extra caution.<\/li><li>Many phishing attempts utilize legitimate cloud collaboration services such as Google Drive, OneDrive, Dropbox, etc. Frequently, the shared document will include a note to click a link to open the actual document \u2013 however, this link will generally lead to a site that asks for your credentials (e.g. fake login website, web form).<\/li><li>If you\u2019re not expecting a shared document, use extra caution before clicking on the link.<\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>If you would like to prevent an email address from being able to use Google Drive to share files with you, you can block them:&nbsp;<a href=\"https:\/\/support.google.com\/drive\/answer\/10613533\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/support.google.com\/drive\/answer\/10613533<\/a>.<\/p><\/blockquote>\n\n\n\n<p class=\"has-large-font-size\">Text of Phishing Message<\/p>\n\n\n\n<p><strong>From:<\/strong> Adam Hille (via Google Drive) &lt;drive-shares-dm-noreply[@]google[.]com><br><strong>Subject:<\/strong> Item shared with you: &#8220;Employee Report.pdf&#8221;<\/p>\n\n\n\n<p>Adam Hille shared an item<\/p>\n\n\n\n<p>Adam Hille (ahille[@]isd2835[.]org) has shared the following item:<br>fwd: Dr. Isiaah Crawford shared a File with you using One Drive.<\/p>\n\n\n\n<p>Employee Report.pdf<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Original Phishing Message NOTE: If you received this message, please delete it or use the option to &#8220;block the sender&#8221; from Drive as it is NOT legitimate. Tips for Detection This message may be difficult to spot as it takes the form of a real Google Document share. Look for mismatches between the actual sender\u2019s [&hellip;]<\/p>\n","protected":false},"author":521,"featured_media":880,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[3],"class_list":["post-878","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-phish-tank","tag-phishing"],"_links":{"self":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/users\/521"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/comments?post=878"}],"version-history":[{"count":1,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/878\/revisions"}],"predecessor-version":[{"id":881,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/878\/revisions\/881"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media\/880"}],"wp:attachment":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media?parent=878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/categories?post=878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/tags?post=878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}