[Someone] shared “FILE REVIEW 2023” with you

This phish is an actual SharePoint Online file sharing email, but that doesn’t mean the file it goes to is legitimate. Phishers are known to use compromised Microsoft 365 accounts at other organizations to create a phishing document. Rather than creating their own phishing email, they send out the phish by sharing that phishing document with the people they want to target. That can make the phish harder to detect because the emails have the same look and feel as legitimate SharePoint Online file sharing emails.

Despite all that, there are still some red flags:

  • The message claims that the file is from the UVic president, but the file wasn’t shared by him or someone from the UVic President’s Office. Inconsistencies like this can often be a sign of a phish or scam.
  • The message is very vague. This may be a trick to make you curious and go to the file to find out what’s actually in it.
  • There is incorrect grammar and capitalization in the message.
  • At the bottom-right corner of the message, you’ll see a different university’s logo. This is a sign that the file did not come from within UVic’s Microsoft 365 tenant. An actual file from the UVic President should not be coming from a different university’s Microsoft 365 service.

A SharePoint Online file sharing email from a compromised account at another organization. It pretends to be a file from President Kevin Hall but actually goes to a phishing document.

From: E********** <noreply@sharepointonline.com>
Subject: E********** shared “FILE REVIEW 2023” with you.

E********** shared a file with you

FWD: President Kevin Hall you a file using one drive.

[Word document icon] FILE REVIEW 2023

This link will work for anyone.

Open

[Microsoft logo]
[Other university’s logo]