SECURITY ALERT: "Shared document" phishing scam

CSIT has received many reports of a phishing scam targeting NWU Office 365 account information.  This particular phishing scam is a variation on a design we have seen and warned about previously, but the widespread distribution of the scam makes it worth a reminder.

This particular scam comes from a compromised NWU Office 365 account.  The Subject line of the message is “Very Urgent” and it may appear confusing as the recipient address is not visible.  (Most addresses to receive this message are masked by being added to the BCC field.)  The body of the message claims that the sender has deposited important documents at a SharePoint site and invites the recipient to click a link and sign in with their email address to view the documents.

First, note the suspicious nature of the headers of the message which hide the recipient addresses.  Second, the message adopts an unusual (and inconsistent) scheme of capitalization.  Third, there is no indication of the nature of the supposed important documents nor why they are being offered to the recipient.  Finally, the embedded link is disguised.  If you were to follow the link (which is NOT advised), the page prompting for login information is clearly NOT related to NWU’s Office 365 instance, nor is it related to any Microsoft SharePoint login prompt.

Thanks to all those who alerted us to this scam.  We are working to remove the offending messages from NWU mailboxes and have already secured the compromised NWU account from which it originated.