URGENT SECURITY ALERT: Continuing phishing attacks using document sharing theme

NWU mailboxes have been subjected over the past few days to a campaign of phishing attacks. This campaign employs a theme which we have warned about previously, i.e. the request to review a shared document. However, the increasing frequency of this attack warrants another alert. In addition, we have reason to believe that the aim of this campaign is not merely to harvest email credentials to use for mass mailing, but is focused on theft and the commission of fraud.

The common element of the messages in the current campaign is an offer to the recipient of a chance to review a document which has been shared with them via OneDrive for Business. The message might have the subject line “Medical Review” or “Paperwork”. The apparent sender varies, but the message often appears to come from a domain associated with the medical community. The messages include a large OneDrive for Business banner and a link to the supposed location of the document. The message encourages the recipient to review the document as soon as possible. Clicking on the embedded link will open a web browser which will immediately attempt to download a document holding the payload. Note, too, that the embedded link actually points to a Google Docs site, not to a SharePoint site, contrary to the assertion of the message.

Should you receive such an email message, please delete it immediately. Do not attempt to follow the embedded link, do not download the file and certainly do not attempt to open it. If you have already fallen for this phishing scam, please notify CSIT immediately. We will assist you with changing your account passwords to ensure that your NWU accounts are secured. For our part, we are in the process of installing and testing message filters which will stop instances of this phishing campaign from reaching NWU mailboxes. We are also scanning to remove any instances we can isolate which have already been delivered.
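The traits described above (the two subject lines, and OneDrive branding paired with a link that leaves Microsoft's domains) can be expressed as a simple mail-triage check. The following Python is an added illustration, not CSIT's filter; the function names, the `MS_DOMAINS` list and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Subjects/branding are from the alert; MS_DOMAINS is an assumed, incomplete list.
CAMPAIGN_SUBJECTS = {"medical review", "paperwork"}
BRAND_RE = re.compile(r"onedrive|sharepoint", re.I)
MS_DOMAINS = ("sharepoint.com", "onedrive.com", "live.com", "1drv.ms")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def body_text(msg):  # join every text/* part (plain and HTML)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def host_of(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return ""

def is_ms_host(host):
    return any(host == d or host.endswith("." + d) for d in MS_DOMAINS)

def assess(raw):
    """Return the reasons a raw RFC 5322 message matches the campaign traits."""
    msg = message_from_string(raw)
    body = body_text(msg)
    reasons = []
    if (msg["Subject"] or "").strip().lower() in CAMPAIGN_SUBJECTS:
        reasons.append("campaign-subject")  # weak signal on its own
    hosts = {host_of(u) for u in URL_RE.findall(body)}
    off_brand = sorted(h for h in hosts if h and not is_ms_host(h))
    if BRAND_RE.search(body) and off_brand:  # claims OneDrive, links elsewhere
        reasons.append("brand-link-mismatch:" + ",".join(off_brand))
    return reasons

# Constructed sample messages (not captured from the campaign).
PHISH = ("From: Records <records@clinic.example>\nSubject: Medical Review\n\n"
         "A document was shared with you via OneDrive for Business.\n"
         "Review it as soon as possible: https://docs.google.com/document/d/PLACEHOLDER\n")
BENIGN = ("From: Colleague <colleague@nwu.example>\nSubject: Budget draft\n\n"
          "Shared via OneDrive for Business: https://example.sharepoint.com/sites/team/budget.xlsx\n")

if __name__ == "__main__":
    print(assess(PHISH), assess(BENIGN))
```

The subject match alone is a weak signal; the brand-to-link mismatch is the stronger one, since it does not depend on the attacker reusing the same subject lines.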

More generally, please use extreme caution in handling your email, particularly during transitional periods of the calendar such as this one. Phishing scams typically increase in frequency during such transitional periods, and current scams are becoming much more sophisticated in their methods, as well as more malicious in their aims.