Body
Date and Time First Identified
- March 12, 2025 at approximately 4:30pm
Phishing Method
- Email sent multiple times to multiple recipients, claiming that a strange email address (which varies in each version of the email) has shared a file or folder with billing information.
- There are low-context file sharing links in the body, a vector through which attackers commonly host malicious payloads as they provide few signals about the nature of the file itself, making these types of attacks hard to detect at high confidence.
- This message contains a Google Drive link, a commonly abused low-context file sharing attack vector.
- The email exhibits suspicious sending behavior: the sender's email signature (display name/email address) matches a known brand ('Google'), but the email address (drive-shares-noreply@google.com) does not match the display name ('"Wеiis Fаrgо - Nоtify |... (Via ..'), a common pattern in impersonation attempts.
- Email appears to be a financial request, but the message body contains language that may be trying to steal money from the organization.
- No Reply-To domains match the Sender domain. Additionally, Reply-To Domains do not match any domains found in body links.
User Response
- Do not reply to the message
- Do not click on any links or attachments
- Mark the message as spam or junk
- Forward the message to phishing@dartmouth.edu
- Block the sender
Sample Unformatted Email
Subject: Item shared with you: "Rеviеw Yоur Вilling Infоrmаtiоn Nоw - Ассеss Rеstricted"
|
WеIIs Fаrgо - Nоtify | Ассеss Rесоvery shared an item
|
|
WеIIs Fаrgо - Nоtify | Ассеss Rесоvery (Email Redacted) has shared the following item:
|
Review Your Billing Information Now - Access Restricted
|
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
You have received this email because (Email Redacted) shared a file or folder located in Google Drive with you. |
|
|