A compromised or burner GoogleSuite account is used to upload a phishing document to Google Drive. Google Drive is then used to share the document with targeted recipients. The email notification comes from Google's Drive robot email address, which leverages Gmail's sender reputation and is indistinguishable from other legitimate Google Drive notifications.
What to watch for:
- The document is shared by an external, non-umich user, yet purportedly on behalf of U-M President Santa J. Ono or another well-known U-M identity.
- The email is sent and cc'd to multiple recipients.
- The shared document has a distinctive file name (reflected in subject lines). For example, "NOV_DECResources.pdf" or "NOV_DEC Faculty and Staff Performnce Review.pdf".
- The text in the message body/sharing comment fraudulently references a U-M identity. For example, "Santa J. Ono has share a file with you that required urgent review."
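The checks in the list above can be applied to a raw notification message. The following is an added example, not code from U-M or Google. It assumes the notification's From address is at google.com, that the Reply-To header carries the sharing account's address, and that umich.edu is the organization's domain; the sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "umich.edu"          # assumption: the organization's mail domain
WATCHED_NAMES = ["santa j. ono"]  # identity the page says is impersonated
FILENAME_MARKERS = ["nov_dec"]    # prefix of the file names quoted on the page

def drive_share_indicators(raw):
    """Return the 'what to watch for' indicators found in one share notification."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    if not from_addr.lower().endswith("@google.com"):
        return []  # not a Google notification, out of scope for these checks
    hits = []
    # Assumption: Reply-To holds the sharer's address; a missing one counts as external.
    _, sharer = parseaddr(msg.get("Reply-To", ""))
    domain = sharer.rpartition("@")[2].lower()
    external = domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN)
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = (from_name + " " + body).lower()
    if external and any(name in text for name in WATCHED_NAMES):
        hits.append("external_sharer_using_um_identity")
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > 1:
        hits.append("multiple_recipients")
    if any(m in msg.get("Subject", "").lower() for m in FILENAME_MARKERS):
        hits.append("distinctive_file_name")
    return hits

# Constructed sample resembling the notification described on the page.
SUSPICIOUS = """From: "Santa J. Ono (via Google Drive)" <drive-shares-dm-noreply@google.com>
Reply-To: sender@example.com
To: user1@umich.edu, user2@umich.edu
Cc: user3@umich.edu
Subject: Item shared with you: "NOV_DECResources.pdf"

Santa J. Ono has share a file with you that required urgent review.
"""

# Constructed sample of an ordinary internal share.
BENIGN = """From: "A Colleague (via Google Drive)" <drive-shares-dm-noreply@google.com>
Reply-To: colleague@umich.edu
To: user1@umich.edu
Subject: Item shared with you: "Budget.xlsx"

A Colleague shared a file with you.
"""

if __name__ == "__main__":
    print(drive_share_indicators(SUSPICIOUS))
    print(drive_share_indicators(BENIGN))
```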