Shared Workspace Attacks

Recognize, Respond, Report

Shared workspace attacks are a type of spear phishing where the attacker impersonates a legitimate account to share fake documents with a user to access and steal sensitive information, or send malware to you or your organization. These attacks can target anyone in an organization that utilizes or has access to shared online workspaces such as Google Workspace (Google Drive) or Microsoft OneDrive and Sharepoint.

Recognize

  • Often these emails will be flagged as outside of the organization or will include email addresses that are not from “@rit.edu.”
  • The sender will often share an item that you are not expecting (i.e. financial report or an invoice). 
  • When Google Drive notifications are integrated into Slack they show limited information (in particular, senders email and shared document name). This makes it easy to spot an unrecognized email or unexpected document.

Respond

  • Verify all unexpected requests or notifications by calling or texting a known source or meeting with the person face-to-face.
  • Carefully look over the notification for the sender's email address or information as well as the context of the notification.
  • Report any suspicious notifications to spam@rit.edu.

Report

  • If you believe you have accessed or interacted with a possible fake notification contact the RIT service Center by phone at 585-475-5000, or online at help.rit.edu to open an incident report.

Detail: Common Examples

Below are some examples that have been observed in the RIT community. Be aware that attackers continuously update their strategies; as a result, these examples serve as a learning tool to help you recognize a shared workspace attack.

Google Drive Shared File BEC

Screenshot of Google Shared File BEC

Screenshot of Slack notification for Google Drive

Screenshot of Accounts Payable BEC

While this message appears to be a shared document from an RIT account, the real email of the sender can be observed in the notification. In this case the message has been marked as “outside your organization” and is a red flag that this is a scam.