Shared Workspace Attacks

Shared workspace attacks are a type of spear phishing where the attacker impersonates a legitimate account to share fake documents with a user to access and steal sensitive information, or send malware to you or your organization. These attacks can target anyone in an organization that utilizes or has access to shared online workspaces such as Google Workspace (Google Drive) or Microsoft OneDrive and Sharepoint.

Recognize

• Often these emails will be flagged as outside of the organization or will include email addresses that are not from “@rit.edu.”
• The sender will often share an item that you are not expecting (i.e. financial report or an invoice). 
• When Google Drive notifications are integrated into Slack they show limited information (in particular, senders email and shared document name). This makes it easy to spot an unrecognized email or unexpected document.

Respond

• Verify all unexpected requests or notifications by calling or texting a known source or meeting with the person face-to-face.
• Carefully look over the notification for the sender's email address or information as well as the context of the notification.
• Report any suspicious notifications to spam@rit.edu.

Report

• If you believe you have accessed or interacted with a possible fake notification contact the RIT service Center by phone at 585-475-5000, or online at help.rit.edu to open an incident report.

Below are some examples that have been observed in the RIT community. Be aware that attackers continuously update their strategies; as a result, these examples serve as a learning tool to help you recognize a shared workspace attack.

• "A file was shared with you" Phishing (external)
• Spear Phishing with Google Drive (external)
• Spear Phishing with SharePoint (external)
• How to Spot SharePoint Phishing (external)