Reeling Them In: The Success of “Shared with you” Phishing Campaigns
Phishing campaigns masquerading as shared documents have become increasingly prevalent, exploiting our near-universal reliance on cloud services for collaboration. These schemes are sophisticated, leveraging realistic emails that create a sense of urgency or curiosity, and often slip past even trained eyes. To dissect what makes these campaigns effective, we’ll dive into the components that lure users into traps. From authentic-looking subject lines to cleverly crafted sender addresses and URLs, understanding each element can illuminate why these attacks succeed where others fail.
Anatomy of a Real-World Campaign
An effective phishing campaign begins with impeccable attention to detail that makes false communications indistinguishable from legitimate ones. Let’s break down the components:
Subject Lines
The campaign utilized subject lines that mimicked typical notifications from collaboration services. A common tactic was to use recognizable service names such as Google Docs or OneDrive, paired with plausible action phrases:
- Subject: Document shared with you: “Quarterly Report”
- Subject: You have received a secure document from [Manager Name]
Sender Patterns
The email addresses were crafted to enhance credibility. Attackers frequently create look-alike domains or user names that match or closely resemble legitimate addresses to lower suspicion:
- Sender: docs-noreply@googlesecurity-docs.com
- Sender: sharepoint-admin@office365-notifications.org
Email Body
The email body is a critical component, where the blend of urgency and authenticity triggers the click impulse. Below is an email body example that provides the level of realism necessary for success:
Hey [Recipient Name],
[Sender Name] has shared a secure document with you via Google Docs.
You can view the document by clicking on the link below:
<a href="https://drive.google.docs-file.view.com/[randomID]">View Document</a>
Please note: This is a secure document. For your convenience, we'll notify you if anything changes.
Best regards,
The Google Docs Team
URL Structure
URL structure is an important element of phishing campaigns: it blends legitimacy cues and obscures the actual destination. URLs are crafted to appear familiar, often using subdomains or HTTPS to obtain a semblance of security:
- Phishing URL: https://accounts.google.com@login-drive.secure-shared.com
- Phishing URL: https://onedrive.microsoftonline-com.redirect-login.process.online-approval.org
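A defender can check these cues mechanically on links extracted from mail. The following is an added example, not part of the original article: it parses each URL, reports the host the client would really connect to, and flags the patterns shown above. It also goes one step further and flags non-ASCII or punycode hostnames. The allowlist, the brand-token list and the last three sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts this organisation expects share links to point at.
TRUSTED_HOSTS = {"docs.google.com", "drive.google.com", "accounts.google.com",
                 "onedrive.live.com"}
# Assumption: brand words that should only appear on the hosts above.
BRAND_TOKENS = ("google", "microsoft", "onedrive", "office365", "sharepoint")


def is_trusted(host):
    """True if host is an allowlisted host or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def real_destination(url):
    """Host the client actually connects to, with any userinfo stripped."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def analyze_url(url):
    """Return finding codes for one link extracted from a share notification."""
    host = real_destination(url)
    findings = []
    # Everything before '@' in the authority is userinfo, never the destination.
    if urlsplit(url).username is not None:
        findings.append("userinfo-before-host")
    # Non-ASCII or punycode labels can hide look-alike characters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("non-ascii-host")
    # A brand word on a host outside the allowlist is a look-alike cue.
    if not is_trusted(host) and any(tok in host for tok in BRAND_TOKENS):
        findings.append("brand-on-untrusted-host")
    return findings


# The first two URLs are quoted from this page; the rest are constructed samples.
SAMPLES = [
    "https://accounts.google.com@login-drive.secure-shared.com",
    "https://onedrive.microsoftonline-com.redirect-login.process.online-approval.org",
    "https://drive.google.docs-file.view.com/EXAMPLE-ID",   # page host, constructed path
    "https://docs.google.com/document/d/EXAMPLE-ID/edit",   # constructed benign link
    "https://sh\u1ea1repoint-files.example/view",            # constructed, uses U+1EA1
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(real_destination(sample), analyze_url(sample))
```

The allowlist comparison is done on the parsed hostname only, so a trusted name placed in the userinfo, a subdomain label or the path never counts as a match.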
Good / Better / Best: Crafting Irresistible Lures
Good
- Using generic service notifications like “Document shared”, which work by exploiting familiarity.
- Simple domain look-alikes, e.g., substituting .com with .co or adding a few letters (googledocs-services.com).
- Basic plaintext email body with straightforward instructions.
Better
- Personalizing subject lines with actual document names or known sender details to increase recipient trust.
- Using sophisticated domain tricks, such as hyphens (–) and subdomains that look genuine (e.g., users-google.com).
- HTML email bodies that include company logos and mimic the service’s branding and style.
Best
- Mimicking internal communication styles, using the same phrases and tone expected in legitimate documents.
- Domain names that are virtually indistinguishable, possibly using visual similarities with letters (e.g., using ạ instead of a).
- Highly targeted content that references ongoing projects or recent events within the organization, vastly increasing perceived legitimacy.
Related Concepts
Understanding the psychology of phishing is as crucial as recognizing the technical elements. These campaigns often exploit:
- Cognitive Bias: Leveraging heuristic processing where users quickly make judgments based on familiar patterns.
- Social Engineering: Manipulating trust and authority figures by impersonating HR or management communications.
- Urgency and Fear: Inducing a quick response by suggesting immediacy or potential consequences.
Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

