[PHISH] Signature Request: Contract #RO-2018-894 – (March 16, 2026)

We’ve received reports this morning about another phishing campaign imitating our legal team. The message appears to be a contract renewal document, but the email sender address is not a DocuSign address. Even if it were, attackers often use DocuSign to host malicious documents containing additional links to evade detection. The word “Tcnj” is not typical of how most people type the abbreviation.

Also of note in this particular attack, hovering over the link shows that it goes to microsoftonline.com and not DocuSign. This attack uses a token: if you follow the link and log in, you authorize the attacker to use your Microsoft account. An example of the link is below, as well as screenshots from the email.

Please remain vigilant when reviewing your emails and reach out to us at phish@tcnj.edu if you have any suspicions or questions about an email message. Thank you.

Example link (token and other data redacted): https://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&response_type=code&response_mode=query&scope=openid+profile+email+https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&prompt=none&redirect_url=https%3A%2F%2Foutlook.office.com%2Fmail%2Finbox%2Fid%XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%XXXX
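For teams triaging reports like this one, the following added example (not part of the original advisory) parses a defanged link, checks whether its host matches the brand the email claims, and extracts the OAuth fields visible in the sample above. The function name `triage_link`, the brand domain `docusign.com`, and the embedded sample (rebuilt from the redacted link, placeholders only) are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample modeled on the redacted link above; every value is a placeholder.
SAMPLE = ("https://login.microsoftonline[.]com/common/oauth2/v2.0/authorize"
          "?client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&response_type=code"
          "&response_mode=query&scope=openid+profile+email+"
          "https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&prompt=none"
          "&redirect_url=https%3A%2F%2Foutlook.office.com%2Fmail%2Finbox")


def triage_link(link, claimed_brand_domain):
    """Describe an emailed link and list reasons to treat it as suspicious."""
    # Refang first: "[.]" in the host would otherwise break URL parsing.
    url = urlsplit(link.replace("[.]", ".").replace("hxxp", "http"))
    host = (url.hostname or "").lower()
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    findings = []
    # The email claims one brand, but hovering shows a different destination.
    if host != claimed_brand_domain and not host.endswith("." + claimed_brand_domain):
        findings.append(f"link host {host} is not {claimed_brand_domain}")
    is_oauth = (host == "login.microsoftonline.com"
                and url.path.endswith("/oauth2/v2.0/authorize"))
    if is_oauth:
        findings.append("link starts an OAuth authorization request, not a document view")
        if params.get("prompt") == "none":
            findings.append("prompt=none requests that no interactive prompt be shown")
    return {
        "host": host,
        "oauth_authorize": is_oauth,
        "client_id": params.get("client_id"),   # application the sign-in would authorize
        "scopes": params.get("scope", "").split(),
        # OAuth 2.0 names this parameter redirect_uri; the sample above shows
        # redirect_url, so both spellings are accepted here.
        "redirect": params.get("redirect_uri") or params.get("redirect_url"),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage_link(SAMPLE, "docusign.com").items():
        print(f"{key}: {value}")
```

The extracted `client_id` is the value to search for in sign-in and consent records when checking whether anyone followed the link.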

 

 
