Self-Phish Review: Remote working - assets inventory

The message you clicked is part of a Phishing Awareness campaign

You are viewing this page because you clicked the link in a phishing message and provided your credentials on the login page.

This message was sent by IT Services as an educational exercise to help the University community to learn how to recognize and react to phishing messages. Don't be concerned, your password was not captured or stored by IT Services.

We ask you to do the following two steps:

  1. Please don't warn your colleagues. It is important that they reach this page and learn how not to get caught.
  2. Read the information below.

Dissecting the Phish

There were several signs in the email that should have triggered a vigilant reader to doubt the authenticity of the message.

  1. Strange personalized greeting

    The message was personalized using both the recipient's first and last names, which is unusual for a message coming from their department head. Additionally, the content of the message suggests that it might be a broadcast message to the whole department, meaning that a personalized greeting would not be appropriate.
     
  2. Inconsistent language

    The message refers to the data collection as both an inventory and a survey. Those are not exactly the same things and may be a clue that the composer of the message is not a native English speaker.
     
  3. Insecure link

    The URL in the Survey Link uses HTTP instead of HTTPS. This is unusual, especially for a website that is asking for credentials.
     
  4. Unfamiliar domain and URL

    The Survey Link points to a domain that is not associated with the University, Microsoft or any other partners (such as Oracle). Additionally, the rest of the URL looks like a randomly generated string instead of a readable landing page for an application.
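As an added example (not part of the IT Services page), the following Python helper applies the three link checks described above to a URL: the scheme, the domain against an allowlist, and a rough randomness test on the last path segment. The allowlist of institutional and partner domains is constructed for this example; a real one would come from IT Services.

```python
import math
from collections import Counter
from urllib.parse import urlparse

# Constructed allowlist for this example: the University and the partners
# the page names. A look-alike such as "uwindsor.ca.example.net" does not
# match, because only the registrable suffix is compared.
TRUSTED_SUFFIXES = ("uwindsor.ca", "microsoft.com", "microsoftonline.com", "oracle.com")


def _entropy(s: str) -> float:
    """Shannon entropy in bits per character; random strings score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def _is_trusted_host(host: str) -> bool:
    """True when the host is exactly a trusted domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def url_red_flags(url: str) -> list[str]:
    """Return the warning signs from the page that apply to this URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    # Sign 3: a credential page served over plain HTTP.
    if parsed.scheme != "https":
        flags.append("insecure scheme (not HTTPS)")
    # Sign 4a: a domain not associated with the University or its partners.
    if not _is_trusted_host(host):
        flags.append("unfamiliar domain")
    # Sign 4b: a final path segment that looks like a random string rather
    # than a readable landing-page name (long, high entropy, no separators).
    last = parsed.path.strip("/").rsplit("/", 1)[-1]
    if len(last) >= 12 and _entropy(last) > 3.5 and not any(ch in last for ch in "-_."):
        flags.append("random-looking path")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs, not the ones used in the campaign.
    for u in ("http://survey-portal.example.net/k9fQ2xLm7Rt4Wz8p",
              "https://login.microsoftonline.com/common/oauth2/authorize"):
        print(u, "->", url_red_flags(u) or "no flags")
```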

The password page

The password page should also have given an aware reader pause. When logging in using Microsoft Azure Authentication, the password page is customized for the University of Windsor. After providing an email address that ends with @uwindsor.ca, Microsoft's authentication system provides a UWindsor-specific login page instead of the generic one. 

You can see in the image below the differences between the fake password page associated with the phishing attempt on the left and the legitimate UWindsor password page on the right.

  1. The password dialog does not include the UWindsor logo, instead showing a generic Microsoft logo.
     
  2. The background image on the page does not change to show a UWindsor background image (Dillon Hall in this case).
     
  3. There is no customized UWindsor help link at the bottom of the password dialog.


Lessons learned

Recipients need to be continually aware that any message may be a phishing attempt. Key takeaways from this phishing exercise are:

  • Readers need to be looking for phishing
  • Consider the content - does the greeting match the message, does the language make sense, is it an unusual request?
  • Review links carefully
  • Pay attention to login prompts

Keeping these lessons in mind will help you to spot phishing attempts in the future.