How Can I Spot Phishing Scams in SharePoint and OneDrive Emails?

Asked By TechyBee123 On

I work for a small company without a dedicated IT expert, so we're trying to navigate a rise in sophisticated phishing attempts targeting our accounts. Recently, we've been receiving emails that resemble legitimate communications from our clients, specifically in the form of Microsoft SharePoint file shares, coming from the real email addresses of those clients. Since these emails look so typical to us, they don't raise any alarms. What's the best way to identify if these emails are scams? They seem trustworthy at first glance!

4 Answers

Answered By PhishFinder88 On

Consider enhancing your email security with banners directing users to be cautious with emails from external senders, especially those from known phishing domains like Dropbox or DocuSign. And don't underestimate user training! Encourage them to ask themselves two questions: 'Do I know this person?' and 'Am I expecting this?' If there's any doubt, they should call the sender using a verified phone number, not just reply to the email.
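The banner idea from the answer above, as an added example (not code from this thread or from any mail product): a filter that prepends the two questions to external file-share mail. The internal domain, keyword list, banner wording and sample messages are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values for illustration; replace with your own domains and wording.
INTERNAL_DOMAINS = {"ourcompany.example"}
SHARE_TERMS = ("sharepoint", "onedrive", "dropbox", "docusign", "shared a file")
BANNER = (
    "[EXTERNAL FILE SHARE] Do I know this person? Am I expecting this?\n"
    "If in doubt, call the sender on a verified phone number; do not just reply.\n\n"
)

def is_external(msg):
    """True when the From address is outside our own domains."""
    address = parseaddr(str(msg.get("From", "")))[1]
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS

def add_share_banner(msg):
    """Prepend BANNER to the plain-text body of external file-share mail.

    Whether the sender is a known client is deliberately not consulted:
    mail sent from a hijacked real mailbox looks like a trusted contact.
    Returns True if the banner was added.
    """
    body = msg.get_body(preferencelist=("plain",))
    if body is None or not is_external(msg):
        return False
    text = body.get_content()
    haystack = (str(msg.get("Subject", "")) + "\n" + text).lower()
    if text.startswith(BANNER) or not any(t in haystack for t in SHARE_TERMS):
        return False  # already tagged, or not file-share themed
    body.set_content(BANNER + text)
    return True

def make_msg(sender, subject, text):
    """Build a constructed sample message (not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@ourcompany.example", subject
    m.set_content(text)
    m.add_alternative("<p>" + text + "</p>", subtype="html")
    return m

if __name__ == "__main__":
    for sender, subject in [
        ("Alice <alice@client.example>", "Alice shared a file with you"),
        ("bob@ourcompany.example", "SharePoint link for the team"),
        ("carol@client.example", "Lunch on Friday?"),
    ]:
        print(sender, "->", add_share_banner(make_msg(sender, subject, "See above.")))
```

Only the plain-text part is tagged here; the HTML alternative would need the same banner before users who read HTML mail would see it.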

Answered By SecurityNinja4U On

It sounds like you're dealing with a pivot attack. In these cases, the sender's account may have been compromised, and they're sending out emails that look genuine to try to get users to open malicious attachments. I've seen this happen, and it often leads to accounts being hijacked shortly after. A good practice is to train users to verify any unexpected attachments by reaching out directly to the sender through a different communication method, like a quick call or text. Another option is to open files in a sandbox environment before fully engaging with them.

Answered By CautiousUser89 On

You could simply call the sender and check what they're actually sending. It's a straightforward way to confirm if it’s legitimate.

Answered By CriticalThinker21 On

User training can be tricky when it comes to trusting emails. It's hard for someone to ignore a link in an email they're expecting to receive! What you might want to emphasize is the importance of confirming requests through direct contact instead of just relying on email replies, since attackers often mimic the sender’s response.
