I've been working with computers since the early 1980s. I have built them. Soldered motherboards. Written software. Been a Network Administrator for NASA, and on the development team for the Java programming language and VM.
I have the chops and experience. There's little about the function of computers - from the silicon to the UX - that I do not have a firm grasp of.
One hour ago, while working on resolving an internal process issue between the Sales and Accounting departments about an invoice that was not entered properly, I got an email from another regular customer with questions about their monthly invoice.
It is the middle of the month. Invoices are due in two weeks (by Oct 1), so this is not unexpected. If there are going to be problems with invoices, they are either going to happen mid-month or two days before month-end closing.
Blah blah blah...
DeKalb County, GA sends me an email asking about the enclosed invoice.
Since I am on a Slack call with someone from Sales and our Accounting manager talking about the other invoice issue, I figure I'll pop open the email and see if we need to talk about this one, too.
The PDF they sent me has a link to their Microsoft OneDrive account, and I click it to download the file. I have to use my Microsoft Teams login to get the doc. (DeKalb County and my company are both Microsoft shops, and SharePoint and Teams are used HEAVILY with all the built-in functionality, like file sharing via OneDrive.)
I type in my username and password to authenticate and download the invoice from their shared drive...
... and Google Chrome pops up a message that says, "Hey idiot, you just entered your credentials into a deceptive site." And then gives me an option to "Ignore" this message, or open up my Password Manager and "Check Passwords".
Having just granted some Russian hacker full access to my computer - and all of my company's internal documentation, payment systems, code bases, etc. (I have access to EVERYTHING) - I freeze. Click NOTHING.
Switch to Slack and ping my Security Dude.
He locks my account. We change my master password, and I confirm the new password with my physical Security Dongle (that generates a unique 6-digit one-time-use code), to reset my account and all my passwords throughout the company.
--- breathe ----
Everything is fine. Nothing was compromised except my password, and the password was only compromised for 2.5 minutes, and was never used to access our systems. It is a totally unique password and I do not use it anywhere else.
So there was no breach.
BUT....
If Google had not popped up this message:
I would literally not know I had given up my credentials to an untrusted third party.
This shook me. I've NEVER fallen for one of these before...
(Fuck. Still can't get images to show in Hubski...)
I remember seeing a tweet from someone in a similar situation to yours who showed a really sophisticated phishing scam that used some obscure technique to essentially hijack a legitimate Google URL. I wish I could find it because I'd always thought I was immune to pretty much any phishing attack and now I'm wary as hell. Still, glad to see there's no lasting damage.
The hack process is so familiar with my normal everyday usage of MS products... A coworker clicks a really simple "Share this!" button in an MS Office 365 product, to share a file with you. Easy, right? So you click the link and are taken to the web page... ... oh, but first you need to authenticate your login name and password to this OTHER instance of Microsoft Office 365, because it's not federated to the same MS Office 365 instance you are currently logged in to... ... and then once you log in, it loses track of what you were trying to do, so you go back to the original link the person sent you in email, click it again, and then you get into the system to download the file they wanted to share with you. And this is the normal process for sharing a file via Microsoft's oh-so-helpful tools! You literally go through about 7 different redirect web pages, all lightly branded with MS logos and verbiage, before finally having to re-do the initial action, because MS has redirected you so many times even they don't know what you were originally trying to do. So you do it again. Now, a hacker only needs to gain control of ONE of those redirects, duplicate the generic design of a bunch of generic MS pages, and even a savvy user like myself has NO IDEA that the URL changed in mid-redirect to some nefarious nogoodnik's page, and has now stolen your login credentials. God I hate Microsoft's software...
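The comment above describes the defender's problem exactly: a sign-in flow that bounces through several Microsoft-branded pages, where one hop swapped for a lookalike host is enough to capture credentials. The only thing that distinguishes the hops is the hostname, so the useful check is an allowlist of the domains a password may be typed into, matched on label boundaries so that a host like `login.microsoftonline.com.attacker.test` does not pass. The script below is an added example written for this thread, not code from the original post or from Microsoft; the allowlist of Microsoft sign-in and file-sharing domains is an assumption for illustration, and the redirect chain it audits is constructed inline (the `.test` hosts are fabricated stand-ins for a phishing hop).

```python
from urllib.parse import urlparse

# Assumed allowlist of domains a Microsoft work account may be signed in to.
# This is an illustrative set, not an authoritative list from Microsoft;
# a real deployment would maintain its own.
TRUSTED_SUFFIXES = (
    "login.microsoftonline.com",
    "login.live.com",
    "sharepoint.com",      # tenant sites such as contoso-my.sharepoint.com
    "onedrive.live.com",
)


def hostname_is_trusted(hostname: str) -> bool:
    """True if hostname equals a trusted suffix or is a subdomain of one.

    Matching is done on label boundaries ('.' + suffix), so a host that
    merely *starts* with a trusted name, e.g.
    'login.microsoftonline.com.attacker.test', is rejected.
    """
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def audit_redirect_chain(urls):
    """Return (hop_index, url, reason) findings for hops that should never be
    handed credentials: plain HTTP, a URL carrying userinfo (the
    'https://login.microsoftonline.com@evil.test/' trick, where the real host
    is after the '@'), or a hostname outside the allowlist."""
    findings = []
    for i, url in enumerate(urls):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append((i, url, "not https"))
        if parsed.username is not None:
            findings.append((i, url, "userinfo before '@' hides real host"))
        if not hostname_is_trusted(host):
            findings.append((i, url, f"untrusted host {host!r}"))
    return findings


# Constructed sample chain: two legitimate-looking hops followed by two
# fabricated phishing hops (.test is a reserved TLD; these do not exist).
SAMPLE_CHAIN = [
    "https://contoso-my.sharepoint.com/personal/jdoe/Documents/invoice.pdf",
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000000",
    "https://login.microsoftonline.com.example-phish.test/common/oauth2/authorize",
    "http://login.microsoftonline.com@example-phish.test/sign-in",
]


if __name__ == "__main__":
    for hop, url, reason in audit_redirect_chain(SAMPLE_CHAIN):
        print(f"hop {hop}: {reason}\n    {url}")
```

Two caveats worth keeping in mind when reading the output: a host under `sharepoint.com` only proves the page is hosted by Microsoft, not that it belongs to the tenant you expected, since any tenant can create one; and a check like this only helps before the password is typed, which is why the browser-side leaked-password warning described in the original post is the backstop rather than the first line.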
I clicked on a link in a bogus email once. It was at work, and the site was blocked as an unknown or suspicious site. I don't know what I'd have done beyond there, but like you I never fall for those things. This one I did.
Yeah, our company has been the target of a heavy campaign recently, and the InfoSec dudes have their work cut out for them. The hackers have now started cultivating employees' personal email addresses, and are sending them emails "from our CEO". Because our company has been working from home since March (and many of us since mid-February), the line between "personal" and "work" has been blurring, so these attacks on people at home are being somewhat effective. I do not envy our InfoSec team's work right now...