This Was a Phish

Ohio State regularly runs phishing training exercises to the university community. By clicking the link that brought you to this page, you succumbed to a university phishing simulation. Read on to learn how to spot phishing messages and protect yourself and the university from malicious attacks.

Spotting the Phish

You received this email:

Subject: 2025 Performance Report Update, email is from an illegitimate domain encouraging recipients to click a bad link.

Sender Addresses: The sender address, hr@onedrive-micrasoft.com, is very generic, not the correct method for connecting with human resources at Ohio State, and should raise red flags. The domain (everything after the @ symbol) is the first indication that this might be a phishing attack.

Confusing Language: Performance reviews at Ohio State are in collaboration with your manager, not randomly sent via email. If you are prompted by Ohio State to engage in human resource activities outside proper channels, report the email as suspicious so the security team can take defensive action and alert others.

When you engage with the email, you are sent to a fake log in page.

Web page asking for user to submit their email address to the attacker

Review the URL of web page before engaging with it: When you clicked from the email, a website was loaded with a URL of login.onedrive-micrasoft.com, which is not a legitimate site. Attempt to confirm the legitimacy of a site before you enter login credentials or personal information like name, email address or phone number.

Report Phishing Attempts

Image of the 'report suspicious' banner displayed at the top of every external email you receive. Click this banner to report suspected phish.

If you ever suspect an email to be a phishing attempt, please report it immediately by clicking the "Report Suspicious" button in the warning banner which appears at the top of that external email.