
Alert: Schools receiving Microsoft File Sharing Phishing Emails
📢 We've received several phishing emails from schools recently that look like they are sharing a Microsoft file or folder with us.
The emails appear to have been sent out to the school's suppliers, after which the sender's email account is no longer available. They look like legitimate Microsoft file and folder sharing requests, and aim to steal login credentials and potentially gain access to sensitive data. The emails are being received internally within organisations and are also being sent out to suppliers, like ourselves.
Key points about these kinds of attacks:
🕵🏽 A sender name that appears legitimate: it will look like someone you know or a contact, it may look like the correct email address and may have a photo of the person.
🕵🏽 A subject line related to file sharing: e.g. [Name] has shared a file with you.
🕵🏽 A convincing email body: containing branding you recognise and a layout that looks familiar.
What should you do?
🚫 Do not click on any links or attachments.
🚫 Do not reply to the email - interacting confirms you are a real person and your email address is active.
🚫 Mark the email as spam or junk - this will help your email provider identify future emails like this.
🚫 Verify the sharing request - speak to the person concerned through a trusted communication method.
🚫 Report the suspicious email to your IT department immediately - the quicker they are able to contain the threat, the less likely the damage.
The SLT digital lead is responsible for assigning someone to report any suspicious cyber incidents or attacks. The person will need to report this to:
- Action Fraud on 0300 123 2040, or the Action Fraud website
- the DfE sector cyber team at [email address not shown]
- the NCSC website if the incident or attack causes long term school closure, the closure of more than one school, or serious financial damage.
- the ICO website within 72 hours, where a high risk data breach has or may have occurred. We would advise contacting us to do this on your behalf by either logging a data breach on the Knowledge Bank portal or by emailing [email address not shown]
- your cyber insurance provider (if you have one), such as risk protection arrangement (RPA)
- Jisc, if you are a part of a further education institution.
- Action Fraud guidance for reporting fraud and cyber crime
- Academy Handbook Part 6 if you are part of an academy trust
- ICO requirements for reporting personal data breaches. We would advise emailing us on [email address not shown] to liaise with the ICO on your behalf.
What if you clicked on the link and entered your credentials?
🛡️ Change your email password immediately.
🛡️ Let your IT department know immediately - this is important to contain the threat.
🛡️ Be vigilant for unusual activity.
🛡️ Training & Awareness - ensure that everyone has increased awareness of the situation and consider additional phishing training.
📢 If you are a school or multi academy trust, the DfE Digital Standards recommend that everyone who has access to school systems should undergo annual cyber security training. We recommend creating a cyber security resilience culture where training and awareness for cyber and information security is part of the organisation's ethos.