Latest Phishing Attempt

The malicious attachment in this phishing campaign has been determined to be ransomware. The message appears to come from different copier@* addresses. When the attached .docm file is opened, the ransomware encrypts files on local (fixed and removable) and network filesystems. If you received a message like this and opened the document, shut down your system and contact the TSO Help Desk immediately.

Emails that include suspicious attachments are being circulated; an example is below. These are not legitimate emails.
If you receive an email like this, do not open the attachment. If a phishing or spam email makes its way into your inbox, please forward it according to the directions at to improve the accuracy of GT's filters.
You can learn to recognize phishing emails. They frequently contain poor grammar and unusual wording. Sometimes they will use a legitimate-looking email address, but they don't always. In some cases, there is a mismatch between the name and the email address in the From field. However, these signs are not always present. Phishing emails often want you to visit a site with an unusual URL that has nothing to do with the purported sender. In the example below, however, the request is to open an attached file, which could contain a malicious payload.

From: "copier@" <copier@<REMOVED>.edu>
Subject: Scanned image from
Date: July 20, 2016 at 5:40:07 AM EDT
Reply-To: "copier@<REMOVED>" <copier@<REMOVED>.edu>

Reply to: <copier@<REMOVED>.edu>
Device Name:
Device Model: MX-2310U

File Format: Microsoft Office Word
Resolution: 200dpi x 200dpi

Attached file is scanned image in Microsoft Office Word format.
Use Microsoft Office Word to view the document.
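
The indicators described above (a copier@ sender, a macro-enabled .docm attachment, a From name that does not match the address) can be checked on a raw message before it reaches an inbox. The following Python is an added example, not part of the original advisory; the sample message, the example.edu domain, the attachment name and the `triage` function are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message above; example.edu and the
# attachment name are placeholders, not values from the advisory.
SAMPLE = """\
From: "copier@example.edu" <copier@example.edu>
Reply-To: "copier@example.edu" <copier@example.edu>
Subject: Scanned image from
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached file is scanned image in Microsoft Office Word format.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="scan_0001.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

# .docm is the format named in the advisory; the rest are an added generalization.
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".pptm")

def triage(raw):
    """Return the indicators described in the advisory that one raw message shows."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    hits = []
    if addr.lower().startswith("copier@"):
        hits.append("copier-sender")
    # Display name that looks like an address but differs from the real one
    if "@" in name and name.lower() != addr.lower():
        hits.append("from-name-mismatch")
    for part in msg.walk():
        fn = part.get_filename() or ""
        if fn.lower().endswith(MACRO_EXTS):
            hits.append("macro-attachment:" + fn)
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the constructed sample the From name and address agree, so only the sender and attachment checks fire, which is why a name/address mismatch cannot be the only signal a filter relies on.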