The Information Security Office is aware of a phishing campaign attempting to trick recipients into reviewing and signing a document under the guise of a Microsoft Teams signature request. These messages commonly use the subject line “Re: HR Documents, Pending completion approval” to appear as part of an ongoing or legitimate HR-related conversation.

This is not a legitimate email. Recipients should not click the “Review Document” link or provide any credentials.

The email presents itself as a “TEAMS MEMO” and claims that a document has been sent for review and signature. When the embedded link is clicked, users are redirected to a fraudulent website that mimics the Microsoft login page. This page is designed to harvest usernames, passwords, and potentially multi-factor authentication (MFA) codes. This activity is consistent with credential harvesting campaigns targeting Microsoft 365 accounts.

A close inspection of the email reveals several red flags:

• Suspicious subject line usage – The subject “Re: HR Documents, Pending completion approval” is crafted to create urgency and appear as part of an existing HR thread, even if no prior conversation exists.
• Impersonation of Microsoft Teams / e-signature workflow – The message uses “TEAMS MEMO” and “Signature Completion Request” language, which is not consistent with legitimate Microsoft Teams or approved document signing services.
• Suspicious link behavior – The “Review Document” link redirects to a non-Microsoft domain hosting a fake login page.
• Unexpected document request – The message references a document (“Q2 AP/AR585676”) without prior context, which is a common phishing lure.
• Generic or mismatched sender information – The email references “cresst.org,” which may be spoofed or unrelated to the expected sender.
• Sense of urgency and business context – Phrases like “Pending completion approval” are used to prompt immediate action without verification.

If you clicked the link or entered your credentials, contact the Information Security Office immediately so protective measures can be taken.

How to Report a Phishing Scam

The UCLA Information Security Office requests that campus users report phishing messages to our team so that we can proactively alert campus users and bring awareness to widespread phishing campaigns. In order for the Information Security Office to take action in response to a reported phishing message, please follow these steps:

1. Please follow instructions on How to Report a Phishing Scam
2. Send the resulting message and attachment to security@ucla.edu(link sends email) with a subject line identifying the message as a phishing report.

It is important to be aware of fraudulent phishing schemes. Check back here as we update the list below with known phishing attempts.