It looked like a Citrix ShareFile phishing attack, but wasn’t

Bob Covello

It looked like a Citrix ShareFile phishing attack, but wasn't

It looked like a Citrix ShareFile phishing attack, but wasn't

Guest contributor Bob Covello isn’t happy about a password reset email that Citrix has been sending its customers.


Over the last few days, many people received an email from Citrix Systems, requesting them to change their passwords. Many wondered if this was the result of a breach. I wondered what they were thinking when they sent these messages.

Here is a screenshot of the email Citrix ShareFile users received:

Sharefile email

There has been a constant increase in internet-account credential (usernames and passwords) theft. Those same credentials are often used to access other accounts. In response to this, we are requiring a password reset and will be incorporating a regularly-scheduled, forced password reset into our normal operating procedures. Users will need to reset their passwords when logging into ShareFlle. We believe this is an important step to continue to help our customers use our solutions securely.

To reset your password, please click here.

For help about how to reset your password, please click here.

Most people who contacted me wanted to know if this was a phishing scam. My immediate response was “of course it is!” Everything about this message violates everything we teach about security:

  • The message arrived unsolicited;
  • The message is very generic;
  • The message contains links.

The only thing missing from the message is an urgent warning and a threat. In the land of notifications, Citrix certainly got it wrong.

To get it right, all that Citrix needed to do was to stop after the sentence that reads “Users will need to reset their passwords when logging into ShareFile.” This would force a person to go to the Citrix ShareFile site on their own to reset the password.

Citrix posted a blog about the password reset on their site, but it was a bit late.

As always, please do not click on links in unsolicited messages. Visit the site directly to update your information.

Bob Covello Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.

4 Replies to “It looked like a Citrix ShareFile phishing attack, but wasn’t”

  1. I use this service in my day to day job, its been a nightmare. I use their sync application which even with a password reset wont allow the application to log back in. Shambles indeed.

  2. It does look phishy but does it really matter. Either users think it's a phish and reset via the website anyway or they use the link and it works fine. No danger either way?

    Or is it a problem because it could condition users to expect and trust emails like this when really we should teach that all emails like this are phishes?

    1. Brad:
      Yes, all messages that exhibit the characteristics of the Citrix message must be treated as a Phish. For example, all of the credential theft scams operate using those same methods.
      Thanks.

  3. I received that email from ShareFile Support and I've never ever used, installed or even heard of Citrix ShareFile before. How would they have gotten my email address to send this message to when I'm not a registered user?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES