We have come across a very convincing message from a legitimate mail account using the WeTransfer platform to share a file that simply contains web code that will redirect the user to a hosted webpage on Google docs. The page on google docs was down by the time we came to look at it (we expect it had been reported already), but expect it contained a fake login page for an online cloud platform (Google, Apple or Office 365). The fact that the email came from a legitimate email user and received by a recipient that would exist in their mailbox suggest that this person’s account had been compromised and was being used to acquire more login credentials.
If you aren’t expecting documents from somebody via WeTransfer and something appears out of the blue, please always check with the sender first before opening it, especially if it involves a financial transaction. A quick call in advance can save a lot of bother down the line.