Office of Information Technology
May 5, 2023
Tags: Phishing Email (on campus)

Shared Doc emails redirected to fake Google sites

Phish Bowl Alerts

Rhode Island's OSHEAN group is warning of "a malicious email attack that has been seen statewide and may be difficult to detect" that attempts to collect employee credentials. Examples of this have already been reported at Brown, though coming from other organizations (see the 5/4 post Phishing from RI Health Sites).

According to OSHEAN:
The messages may come from previously compromised employee accounts, making them harder to spot and more likely to be trusted. The message inside simply states that a document has been shared by an employee in the targeted organization. A link is included that leads to a very basic Google site, with the address format of "https[:]//sites.google.com/view/<customtext>/home." The "customtext" could be a variant of the target org's name OR generic text about opening a document. When the "Review" button is selected, a Google Site is displayed with a link to view/download documents.

The button takes users, possibly through a series of redirects, to a fake login page in an attempt to steal the employee's credentials. Note that the text uses a name as the source of the sharing, which varies and may be taken from the rosters of targeted organizations to further enhance authenticity. Users should not enter credentials on these sites - doing so could lead to account compromise. As with any suspicious messages, users should be advised to call senders directly for verification prior to trying to open any links or attachments. There is no evidence that malicious files are being downloaded as a result of visiting these sites, but of course extreme caution should be taken with any compromised clients and/or user accounts.

If you receive one of these emails, alert us by forwarding it to phishbowl@brown.edu, then mark it as phishing (open the message in a browser, click on the stack of three dots to the right of the REPLY button and select "Report phishing").
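
For mail administrators triaging reported messages, the address format OSHEAN describes can be checked mechanically. The following is an added example, not code from OSHEAN or Brown: the function names, the `GENERIC` word list, the org term and the sample message are all assumptions constructed for illustration. Legitimate published Google Sites use the same address format, so a match is a prompt for review, not a verdict.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?(?:\[:\]|:)//[^\s\"'<>()]+", re.I)
GENERIC = ("doc", "file", "shared", "review", "open")  # assumed lure words

def custom_text(url):
    """Return <customtext> for sites.google.com/view/<customtext>/home, else None."""
    # Refang defanged links and trim sentence punctuation glued to the URL.
    url = url.replace("[:]", ":").replace("[.]", ".").rstrip(".,;")
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    # Exact host match: look-alike hosts and user@host tricks must not pass.
    if (parts.hostname or "").lower() != "sites.google.com":
        return None
    segs = [s for s in parts.path.split("/") if s]
    ok = len(segs) == 3 and segs[0] == "view" and segs[2] == "home"
    return segs[1] if ok else None

def triage(raw_message, org_terms):
    """Return [(url, customtext, reason)] for matching links in all text parts."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(body):
            custom = custom_text(url)
            if custom is None:
                continue
            flat = re.sub(r"[^a-z0-9]", "", custom.lower())
            reason = "format match only"
            if any(t in flat for t in org_terms):
                reason = "org-name variant"
            elif any(g in flat for g in GENERIC):
                reason = "generic document text"
            findings.append((url, custom, reason))
    return findings

# Constructed sample message (not a real capture).
SAMPLE = """From: colleague@partner.example
Subject: Document shared with you

Jane Doe shared a document. Review: https[:]//sites.google.com/view/example-org-files/home.
Unrelated: https://sites.google.com.login.example/view/x/home
"""
print(triage(SAMPLE, org_terms=["exampleorg"]))
```

Pass `org_terms` as lowercase, punctuation-free variants of your own organization's name so that hyphenated or spaced forms in the address still match.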