Hackers exploit Google Docs in new phishing campaign

Attackers are taking advantage of the comment feature in Google Docs to send people emails with malicious links, says Avanan.

phishing-via-internet-vector-illustration-fishing-by-email-spoofing-vector-id665837286.jpg

Image: GrafVishenka, Getty Images/iStockPhotos

One of the favorite tactics of cybercriminals is to exploit legitimate products for illegitimate purposes. And the more popular the product, the greater the chances of success. A new report released Thursday by email security provider Avanan looks at a new phishing campaign that abuses a popular feature in Google Docs to deploy malicious emails.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)  

To help people collaborate on the same documents, Google Docs offers a comment feature. When adding a comment to a document, you can include the email address of a person to whom you want to assign a related task. That action then triggers an email to the assigned person.

In this particularly devious campaign, the attackers add a comment to a Google document and then mention the target by typing the @ symbol followed by an email address. The full comment, however, includes a malicious link that will trigger a malware infection if activated through the sent email.

Discovered by Avanan in December 2021, the attacks have primarily hit Microsoft Outlook users but have also affected recipients on other email platforms. So far, more than 500 inboxes have been targeted across 30 different organizations with the hackers using more than 100 different Gmail accounts.

This type of phishing campaign can sneak past traditional security defenses and careful scrutiny for a few key reasons.

First, the email itself comes from a legitimate Google service, so it's likely to evade detection and be trusted by users at first glance.

Second, the email includes just the attacker's display name and not their email address, which means anti-spam filters may fail to catch it. And since the hacker can spoof the name of a trusted colleague or contact, the recipient might more easily fall for the scam.

Third, the victim doesn't even have to access the document as the malicious payload is contained solely in the email. The attacker need not even share the document, as simply mentioning the recipient's email address in the comment will do the trick.

Avanan said that it informed Google about this exploit on January 3 through the Report Phish Through Email button in Gmail. However, users still need to be on the lookout for this attack. To help people protect themselves from this scam, Avanan offers the following tips:

  1. Before you click on a Google Docs comment in an email, cross-reference the email address in the comment itself to make sure it's legitimate.
  2. Keep in mind the usual cyber hygiene habits, such as scrutinizing links and scanning for grammatical errors.
  3. If you're wary of a particular Google Docs comment email, contact the actual sender to see if they sent you the comment.
  4. Make sure you and your organization use strong security protection, particularly across file sharing and collaboration services.

Also see