Hackers exploit Google Docs comment feature in new phishing campaign
The technique is appealing to attackers because the malicious messages are delivered by Google itself
Attackers are abusing the comment feature in Google Docs to deliver malicious links to unsuspecting users, a new analysis by researchers at Check Point-owned Avanan has revealed.
In a detailed report published on Thursday, the researchers said they had noticed the new phishing campaign last month in which attackers primarily, though not exclusively, targeted Microsoft's email service Outlook.
The campaign hit over 500 inboxes across 30 tenants, with threat actors using over 100 different Gmail accounts.
Google Docs is an online word processor included as part of the web-based Google Docs Editors suite offered by Google, which also includes Google Sheets, Google Slides, Google Drawings and Google Forms.
Google Docs is used by millions of people today to write, edit, collaborate and archive their documents.
In the latest phishing campaign, Avanan researchers found that hackers used their Google account to create a Google Document and then added comments with malicious links using @ mentions.
Mentioning a user in a comment causes Google to automatically send a notification email to the target's inbox, telling them that another user has mentioned them in a document.
In these notification emails, the entire comment along with the malicious link and other text (if added by the attacker) is sent to the recipient.
While the notification message does not show the email address of the sender, it displays the attacker's name, making it easy for the attackers to impersonate someone at their organisation. They could use the name of a friend or colleague as the display name to increase the chances of the target clicking on the link.
The same technique works on Google Slide comments too, according to Avanan researchers, who saw attackers leveraging it on various elements of the Google Workspace service.
For attackers, this is an appealing phishing technique as their malicious messages are delivered by Google, which is trusted by users.
Avanan says it has notified Google about the flaw and that hackers are exploiting it in phishing campaigns.
To guard against such attacks, Avanan advises that users:
- avoid clicking on links that arrive through emails and are embedded in comments
- cross-reference the email address in the comment to ensure it is legitimate
- utilise standard cyber hygiene, including scrutinising links and inspecting grammar
- if unsure, contact the legitimate sender and confirm they meant to send that document
- use a reliable internet security solution that features phishing URL protection
- deploy additional security protection that secures the entire suite, including file-sharing and collaboration apps
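The attack described above turns the trusted sender into a liability: the notification really does come from Google, so sender-reputation and authentication checks pass, and the only attacker-controlled content is the commenter's display name and the comment text with its link. The following triage script is an added example, not code from Avanan, Check Point or Google. It parses constructed comment-notification emails, pulls every URL out of the comment body, flags links whose host is outside Google's editors and the organisation's own domain, and raises the severity when the commenter's display name matches someone in a (constructed) staff directory, since the notification itself cannot reveal which Google account wrote the comment. The notifier address, the "(Google Docs)" name suffix, the example.com organisation and the directory entries are assumptions for illustration and should be checked against notifications in your own tenant.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed address Google uses for comment notifications (placeholder: confirm
# against real notifications in your own tenant before relying on it).
NOTIFIER_ADDRESSES = {"comments-noreply@docs.google.com"}

# Hosts a link inside a comment may legitimately point at: Google's own
# editors plus the organisation's domain (example.com is a placeholder).
TRUSTED_LINK_HOSTS = {"docs.google.com", "drive.google.com", "example.com"}

# Constructed staff directory, keyed by lower-cased display name, used to spot
# a commenter whose name matches a colleague.
DIRECTORY = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+")


def parse_notification(raw):
    """Return (commenter display name, sending address, plain-text body)."""
    msg = message_from_string(raw, policy=policy.default)
    addresses = msg["From"].addresses if msg["From"] else ()
    display_name = addresses[0].display_name if addresses else ""
    from_addr = addresses[0].addr_spec.lower() if addresses else ""
    # Assumption: Google appends the product name to the commenter's name. The
    # name itself is whatever the commenting account chose, i.e. attacker-controlled.
    display_name = re.sub(r"\s*\(Google (Docs|Slides|Sheets)\)$", "", display_name)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    return display_name, from_addr, body


def is_trusted_host(host, trusted):
    """True if host is one of the trusted hosts or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(raw, trusted_hosts=TRUSTED_LINK_HOSTS, directory=DIRECTORY):
    """Classify one notification email and return findings plus a verdict."""
    name, from_addr, body = parse_notification(raw)
    google_notifier = from_addr in NOTIFIER_ADDRESSES
    links = URL_RE.findall(body)
    external = [
        u for u in links
        if not is_trusted_host((urlparse(u).hostname or "").lower(), trusted_hosts)
    ]
    name_in_directory = name.lower() in directory
    if not google_notifier:
        verdict = "not-a-comment-notification"
    elif external and name_in_directory:
        # Delivered by Google, link leaves the trusted hosts, and the name matches a
        # colleague: the mail cannot tell us which account commented, so confirm out
        # of band with that colleague before anyone clicks.
        verdict = "high"
    elif external:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "google_notifier": google_notifier,
        "commenter_name": name,
        "name_matches_directory": name_in_directory,
        "external_links": external,
        "verdict": verdict,
    }


# Constructed notification modelled on the campaign: Google's address in From,
# a colleague's name as the display name, and a comment whose link leaves Google.
PHISH = """\
From: "Jane Doe (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Jane Doe mentioned you in "Q1 Budget"
Content-Type: text/plain; charset="utf-8"

Jane Doe mentioned you in a comment in the following document

@victim@example.com please review the updated figures here:
https://cdn.example.net/login?doc=12345

Open
https://docs.google.com/document/d/abc123/edit
"""

# Constructed benign notification: same shape, only Google-hosted links.
BENIGN = """\
From: "Sam Lee (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Sam Lee mentioned you in "Roadmap"
Content-Type: text/plain; charset="utf-8"

@victim@example.com can you check section 3?

Open
https://docs.google.com/document/d/def456/edit
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(sample))
```

The verdict deliberately does not depend on the mention text, because the attacker writes it; the two signals that survive are where the link goes and whether the name is one a recipient would trust. A "high" result is a candidate for quarantining the notification and sending the recipient a prompt to confirm with the named colleague through a channel other than the document.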
This is not the first time that threat actors have tried to exploit users' trust in Google's popular productivity suite.
Last year, researchers observed attackers sending links to Google Docs files that contained a malicious download. Users who downloaded the file were tricked into entering their login credentials.