Google Docs commenting feature exploited for spear-phishing



A new trend in phishing attacks emerged in December 2021, with threat actors abusing the commenting feature of Google Docs to send out emails that appear trustworthy.

Google Docs is used by many employees working or collaborating remotely, so most recipients of these emails are familiar with these notifications.

Since Google itself is being “tricked” into sending out these emails, the chances of email security tools tagging them as potentially risky are practically zero.

The trick has actually been under limited exploitation since October last year, and while Google has attempted to mitigate the issue, they haven’t fully closed the vulnerability yet.

This recent campaign has grown sharply in scale and is being actively monitored by threat analysts at Avanan, who shared their report with Bleeping Computer prior to publication.

How the attack works

Hackers use their Google account to create a Google Document and then add a comment that mentions the target with an @.

Google then sends a notification email to the target’s inbox, informing them that another user has commented on a document and mentioned them.

Risky email generated and sent by Google
Source: Avanan

The comment carried in the email can contain malicious links that lead to web pages that drop malware or to phishing sites, which shows that no checking or filtering of comment content is in place.

Secondly, the threat actor's email address isn't shown in the notification; the recipient only sees a display name. This makes impersonation very easy and raises the attackers' chances of success.

Leveraging the same technique on Google Slides
Source: Avanan

The same technique works on Google Slides comments too, and Avanan reports having seen actors leveraging it on various elements of the Google Workspace service.

To make things worse, attackers don’t have to share the document with their targets since mentioning them is enough to send malicious notifications.

Attacks in the wild and protection measures

According to Avanan, the threat actors behind these attacks appear to favor Outlook users, but the target demographic is not limited to them.

This ongoing spear-phishing campaign uses over 100 Google accounts and has already hit 500 inboxes across 30 organizations.

The only way to mitigate the risk of this and similar campaigns is to:

  • Confirm that the sender's email address matches that of the colleague (or other person) the message claims to be from
  • Avoid clicking on links that arrive via email and are embedded in comments
  • Deploy additional security measures that apply stricter file-sharing rules on Google Workspace
  • Use an internet security solution from a trustworthy vendor that features phishing URL protection
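As an added example (not from the article or from Avanan), the following Python triage parses a constructed Google Docs mention-notification email and flags any link in the comment body that points outside Google's own domains, which automates the second and third measures above. The sender address `comments-noreply@docs.google.com`, the trusted-domain list and the sample message are assumptions to adjust for your own tenant.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Domains a genuine comment notification may legitimately link to.
# Assumption for this example; tune to your Workspace tenant.
TRUSTED_DOMAINS = {"docs.google.com", "drive.google.com", "google.com"}

# Sender address Google uses for comment notifications (assumed here).
NOTIFY_SENDER = "comments-noreply@docs.google.com"

# Constructed sample: a mention notification whose comment body carries an
# off-domain link. The shape is illustrative, not a captured message.
SAMPLE_EML = """\
From: "Jane Doe (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Jane Doe mentioned you in a comment
Content-Type: text/plain; charset="utf-8"

Jane Doe mentioned you in "Q4 invoice"

@victim@example.com please review the updated invoice here:
https://invoice-portal.example.net/login
Open: https://docs.google.com/document/d/PLACEHOLDER-DOC-ID/edit
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_comment_notification(raw_message: str) -> bool:
    """True when the message claims to be a Google comment notification."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return NOTIFY_SENDER in str(msg["From"] or "").lower()


def untrusted_links(raw_message: str) -> list:
    """Return every URL in the body whose host is not a trusted domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    flagged = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        # Accept a trusted domain and its subdomains only; flag everything else.
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            flagged.append(url)
    return flagged


def triage(raw_message: str) -> str:
    """Decide what to do with an inbound message: deliver, quarantine or skip."""
    if not is_comment_notification(raw_message):
        return "not-a-comment-notification"
    return "quarantine" if untrusted_links(raw_message) else "deliver"
```

The verdict for the sample is "quarantine" because the comment links to a host outside the trusted set even though the mail genuinely comes from Google's notification sender.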
