Google Docs comment feature abused in phishing campaign

Experts warn of a new phishing technique that abuses the commenting feature of Google Docs to send out emails that appear from a legitimate source.

Researchers from security firm Avanan in December uncovered a phishing campaign targeting mainly Outlook users with a new technique that abuses the commenting feature of Google Docs to send out malicious messages.

The attack chain is very simple, attackers create a Google Document using their Google account. Threat actors added a comment to a Google Doc that refers to the target with an ‘@’ to automatically send a message that comes from Google. The content of the comment includes the malicious links while the email address and the attackers’ name aren’t shown.

Google sends a notification email to the target’s inbox to notify it of the new comment on the document that mentioned them.

“In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators.” reads the analysis published by Avanan.

The emails are sent out from Google infrastructure, for this reason, security solutions do not label them as malicious.

The technique also with Google Slide and other components of the Google Workspace service.

In the phishing campaign tracked by the experts, threat actors leveraged Google Docs and other Google collaboration tools, to target over Outlook users across 30 tenants. The attackers used over 100 different Gmail accounts.

To avoid being victims of this phishing technique experts recommend:

Before clicking on Google Docs comments, encourage end-users to cross-reference the email address in the comment to ensure it’s legitimate
Remind end-users to utilize standard cyber hygiene, including scrutinizing links and inspecting grammar
If unsure, reach out to the legitimate sender and confirm they meant to send that document
Deploy protection that secures the entire suite, including file-sharing and collaboration apps

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.