Google Docs comment feature abused in phishing campaign

Experts warn of a new phishing technique that abuses the commenting feature of Google Docs to send out emails that appear from a legitimate source.

Researchers from security firm Avanan in December uncovered a phishing campaign targeting mainly Outlook users with a new technique that abuses the commenting feature of Google Docs to send out malicious messages.

The attack chain is very simple, attackers create a Google Document using their Google account. Threat actors added a comment to a Google Doc that refers to the target with an ‘@’ to automatically send a message that comes from Google. The content of the comment includes the malicious links while the email address and the attackers’ name aren’t shown. 

Google sends a notification email to the target’s inbox to notify it of the new comment on the document that mentioned them.

“In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators.” reads the analysis published by Avanan.

The emails are sent out from Google infrastructure, for this reason, security solutions do not label them as malicious.

The technique also with Google Slide and other components of the Google Workspace service.

In the phishing campaign tracked by the experts, threat actors leveraged Google Docs and other Google collaboration tools, to target over Outlook users across 30 tenants. The attackers used over 100 different Gmail accounts. 

To avoid being victims of this phishing technique experts recommend:

• Before clicking on Google Docs comments, encourage end-users to cross-reference the email address in the comment to ensure it’s legitimate
• Remind end-users to utilize standard cyber hygiene, including scrutinizing links and inspecting grammar
• If unsure, reach out to the legitimate sender and confirm they meant to send that document
• Deploy protection that secures the entire suite, including file-sharing and collaboration apps

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]