Cyber criminals are using the “Comments” feature of Google Docs to send malicious links in a phishing campaign targeted primarily at Outlook users, researchers have discovered.
Researchers observed “a new, massive wave of hackers leveraging the comment feature in Google Docs” in December. They had first reported in October that the Comments feature of Google Docs, Sheets and Slides could be abused to send spam emails, but so far Google has not responded to the issue.
So far, more than 500 inboxes across 30 tenants have been hit, from more than 100 different Gmail accounts. Attackers add a comment to a document that mentions the target with an “@”; Google then automatically emails a notification to that person’s inbox. Because the notification, sent by Google itself, contains the full comment text, the malicious links arrive in the email rather than in the document.
There are a number of reasons why it is hard for victims to recognise that the notification sent after being tagged in “Comments” is malicious. For one, the email shows only the commenter’s display name, not their email address, which lets bad actors impersonate legitimate entities. This also makes the message harder for anti-spam filters to judge, and even harder for the end user to recognise.
Researchers said: “For example, a hacker can create a free Gmail account, such as <firstname.lastname@example.org>. They can then create a Google Doc and send it to their intended target.”
The malicious intent of the Comments mention is difficult to detect because the end user has no way of telling whether the comment came from <email@example.com> or <firstname.lastname@example.org>. The email also contains the full comment, along with its links and text, so the victim never has to open the document: the payload is in the email itself.
Typical protections won’t flag the emails because the notification comes directly from Google, which “is on most ‘Allow Lists’ and is trusted by users.” The campaign looks to be a sign of an uptrend in attacks that exploit the Comments feature of Google’s collaboration apps for malicious intent.
In June 2021, researchers identified threat actors hosting phishing attacks from within Google Docs. These delivered malicious links aimed at stealing victims’ credentials, and at the time the researchers described it as a novel exploit of the app. In October, as noted above, they identified threat actors exploiting the Comments feature for the first time, followed by December’s flurry of attacks.
We recommend that users verify the commenter’s identity before clicking anything in a Google Docs comment notification. Because the email shows only a display name, check the commenter’s account from within the document itself (opened from Drive, not from the emailed link) rather than trusting the name in the email. It is also important to apply standard “cyber hygiene” when reviewing comments, including scrutinising links and checking grammar. Finally, if you are still unsure, contact the purported sender through a known channel and confirm that they meant to send it.
Administrators can guard against such attacks by deploying security protection that covers the entire suite, including file-sharing and collaboration apps, and that inspects notifications from those apps rather than implicitly trusting anything sent from Google’s domains.
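The following triage script, added here as an example and not code from the original article or from the researchers it cites, shows the administrator-side check the preceding paragraphs imply: a comment notification that genuinely comes from Google’s domain (and so passes allow-list checks) is judged by the links inside the comment body instead. The notification it parses is a constructed sample; the sender address, display name, body layout and the trusted-host list are assumptions and should be adjusted to real samples from your tenant.

```python
"""Triage a Google Docs comment notification for the pattern described above.

Added example, not code from the original article or from the researchers
it cites. The notification below is a constructed sample: the header names
are standard RFC 5322 headers, but the sender address, display name and
body layout are assumptions about how a Docs comment notification looks.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hosts on which a link inside a genuine Docs comment notification would be
# expected (assumption; extend for your tenant).
TRUSTED_LINK_HOSTS = {"docs.google.com", "drive.google.com"}

# Sender domain of Google's comment notifications (assumption).
GOOGLE_NOTIFICATION_DOMAIN = "docs.google.com"

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample. The recipient sees the display name "Accounts Payable"
# but never the commenter's own Gmail address, exactly as the article notes.
SAMPLE_EML = """\
From: "Accounts Payable (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Accounts Payable mentioned you in "Invoice Q4"
Content-Type: text/plain; charset=utf-8

Accounts Payable mentioned you in a comment:

@victim@example.com please review the updated invoice here:
https://docs-invoice-review.example.net/login

Open the document: https://docs.google.com/document/d/EXAMPLE/edit
"""


def parse_notification(raw):
    """Return display name, sender address and every link in the comment body."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg["From"]))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {"display_name": name, "sender": addr, "links": URL_RE.findall(body)}


def untrusted_links(links):
    """Links whose host is not one of the expected Google hosts.

    Exact host match, so a look-alike such as docs.google.com.example.net
    is not trusted.
    """
    return [u for u in links
            if (urlparse(u).hostname or "").lower() not in TRUSTED_LINK_HOSTS]


def triage(raw):
    """Flag a notification that comes from Google's domain but carries links
    off Google's own hosts. The allow-listed sender is what lets the message
    past filters, so the verdict has to come from the links instead."""
    info = parse_notification(raw)
    sender_domain = info["sender"].rpartition("@")[2].lower()
    info["from_google"] = sender_domain == GOOGLE_NOTIFICATION_DOMAIN
    info["untrusted_links"] = untrusted_links(info["links"])
    info["suspicious"] = bool(info["untrusted_links"])
    return info


if __name__ == "__main__":
    verdict = triage(SAMPLE_EML)
    print(f"from Google: {verdict['from_google']}, "
          f"display name: {verdict['display_name']!r}")
    for link in verdict["untrusted_links"]:
        print("untrusted link:", link)
    print("suspicious:", verdict["suspicious"])
```

On the sample, the message is accepted as coming from Google’s domain, yet the comment body points to a host outside the trusted set, so it is flagged; the genuine “Open the document” link to docs.google.com does not trigger the rule. In a real deployment the same logic would run on the mail gateway or on journaled mail, keyed on Google’s actual notification sender rather than the assumed address used here.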