Google Docs has become an attack vector for malicious hackers. Avanan, a Check Point company, observed a new, massive wave of hackers leveraging the comment feature in Google Docs, targeting primarily Outlook users.

If you have received an email from Google notifying that someone has mentioned you in a Google Docs comment, be very careful. Attackers exploit the comment section to deliver malicious phishing links to end-users.

Last October it was reported that attackers could easily send malicious links through comments in Google apps such as Docs and Slides. Google has not fully mitigated this known vulnerability since then.

Starting in December 2021, Avanan observed a new, massive wave of attackers exploiting the comment feature in Google Docs.

“In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators,” Avanan said in a recent report.

The company identified the targets as primarily Outlook users, though not exclusively. The attack hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts.

The email gets through security scanners to the victim’s inbox easily for two reasons. First, it comes directly from Google, which is on most allow lists and is trusted by users. Second, it doesn’t contain the attacker’s email address, only the display name. That makes it harder for anti-spam filters to identify, and even harder for the end user to recognize.

“For example, a hacker can create a free Gmail account, such as . They can then create a Google Doc and send it to their intended target. For this example, let’s say the intended target has a work address of . The end-user will have no idea whether the comment came from or . It will just say “Bad Actor” mentioned you in a comment in the following document. If Bad Actor is a colleague, it will appear trusted,” Avanan detailed.

Furthermore, the email contains the full comment, along with links and text. The victim never has to go to the document, as the payload is in the email itself. Finally, the attacker doesn’t even have to share the document – just mentioning the person in the comment is enough.
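A mail-filter check for the notification pattern described above, added here as an example (it is not Avanan’s or Google’s code). The sample message is constructed; the `comments-noreply@docs.google.com` sender address and the trusted-host list are assumptions to tune per tenant.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hosts a genuine Docs comment notification may link to (assumption: tune per tenant).
TRUSTED_LINK_HOSTS = {"docs.google.com", "drive.google.com", "accounts.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def make_sample_notification(link: str) -> str:
    """Constructed sample shaped like the notifications the article describes:
    Google's own sender address (assumed), only the commenter's display name,
    and the full comment text with its link in the body."""
    return (
        'From: "Bad Actor (Google Docs)" <comments-noreply@docs.google.com>\n'
        "To: target@example.com\n"
        'Subject: Bad Actor mentioned you in a comment in "Q4 Budget"\n'
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "Bad Actor mentioned you in a comment:\n"
        f"@target@example.com please review the updated figures here: {link}\n"
    )


def analyse_comment_notification(raw: str) -> dict:
    """Classify one raw RFC 822 message. Because the mail is sent by Google and
    the commenter's real address is absent, the only reliable signal in the
    message itself is a link that points outside Google's own hosts."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, sender_addr = email.utils.parseaddr(str(msg["From"]))
    subject = str(msg["Subject"] or "")
    is_notification = (
        sender_addr.lower().endswith("@docs.google.com")
        and "mentioned you in a comment" in subject.lower()
    )
    body = msg.get_content() if not msg.is_multipart() else ""
    links = URL_RE.findall(body)
    external = [u for u in links if urlparse(u).hostname not in TRUSTED_LINK_HOSTS]
    return {
        "is_docs_comment_notification": is_notification,
        "display_name": display_name,  # all the recipient sees; cannot be verified
        "external_links": external,
        "verdict": "quarantine" if (is_notification and external) else "allow",
    }


if __name__ == "__main__":
    for url in ("https://docs.google.com/document/d/abc123/edit", "http://evil.example.net/login"):
        print(analyse_comment_notification(make_sample_notification(url)))
```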

Avanan notified Google of this flaw on January 3rd, by reporting the resulting phishing via email through Google’s built-in tools.
