Google Docs has become an attack vector for malicious hackers. Avanan, a Check Point company, observed a new, massive wave of hackers leveraging the comment feature in Google Docs, targeting primarily Outlook users.
If you have received an email from Google notifying that someone has mentioned you in a Google Docs comment, be very careful. Attackers exploit the comment section to deliver malicious phishing links to end-users.
Last October, it was reported that hackers could easily send malicious links through comments in Google apps like Docs and Slides. This known vulnerability has not been fully mitigated by Google since then.
Starting in December 2021, Avanan observed a new, massive wave of attackers exploiting the comment feature in Google Docs.
“In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators,” Avanan said in a recent report.
The company identified the targets as primarily Outlook users, though not exclusively. The attack hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts.
The email easily gets through the scanners to the victim’s inbox as it comes directly from Google, which is on most Allow Lists and is trusted by users. Secondly, the email doesn’t contain the attacker’s email address, just the display name. This makes it harder for anti-spam filters to identify, and even harder for the end-user to recognize.
“For example, a hacker can create a free Gmail account, such as
Furthermore, the email contains the full comment, along with links and text. The victim never has to go to the document, as the payload is in the email itself. Finally, the attacker doesn’t even have to share the document – just mentioning the person in the comment is enough.
Avanan notified Google of this flaw on January 3rd, by reporting the resulting phishing via email through Google’s built-in tools.
More from CyberNews:
Subscribe to our newsletter