A wave of phishing attacks identified in December targeting mainly Outlook users are difficult for both email scanners and victims to flag, researchers said.

Attackers are using the “Comments” feature of Google Docs to send malicious links in a phishing campaign targeted primarily at Outlook users, researchers have discovered.

Researchers from email collaboration and security firm Avanan, a CheckPoint company, first observed “a new, massive wave of hackers leveraging the comment feature in Google Docs” in December, Avanan Cybersecurity Researcher/Analyst Jeremy Fuchs wrote in a report published Thursday.

Avanan first identified that the Comments feature of Google Docs, Sheets and Slides could be exploited to send spam emails in October, but so far Google has not responded to the issue, Fuchs wrote.

Infosec Insiders Newsletter

“This known vulnerability has not been fully closed or mitigated by Google since then,” he wrote in the report.

So far, attackers have hit more than 500 inboxes across 30 tenants from more than 100 different Gmail accounts by exploiting the feature of Google’s cloud-based word processing app, according to the report.

Attackers target users of Google Docs by adding a comment to a document that mentions the targeted user with an “@,” which automatically sends an email to that person’s inbox. That email, which comes from Google, includes text as well as the malicious links, Fuchs said.

An example using the same method to exploit Google Slides, the suite’s presentation app, is included in the report.

Evading Detections

There are a number of reasons it’s hard for victims to recognize that the email sent to them after being tagged in Comments is malicious, Fuchs noted. For one, the email address of the sender isn’t shown – just the name of the attacker – which allows bad actors to impersonate legitimate entities to target victims, Fuchs observed.

It also “makes it harder for anti-spam filters to judge, and even harder for the end-user to recognize,” he wrote.

“For example, a hacker can create a free Gmail account, such as ,” Fuchs explained. “They can then create a Google Doc and send it to their intended target.”

The malicious intent of the Comments mention is difficult to detect because the end user will have no idea whether the comment came from or , he noted.

“It will just say ‘Bad Actor’ mentioned you in a comment in the following document,” Fuchs wrote. “If Bad Actor is a colleague, it will appear trusted.”

The email also contains the full comment, along with links and text, which means the victim never has to go to the document, as the payload is in the email itself.

“Finally, the attacker doesn’t even have to share the document – just mentioning the person in the comment is enough,” Fuchs wrote.

Typical protections won’t flag the emails because the notification comes directly from Google, which “is on most ‘Allow Lists’ and is trusted by users,” Fuchs wrote. Indeed, he said Advanced Threat Protection missed the attack vector in its scan.

Google Docs as Attack Surface

The campaign appears to signify a ramp up in attacks to exploit the Comments feature of Google’s collaboration apps for malicious intent – attacks that likely will continue if left unchecked, researchers said.

June was the first time Avanan researchers identified threat actors hosting phishing attacks from within Google Docs, delivering malicious links aimed at stealing victims’ credentials. At the time, they identified it as a novel exploit of the app.

Then, in October, as previously mentioned, researchers identified threat actors exploiting the Comments feature for the first time, followed by December’s flurry of attacks, which were reported to Google on Jan. 3 “using the resulting phishing via email through Google’s built-in tools,” Fuchs wrote.

Avanan recommends that users cross-reference the email address in the comment to ensure it’s legitimate before clicking on a Google Docs comment. They also recommend standard “cyber hygiene” when reviewing comments, including scrutinizing links and inspecting grammar, according to the report.

“If unsure, reach out to the legitimate sender and confirm they meant to send that,” Fuchs advised.

Security professionals can guard against the attacks by deploying security protection that secures the entire suite, including file-sharing and collaboration apps, he added.

Password Reset: On-Demand Event: Fortify 2022 with a password security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & Stream this FREE session today – sponsored by Specops Software.