
Researchers from security firm Avanan uncovered in December 2020 a phishing campaign that uses a new technique: it abuses the commenting feature of Google Docs to send out malicious emails. Google Docs is used by many people working or collaborating remotely, so most recipients of these emails are familiar with these Google notifications.
Hackers use their own Google account to create a Google Document and then add a comment to it that mentions the target with an @. Google then sends an email notification to the target's inbox, informing them that another user has commented on a document and mentioned them. The comment text is reproduced in the notification, so it can carry malicious links that lead to a malware or phishing website. These phishing emails bypass email security checkpoints because they genuinely come from a trusted sender, Google. To make matters worse, the hackers' email address is not shown in the notification; the recipient sees only a display name. This makes impersonation very easy and raises the hackers' chances of success.
The researchers reported the same outcome when attempting to exploit Google Slides, Google Suite’s presentation app.
What users can do:
- Avoid clicking on links that arrive via email and are embedded in comments
- Confirm that the sender's email address matches that of the colleague (or other person) the comment claims to be from
- If unsure, reach out to the sender through another channel and confirm they meant to share that document
- Deploy additional security measures that apply stricter file sharing rules on Google Suite
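The first two recommendations can be turned into a mail-filtering check. The script below is an added example and not from the article or from Avanan: it parses a Google Docs comment notification, records that the only sender identity visible is a display name, extracts every link from the comment body, and flags links whose host is outside Google's own domains. The sample message is constructed for the example, and the notifier address `comments-noreply@docs.google.com` and the trusted-domain list are assumptions to be adjusted for your environment.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed address Google uses for comment notifications (adjust if needed).
GOOGLE_COMMENT_NOTIFIER = "comments-noreply@docs.google.com"

# Hosts that a genuine notification is expected to link to (assumption).
TRUSTED_DOMAINS = {"google.com", "googleusercontent.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message mirroring the structure of a "mentioned you in a
# comment" notification; the phishing host is a placeholder, not a real IoC.
SAMPLE_EML = """From: "Jane Colleague (Google Docs)" <comments-noreply@docs.google.com>
To: target@example.com
Subject: Jane Colleague mentioned you in Q4 Budget
Content-Type: text/plain; charset="utf-8"

Jane Colleague mentioned you in a comment in the following document

@target@example.com please review the updated figures here:
http://budget-review.example-phish.test/login

Open: https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/edit
"""


def extract_urls(text: str) -> list:
    """Return every http(s) URL found in the text, in order of appearance."""
    return URL_RE.findall(text)


def domain_is_trusted(url: str) -> bool:
    """True if the URL's host is one of the trusted domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_notification(raw: str) -> dict:
    """Classify one raw RFC 822 message.

    Verdict is "review" when the mail really comes from the Google notifier
    (so it will pass sender checks) yet the comment links somewhere outside
    Google, which is exactly the pattern the article describes.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    addresses = from_hdr.addresses if from_hdr else ()
    sender_addr = addresses[0].addr_spec.lower() if addresses else ""
    # The display name is chosen by whoever owns the commenting account;
    # the commenter's own address never appears, so it proves nothing.
    display_name = addresses[0].display_name if addresses else ""

    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain",))
        body = part.get_content() if part else ""
    else:
        body = msg.get_content()

    urls = extract_urls(body)
    untrusted = [u for u in urls if not domain_is_trusted(u)]
    from_notifier = sender_addr == GOOGLE_COMMENT_NOTIFIER
    return {
        "from_google_notifier": from_notifier,
        "display_name": display_name,
        "urls": urls,
        "untrusted_urls": untrusted,
        "verdict": "review" if (from_notifier and untrusted) else "ok",
    }


if __name__ == "__main__":
    result = assess_notification(SAMPLE_EML)
    print(f"sender is Google notifier: {result['from_google_notifier']}")
    print(f"display name shown to user: {result['display_name']!r}")
    for u in result["untrusted_urls"]:
        print(f"untrusted link in comment: {u}")
    print(f"verdict: {result['verdict']}")
```

The check deliberately does not reject the mail for coming from Google; the sender is legitimate, so the signal has to come from the comment content. Running it on the sample returns a `review` verdict with the one non-Google link listed, while a notification whose comment links only to `docs.google.com` comes back `ok`.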