In December 2021, a new trend in phishing attempts developed, with criminal actors leveraging Google Docs’ commenting capability to send emails that appeared trustworthy.
Because Google Docs is used by many employees who work or collaborate remotely, most people who receive these emails are already familiar with the notifications and are inclined to trust them.
Because Google itself is “tricked” into sending these emails, the chance of email security tools flagging them as potentially dangerous is almost negligible.
The tactic has actually been under limited exploitation since October of last year, and while Google has attempted to mitigate the issue, it has yet to be fully closed.
This current campaign is gaining traction and is being closely tracked by Avanan threat experts, who shared their findings with Bleeping Computer before they were published.
How does the attack work?
Hackers create a Google document with their Google account, then comment on it with a @ to name the target.
Google then sends an email to the target’s mailbox alerting them that another user has commented on a document and mentioned them.
The comment in the email can contain malicious links that lead to malware-dropping web pages or phishing sites, so there is plainly no verification or filtering of comment content in place.
Second, the threat actor’s email address is not shown in the notification; the recipient sees only a display name. This makes impersonating a trusted contact relatively easy while also increasing the actors’ chances of success.
The same technique works on Google Slide comments, and Avanan claims to have seen actors use it on numerous aspects of the Google Workspace service.
To make matters worse, attackers do not need to share the document with their targets, because simply mentioning them is sufficient to send the malicious notification.
Nature of the attacks and countermeasures
According to Avanan, the threat actors behind these attacks appear to favor Outlook users, but they are not the only ones targeted.
This continuing spear-phishing attack, which employs over 100 Google accounts, has now hit 500 inboxes in 30 firms.
The best way to reduce the risk of this and similar campaigns is to:
- Confirm that the sender’s email address matches your colleague’s (or the claimed person’s).
- Avoid clicking on links embedded in comments that arrive via email.
- On Google Workspace, implement extra security measures that enforce stricter file-sharing rules.
- Use a reliable vendor’s internet security solution that protects against phishing URLs.
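As an added example (not from the article or from Avanan), the following Python triage check applies the first two recommendations to a constructed sample of a Google Docs comment notification: it confirms the message really came from Google’s notification address, notes that the commenter is identified by display name only, matches that name against a hypothetical colleague directory, and flags any link in the comment that does not point at Google’s own hosts. The sample email, the directory, and the trusted-host list are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture) of a Google Docs comment notification.
# Google sends it, so sender authentication passes; the commenter's own address
# is absent and only a display name is shown, as the article describes.
SAMPLE_NOTIFICATION = """From: "Alice Example (Google Docs)" <comments-noreply@docs.google.com>
To: bob@example.com
Subject: Alice Example mentioned you in "Q4 Budget"

Alice Example mentioned you in a comment in the following document:
@bob@example.com please review the updated figures here:
https://evil.example.net/invoice-login
Open: https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit
"""

# Hypothetical directory of colleagues' display names -> trusted addresses.
KNOWN_COLLEAGUES = {"Alice Example": "alice@example.com"}
TRUSTED_HOSTS = ("docs.google.com", "drive.google.com")  # assumed allow-list
URL_RE = re.compile(r"https?://([^/\s]+)[^\s]*")


def is_trusted_host(host: str) -> bool:
    """Exact or subdomain match; avoids 'evildocs.google.com' slipping through."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def triage_comment_notification(raw: str, known=KNOWN_COLLEAGUES) -> dict:
    """Return risk findings for one comment-notification email."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg["From"])
    commenter = display_name.replace(" (Google Docs)", "").strip()
    body = msg.get_payload()
    external_links = [m.group(0) for m in URL_RE.finditer(body)
                      if not is_trusted_host(m.group(1))]
    return {
        "from_google": sender.lower().endswith("@docs.google.com"),
        "commenter_name": commenter,
        # The display name is all the recipient gets; it can be checked against
        # the directory, but the commenter's real address cannot be confirmed.
        "name_matches_colleague": commenter in known,
        "external_links": external_links,
        "suspicious": bool(external_links) or commenter not in known,
    }
```

A matching display name is not proof of identity here, so the check treats any off-Google link as the deciding signal.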