Avanan researchers discovered that threat actors are increasingly abusing the productivity feature of Google Docs to spread malicious links. This time, attackers are weaponizing the comment feature in Google Docs, as well as Google Slides and Google Sheets.

Diving into details

The attacks commenced in December 2021, wherein a huge wave of attackers started leveraging the comment feature. The attacks were mostly aimed at Outlook users. The attack starts with the hacker adding a comment to a Google Doc, which mentions the target with an @. This ensures that the email, including the bad links and texts in the entire comment, is sent directly to the target’s inbox. Moreover, the email doesn’t display the attacker’s email address, only their name. The hackers used 100 unique Gmail accounts to target 500 inboxes across 30 tenants.

Why this matters

  • The email feature in Google Docs makes it challenging for scanners to stop the attack as the emails are from Google. 
  • Anti-spam filters are not of much use as the email doesn’t contain the attacker’s email address. 
  • Furthermore, since the email displays the entire comment, the victim never has to open the document. The payload is present in the email. 
  • The attacker does not even have to share the document; all they need to do is mention the target in the comment. 

Google Docs as attack vector

Researchers have stated that, if unchecked, these attacks will continue.
  • Avanan researchers detected hackers leveraging Google Docs for malicious intents, for the first time, in June 2021. The attackers aimed to collect credentials.
  • Later the same year in October, threat actors were found abusing the comment feature for the first time, followed by mass attacks in December.

The bottom line

It is recommended that users validate the email addresses in any comment to make sure that it’s legit before clicking on a comment. Moreover, practicing basic cyber hygiene is a must. Last but not least, be cautious about clicking on suspicious links.

Cyware Publisher