Google Docs Commenting Feature Used For Spear Phishing Attacks

A new spear phishing attack vector emerged in December 2021, which saw hackers abusing the commenting feature of Google Docs to send emails that appear trustworthy.

Google Docs is widely used by employees collaborating or working remotely, so recipients of these emails are familiar with such notifications.

Because Google’s own security systems are being tricked into sending the emails, it is very unlikely that email security will flag the incoming Google emails.

It is believed the spear phishing attacks have been ongoing since at least October of last year. Google has taken steps to mitigate the issue, but it is not fully covered yet.

The spear phishing campaign has become more popular in recent weeks amongst hackers, and is being monitored by threat analysts at Avanan, who have shared their report with other researchers.

According to Avanan, hackers use their Google account to create a Google Document and then comment on it, mentioning the target with an @.

Google then sends a notification email to the target’s inbox, informing them that another user has commented on a document and mentioned them.

The comment in the email can carry malicious links that lead to malware-dropping web pages or phishing sites, so there are clearly no checking/filtering mechanisms in place.

Secondly, the threat actor’s email isn’t shown in the notification, and the recipient only sees a name. This makes impersonation very easy, and simultaneously raises the chances of success for the actors.

The same technique works on Google Slides comments too, and Avanan reports having seen actors leveraging it on various elements of the Google Workspace service.

To make things worse, attackers don’t have to share the document with their targets since mentioning them is enough to send malicious notifications.

According to Avanan, the threat actors behind these attacks appear to favor Outlook users, but the target demographic is not limited to them.

This ongoing spear-phishing campaign uses over 100 Google accounts and has already hit 500 inboxes across 30 organizations.

The only way to mitigate the risk of this and similar campaigns is to:

  • Confirm that the sender email matches your colleague’s (or the claimed person’s)
  • Avoid clicking on links that arrive via email and are embedded in comments
  • Deploy additional security measures that apply stricter file-sharing rules on Google Workspace
  • Use an internet security solution from a trustworthy vendor that features phishing URL protection
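The first two checks in the list above can be partly automated during mail triage. The following Python code is an added example, not taken from Avanan's report or from Google: it flags comment notifications whose commenter is identified by name only and whose comment text links outside Google. The notifier address, the "(Google Docs)" display-name suffix, the allowed host list and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the address Google Docs comment notifications are sent from.
NOTIFIER = "comments-noreply@docs.google.com"
# Assumption: hosts expected in a genuine notification (the document link itself).
GOOGLE_HOSTS = ("google.com",)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample message, not a captured one.
SAMPLE = """\
From: "Dana Reyes (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.org
Subject: Dana Reyes mentioned you in a comment
Content-Type: text/plain; charset=utf-8

Dana Reyes mentioned you in a comment on "Q4 bonus".
@victim@example.org please review: https://payroll-portal.example.net/login
Open: https://docs.google.com/document/d/PLACEHOLDER/edit
"""

def host_allowed(host, allowed):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

def triage(raw, known_names):
    """Return findings for a Google Docs comment notification, or [] if not one."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    if addr.lower() != NOTIFIER:
        return []
    # Only a display name is present, so a colleague's name proves nothing by itself.
    name = re.sub(r"\s*\(Google [^)]*\)\s*$", "", display).strip()
    known = name.lower() in {n.lower() for n in known_names}
    findings = [("name_only_identity" if known else "unknown_commenter", name)]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if not host_allowed(host, GOOGLE_HOSTS):
            findings.append(("external_link", host))
    return findings
```

A `name_only_identity` finding means the commenter's name matches a colleague but no address is available to confirm it, so the message should be verified out of band before any link is followed.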

Protection Against Spear Phishing

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
