International security researchers have just observed a growing trend related to a new phishing attack related to the Google Docs platform, which started appearing around the end of December 2021. There, attackers attempted to abuse the Google Docs document comments feature to distribute phishing links that were designed to be extremely sophisticated and look trustworthy.
Get Google Docs
Google Docs is now increasingly used around the world, especially for those who often work or collaborate remotely thanks to its flexible backup, sync, and online collaboration capabilities. In which, commenting is an important online interaction feature with people who are collaborating on a document. Therefore, it is not difficult for hackers to take advantage of it to perform malicious acts.
Since Google itself is being “fooled” by these malicious emails, the chances of email security tools tagging the potential threat are practically zero. This trick has in fact been in limited use by hackers since October last year. And while Google is working to mitigate the problem, the flaw has not really been fully fixed yet.
The hacker will use his Google account to create a public Google Docs document, then leave a comment mentioning the target with an @ sign.
Next, Google will send an email notification to the respective inbox of the target mentioned by the hacker in the comment. This email notifies the victim that a user has mentioned them in a Google Docs document, and can access the link attached in the email to read the comment. The common psychology of most users will be to click access to see the content they are mentioned.
Comments on emails may include links to malware, or elaborately designed phishing websites. Obviously there isn’t any Google filtering/checking mechanism that can be applied in this case.
In addition, the malicious actor’s email is not displayed in the message, and the recipient only sees the name. This makes impersonation very easy and increases the hacker’s chances of success.
Worse, attackers don’t need to share documents with their targets, as simply mentioning the victim is enough to send malicious messages.
The same technique works on comments in Google Slides, and even in the Google Workspace service.
According to security experts, the only way to reduce the risk of this type of attack, as well as similar campaigns, is to adhere to the following security notes:
- Confirm that the sender’s email matches someone you already know (or have verified).
- Avoid clicking on links that come via email and are embedded in comments.
- Implement additional security measures that apply stricter file sharing rules across Google Workspace.
- Use an internet security solution from a trusted provider that features phishing URL protection.