In December 2021, a new phishing pattern emerged: threat actors abuse the Google Docs commenting feature to make Google itself send emails that look trustworthy. Because so many people who work or collaborate remotely use Google Docs, most recipients of these emails recognise the format and are used to acting on it.
Because Google is being "tricked" into sending these emails, the odds of their being flagged as potentially dangerous are essentially nil. The method has been exploited on a limited scale since October of last year, and while Google has moved to reduce the problem, it has not yet been closed. According to their report, threat researchers at Avanan are closely tracking this current campaign, which is gaining traction.
Attackers create a Google Document with their own Google account and then add a comment that @-mentions the target. The target then receives an email from Google saying that another user has commented on a document and mentioned them. The comment text is not checked or filtered, so it can carry malicious links that lead to malware-dropping web pages or phishing sites.
In addition, the threat actor's email address is not shown in the notification, leaving the recipient with only a display name to go on. This makes impersonation trivial and increases the attackers' chances of success.
The same approach works with Google Slides comments, and Avanan reports having seen actors use it across several Google Workspace features. To make matters worse, attackers do not even need to share the document with their targets, because simply mentioning them is enough to trigger the notification.
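A defensive triage check for this pattern, added here as an example that is not from the Avanan report or Google: it parses two constructed notification-style emails, flags any link in the comment text whose host is outside google.com, and flags a commenter display name that is not on a known-collaborator list (the sender address, body wording and names are assumptions modelled on Google's notifications).

```python
import email
import re
from urllib.parse import urlparse

# Constructed sample notifications for this example (not real mail). The sender
# address and body wording are assumptions modelled on Google's comment mails.
SAMPLE_BENIGN = """From: "Alex Rivera (Google Docs)" <comments-noreply@docs.google.com>
To: dana@example.com
Subject: Q3 plan - Alex Rivera mentioned you in a comment

Alex Rivera mentioned you in a comment on Q3 plan:
@dana@example.com can you review section 2?
Open: https://docs.google.com/document/d/PLACEHOLDER-DOC-ID/edit
"""

SAMPLE_PHISH = """From: "Payroll Team (Google Docs)" <comments-noreply@docs.google.com>
To: dana@example.com
Subject: Updated pay schedule - Payroll Team mentioned you in a comment

Payroll Team mentioned you in a comment on Updated pay schedule:
@dana@example.com your updated payslip is here: http://payroll-update.example.net/login
Open: https://docs.google.com/document/d/PLACEHOLDER-DOC-ID/edit
"""

KNOWN_COLLABORATORS = {"Alex Rivera"}  # constructed allowlist of display names
URL_RE = re.compile(r"https?://[^\s<>\"']+")
MENTION_RE = re.compile(r"^(?P<name>.+?) mentioned you in a comment", re.M)

def is_google_host(host: str) -> bool:
    host = host.lower()
    return host == "google.com" or host.endswith(".google.com")

def external_links(text: str) -> list[str]:
    # urlparse().hostname strips userinfo, so https://docs.google.com@evil.example/
    # is judged by its real host, not by the decoy prefix
    return [u for u in URL_RE.findall(text)
            if not is_google_host(urlparse(u).hostname or "")]

def triage(raw: str) -> dict:
    msg = email.message_from_string(raw)
    body = msg.get_payload()  # single-part text in the constructed samples
    m = MENTION_RE.search(body)
    name = m.group("name").strip() if m else None
    links = external_links(msg.get("Subject", "") + "\n" + body)
    return {
        "commenter_name": name,                 # only a display name is available
        "known_collaborator": name in KNOWN_COLLABORATORS,
        "external_links": links,
        "suspicious": bool(links) or name not in KNOWN_COLLABORATORS,
    }
```

The display name is the only identity signal the notification carries, so the allowlist check is a heuristic; the external-link check is the stronger signal.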