Researchers warn of spear-phishing exploit in Google Docs

News
By published

Hackers have found a way to use Google's comment function to dupe victims into clicking on malicious links

Google apps, including Gmail, Google Drive, and YouTube, displayed on a smartphone

Threat actors have found an exploit in a Google Docs comment feature that uses Google's own automated email notification function to send malicious links.

Email security specialists Avanan said it had notified Google of the flaw on 3 January after noticing a spike in usage over December 2021.

What is phishing? Justice Department seizes domains used in USAID spear-phishing attacks Microsoft webmail targeted by spear phishing attacks

The attack involves hackers using their own Google accounts to create a Google Doc, to which they simply invite a target using the comments section with the '@' function. This automatically sends a notification email to the intended target's inbox, informing them that another user has commented on a document and mentioned them. The email is from Google, and so it is difficult to tell whether the message is malicious.

However, the comment on the email can be loaded with a malicious link for phishing sites or malware, and there appears to be no filtering mechanisms in place, according to Avanan. What's more, the hackers email address isn't shown in the notification; the recipient will only see a name, making it very easy to impersonate a victim's colleagues or friends.

The exploit is very simple to execute and has been available since the Autumn of 2020. Google has attempted to mitigate the problem but are yet to fully close it off, partly due to the fact it requires its own email service to work.

An example of the spear phishing exploit on Google Docs

Attackers also aren't required to share the document with their targets, as simply messaging them is enough to trigger the email alert. Avanan suggests that the same techniques work on Google Slides and other collaboration tools within the Google's Workspace suite.

Outlook users appear to be the favoured targets, according to Avanan, but it's believed the exploit has used over 100 Google accounts and has already attacked 500 inboxes across 30 different organisations.

To protect yourself, and your organisation, Avanan recommends avoiding clicking on links in emails, deploying stricter file-sharing rules across Google Workspace, and using an Internet security service from a trusted vendor, particularly one that features phishing URL protection.

Bobby Hellard
Bobby Hellard

Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.

Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.

An abstract image showing blocks of blue shiny material overlaid on one another to represent LQMs and AI.

What are large quantitative models (LQMs)?
Red Ubuntu logo appearing on a web browser with a microscope over the logo, placing emphasis on it

Qualys discovers three bypasses of Ubuntu's unprivileged user namespace restrictions
A surreal, CGI image showing a single worker in cubicle surrounded by many empty cubicles, to represent loneliness in business. The scene is shot from an isometric perspective.

Tackling loneliness in tech businesses
See more latest
Most Popular
Red Ubuntu logo appearing on a web browser with a microscope over the logo, placing emphasis on it
Qualys discovers three bypasses of Ubuntu's unprivileged user namespace restrictions
Gold lock floating above a digitally rendered motherboard with blue and red glowing hues, denoting ransomware
Security researchers hack BlackLock ransomware gang in push back against rising threat actor
A busy customer service desk
Omnissa eyes growth with revamped partner program
Female software developer using AI coding tools on a desktop computer with light from screen reflecting in spectacles.
Developers spend 17 hours a week on security — but don't consider it a top priority
A close-up of a digital dashboard showing stock market graphs overlaid onto a world map.
Financial services firms look to AI to improve resilience
Male software engineer working on a laptop at a home office desk with two PC monitors sitting on top of desk.
‘This shift highlights not just a continuation but a broad acceptance of remote work as the norm’: Software engineers are sticking with remote work and refusing to budge on RTO mandates – and 21% would quit if forced back to the office
Ransomware concept image showing a warning symbol in red with binary code in background.
Healthcare systems are rife with exploits — and ransomware gangs have noticed
Application security concept image showing a digitized padlock placed upon a digital platform.
ESET looks to ‘empower’ partners with cybersecurity portfolio updates
Databricks logo and branding pictured on a MacBook Pro screen.
Databricks and Anthropic are teaming up on agentic AI development – here’s what it means for customers
Dell Technologies logo and branding pictured at the company's stall at Mobile World Congress (MWC) in Barcelona, Spain.
Scale of Dell job cuts laid bare as firm sheds 10% of staff in a year