Google Docs Comments Weaponized in New Phishing Campaign

Published: 23/11/2024   Category: security




Attackers use the comment feature in Google Docs to email victims and lure them into clicking malicious links.



The operators behind a recent phishing campaign are exploiting the commenting feature in Google Docs to send seemingly legitimate emails that convince targets to click malicious links.
This isn't the first time threat actors have found ways to exploit user trust in Google's popular productivity suite, report the Avanan researchers who discovered this campaign. Earlier this year, they observed attackers sending links to Google Docs files that contained a malicious download. Victims who downloaded the file were tricked into entering their login credentials.
The latest threat uses a different method that was documented in 2020 attacks. Starting in December, Avanan saw attackers using the Google Docs commenting feature in a phishing campaign that primarily, though not exclusively, targets Outlook users. The attack hit at least 500 inboxes across 30 tenants, with operators using more than 100 unique Gmail accounts.
To carry out this attack, the threat actor creates a Google Docs document and adds a comment containing a malicious link. They add the victim to the comment using @. This action automatically sends the target an email with a link to the Google Docs file. The email displays the full comment, including the bad links and other text added by the attacker.
It's an appealing technique for phishers because this email notification comes directly from Google, which is generally trusted among users and on most Allow lists, so it's likely to land in victims' inboxes. Further, the email doesn't contain the attacker's email address — only their display name. This makes it tougher for victims and anti-spam filters to recognize an attack.
An attacker can easily create a free Gmail account and set up a Google Doc, insert a comment, and send it to their intended target. Because the recipient won't see the sender's email address, the attacker could use the name of a colleague or friend as the display name and increase the likelihood the target will click. An attacker can use this technique to deliver malware, steal credentials, or take other actions, depending on their motivations.
No Need for G Doc Access
It's worth noting that the victim doesn't have to access a document for the attack to work as the notification email contains the malicious link, Avanan researchers report in a blog post. The attacker also doesn't have to share the file with them; simply mentioning the target in a comment is sufficient.
The December campaign used Google Docs commenting in its phishing attacks; however, the team says this technique works in Google Slides as well. Avanan notified Google of their findings on Jan. 3.
To protect against this technique, security pros are encouraged to advise employees to confirm the sender's email matches that of the person they're claiming to be. If they're unsure, they should reach out to the sender and ensure they meant to send the comment.
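Because the notification arrives from Google and shows only an attacker-chosen display name, a mail-side check can focus on what the comment text links to. The following Python is an added example, not code from Avanan or the original article: it flags comment notifications whose body contains links to non-Google hosts and surfaces the display name for out-of-band confirmation. The sender address, the Google domain suffix list, the function names and the sample message are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions (not from the article): the notification sender address and
# the domain suffixes treated as Google-owned. Tune both for your tenant.
NOTIFY_SENDER = "comments-noreply@docs.google.com"
GOOGLE_SUFFIXES = ("google.com",)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample message; addresses and links are placeholders.
SAMPLE = """\
From: "Jane Colleague" <comments-noreply@docs.google.com>
To: victim@corp.example
Subject: Jane Colleague mentioned you in a comment
Content-Type: text/plain; charset=utf-8

Jane Colleague mentioned you in a comment:
@victim@corp.example please re-confirm payroll at http://payroll-update.example/login
Open document: https://docs.google.com/document/d/CONSTRUCTED/edit
"""

def is_google_host(host):
    """True only for an exact match or a suffix match on a label boundary."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message):
    """Return None for unrelated mail, else the display name and off-Google links."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != NOTIFY_SENDER:
        return None
    links = [u for u in URL_RE.findall(body_text(msg))
             if not is_google_host(urlsplit(u).hostname)]
    # The display name is attacker-chosen and is the only identity shown,
    # so surface it for out-of-band confirmation rather than trusting it.
    return {"display_name": display, "external_links": links, "flag": bool(links)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A flagged message is a candidate for review, not a verdict: legitimate comments also link to external sites, so the result is best used to add a warning banner or route the mail to an analyst.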
