As I have always argued, the only limit to the cybercriminal enterprise is the imagination, and the technique for the spread of phishing and malware that we will shortly describe is proof of this. Researchers from security firm Avanan discovered a singular phishing campaign aimed primarily at Outlook users in December. The element of innovation is represented by the abuse of the comment function of Google Docs to send malicious messages.
Google Docs is Google’s office suite that allows you to create and edit documents online and collaborate with other users in real time. The suite is very popular in the workplace, so groups of people can take part in drafting documents by interacting through comments that are attached to portions of text. The attack technique is very simple and effective: the attackers create a Google document using their own Google account and add a comment that references the victim with the “@” character.
At this point an email is sent to the victim’s mailbox to notify them of the new comment that mentions them. The content of the message includes the accompanying text chosen by the attacker, which may contain malicious links.
Note that the email appears as coming from Google and the attacker’s email address and name are not displayed, which causes anti-phishing solutions to consider the message as trustworthy.
“In this attack, hackers add a comment to a Google doc. The comment mentions the target with an @. This way, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment is included, including invalid links and text. Also, the email address is not shown, only the name of the attackers, which makes it ripe for imitators.” reads the analysis published by Avanan.
Notification emails are sent from Google’s infrastructure, which is why security solutions don’t label them as malicious.
The technique also works with other Google Workspace components that support comments, such as Google Slides.
In the phishing campaign monitored by Avanan experts, attackers used Google Docs and other Google collaboration tools to send malicious messages to Outlook users from over 100 different Gmail accounts created for the purpose. Of course, compromised Gmail accounts could also be used to target the victim’s network of contacts. The latter scenario could, for example, be exploited by nation-state actors who intend to target the members of a specific community, such as a research team working on a confidential project.
It is important to share information on this technique, especially at a time like this when many companies allow smart working and collaboration tools such as Google Docs facilitate their daily activities.
To avoid being victims of this attack technique, experts recommend:
- Before clicking on Google Docs comments, make sure the email address in the comment is legitimate.
- It is a good idea to check that the links do not point to phishing content or untrustworthy sites.
- Pay attention to the grammar of the message content.
- If in doubt, contact the legitimate sender directly and ask if they intended to share a comment or that document.
- Use defense software that can protect the entire suite, including file sharing and collaboration apps.
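The second recommendation, checking where the links in a comment notification actually point, is easy to automate at the mail gateway. The following is an added example, not code from this article or from Avanan: it parses a Google Docs comment-notification email, extracts every URL from the comment text, and flags links whose host is not a Google domain. The sample message, the allowlist of trusted hosts, and the `triage()` function name are all constructed for the demo; the sender address and display name are read from the `From:` header exactly as a user would see them, which is why the attacker's own address never appears.

```python
"""Triage helper for Google Docs comment-notification emails (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts a genuine Docs notification is expected to link to (assumption for the demo).
TRUSTED_HOSTS = {
    "docs.google.com",
    "drive.google.com",
    "accounts.google.com",
    "support.google.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample in the shape of a comment notification; not a real message.
SAMPLE_EMAIL = """From: "Some Name (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Some Name mentioned you in "Q4 budget"
Content-Type: text/plain; charset=utf-8

Some Name mentioned you in a comment in the following document

@victim@example.com please review the updated invoice here:
https://invoice-review.example-lookalike.test/login
Open: https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/edit
"""


def comment_text(msg: Message) -> str:
    """Concatenate all text/plain parts; the comment body lives there."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def extract_urls(body: str) -> list:
    """Return every http(s) URL found in the body, in order of appearance."""
    return URL_RE.findall(body)


def is_trusted(url: str) -> bool:
    """True if the URL's host is a trusted host or a subdomain of one.

    Matching on the parsed hostname (not a substring search) means
    'docs.google.com.evil.test' and 'evil.test/docs.google.com' are rejected.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage(raw_message: str) -> dict:
    """Summarise a notification: who it appears to be from and which links need review."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    urls = extract_urls(comment_text(msg))
    suspicious = [u for u in urls if not is_trusted(u)]
    return {
        "display_name": display_name,   # the only identity the recipient sees
        "sender": sender,               # Google's notification address, not the commenter
        "urls": urls,
        "suspicious": suspicious,
        "verdict": "review" if suspicious else "ok",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(f"From: {result['display_name']} <{result['sender']}>")
    for u in result["suspicious"]:
        print(f"  flagged: {u}")
    print(f"verdict: {result['verdict']}")
```

Because the notification really does come from Google's infrastructure, the sender address is expected to pass authentication checks; the useful signal is in the comment body, so the verdict is driven entirely by the link hosts, and any flagged message can be quarantined or annotated for the user before delivery.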