- Bad actors are using a loophole in Google Docs sharing to send unsuspecting users malicious links in comments, research from Avanan found. The company told Google its latest findings on Jan. 3.
- By signaling a user with "@" in a Google Doc comment, the user will receive an email notification of the mention. The email notification is an automatic response of the Google application and, because only the user's name is shown and not their email address, comments make for an effective impersonation tool.
- Threat actors can insert malicious links in comments across Google Workspace, Avanon found. While Outlook users are the leading targets, Avanon found the activity in more than 500 inboxes across 30 tenants from hackers using more than 100 different Gmail accounts.
Despite the increased use of productivity tools in the enterprise, email remains a favored attack vector for bad actors because credentials for platforms like Slack are less sought-after by cybercriminals. Attackers often initiate attacks from compromised email accounts.
Phishing attacks cost U.S. companies $15 million on average in 2021, a stark rise from the 2015 average of $3.8 million, according to Ponemon Institute. Business email recovery costs almost $6 million a year for companies.
The Google Docs phishing threat does not even require legitimate emails for impersonation — only for targets.
Because comment notifications are sent directly from Google, it's on "most allow lists" for vetting emails, Avanan said. This allows bad actors to bypass traditional scanners, anti-spam filters, and the human instinct to question an email.
Google only alerts users of who mentioned them in a comment, not the email address of that person, so users cannot if the sender came from inside the company.
Avanan illustrated the example with the address "[email protected]." If that user were to send a comment containing a malicious link, the target would only see "Bad Actor mentioned you in a comment," the company said.
"If Bad Actor is a colleague, it will appear trusted," Avanan wrote. "The email contains the full comment, along with links and text. The victim never has to go to the document, as the payload is in the email itself." Bad actors don't even have to share the entire document — the email notification will be sufficient for phishing.
Exploits in Google Docs were uncovered in October 2020, and Shulin Ye in a Gmail Help forum posted guidance for mitigation. Google did not completely rectify the situation from 2020, and bad actors are taking advantage of the false safety alerts from the apps Google provides.
In June, Avanan found bad actors creating webpages resembling a Google Docs sharing page, and uploading them to Google Drive. "Simply insert this link into an email and hit send," the company said. Avanan has since found a "wave" of attackers using email and the productivity tool as vectors via impersonation and phishing, this time with less effort through comment mentions.