Threat actors are increasingly abusing a productivity feature of Google Docs to spread malicious links, according to Avanan researchers. This time, attackers are weaponizing the comment feature in Google Docs, as well as in Google Slides and Google Sheets.
The attacks began in December 2021, when a large number of attackers began to use the comments feature. The majority of the attacks targeted Outlook users. The hacker begins the attack by adding a comment to a Google Doc that mentions the target with an @ sign. The mention causes an email to be delivered to the target's inbox, containing the entire comment with all of its malicious links and text. Furthermore, the attacker's email address is not displayed in the email; only their name is shown. The hackers targeted 500 inboxes across 30 tenants using 100 different Gmail accounts.
Because the notification emails are sent by Google itself, it is difficult for scanners to detect and stop the attacks.
Furthermore, the victim is never required to open the document because the email displays the complete comment. The email contains the payload. The attacker doesn’t even have to share the document; all they have to do is mention the target in the comment.
The researchers warned that if they are not stopped, these attacks will continue.
In June 2021, Avanan researchers discovered hackers using Google Docs for malicious purposes for the first time. The attackers’ aim was to steal the credentials. Threat actors were discovered exploiting the comment feature for the first time in October of that year, followed by major attacks in December.
Before clicking on a comment, users should check the email addresses in the comments to confirm that they are legitimate. Furthermore, basic cyber hygiene is required. Last but not least, be cautious when clicking on web links that appear to be questionable.
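A mail-triage check for the notification emails described above, as an added example that is not from Avanan or Google: it picks out Google Docs comment notifications and lists the links in the comment that lead off Google's domains, including ones hidden behind a google.com/url redirect. The sender address, the Google domain list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

NOTIFY_SENDER = "comments-noreply@docs.google.com"  # assumed notification address
GOOGLE_SUFFIXES = ("google.com", "gstatic.com", "googleusercontent.com")  # assumed list
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample message, not a captured attack email.
SAMPLE = """\
From: "Jane Doe (Google Docs)" <comments-noreply@docs.google.com>
Subject: Jane Doe mentioned you in a comment
Content-Type: text/plain; charset="utf-8"

@target@example.com your invoice is overdue, pay at http://invoice-portal.example.net/login
Backup link https://www.google.com/url?q=https://login.example.org/verify&sa=D
Open in Docs https://docs.google.com/document/d/CONSTRUCTED_ID/edit
"""

def is_google_host(host):
    """True only for a listed domain or its subdomains, not lookalike hosts."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)

def unwrap(url):
    """Return the destination hidden behind a google.com/url?q= redirect."""
    parts = urlparse(url)
    if is_google_host(parts.hostname) and parts.path == "/url":
        target = parse_qs(parts.query).get("q", [""])[0]
        if target.startswith(("http://", "https://")):
            return target
    return url

def triage(raw):
    """None for other mail; else the shown name and links leaving Google."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() != NOTIFY_SENDER:
        return None
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part else ""
    external = []
    for url in URL_RE.findall(text):
        dest = unwrap(url.rstrip(".,;"))
        if not is_google_host(urlparse(dest).hostname) and dest not in external:
            external.append(dest)
    return {"display_name": display, "external_links": external}
```

Calling `triage(SAMPLE)` returns the display name the recipient sees, which is all the notification reveals about the commenter, together with the two off-Google destinations; the docs.google.com link is left out.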