Hackers use Google Doc comment emails to trick security tools


Avanan, a cybersecurity company, has reported a rise in the use of Google Docs’ productivity features to sneak malicious content past spam filters and security tools. Jeremy Fuchs, from Avanan, said the company saw cyberattackers use the comment feature in Google Docs during December to attack Outlook users.

Writing in a blog post, Fuchs explained that the hackers add a comment to a Google Doc and mention the target with an @. A notification email is then automatically sent to the target. Since it comes from Google, the full comment is included, malicious link and text and all.

Ripe for crime

When this attack happens, the sender's email address is not shown, only the display name, which makes the technique attractive to impersonators. The technique has been used by criminals before, and Google had to release fixes for it in 2020. Avanan's screenshots show its researchers testing the bug with Google Docs and Google Slides using a malicious link added to a comment.

The company says that the attacks have primarily targeted Outlook users and have hit over 500 inboxes across 30 tenants, with hackers using over 100 different email accounts.

A problem of trust

Since emails come directly from Google, the scanners have a difficult time stopping the malicious text and links. Most users trust emails coming from Google. Anti-spam features are useless here because the email does not use the hacker’s address, only the display name.

The email contains the full comment, including links and text. The victim never has to go to the document for the payload since it is in the email.
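Because the notification is genuinely sent by Google, a sender check will not catch it; the usable signal is the link carried in the comment text. The following is an added example, not code from Avanan or Google, that takes a raw message, confirms it is a comment notification, and lists link hosts that are not Google's. The sender address, the list of Google domains and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: address that comment notifications are sent from (not stated on the page).
NOTIFY_SENDERS = {"comments-noreply@docs.google.com"}
# Assumption: domains treated as Google's own for this check.
GOOGLE_SUFFIXES = ("google.com", "gstatic.com", "googleusercontent.com")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def is_google_host(host):
    """True only for an exact match or a real subdomain, not a look-alike."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)

def body_text(msg):
    """Concatenate every text part (plain and HTML) of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def external_links_in_comment_mail(raw_message):
    """Return None for other mail; otherwise the display name and non-Google link hosts."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if addr.lower() not in NOTIFY_SENDERS:
        return None
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body_text(msg))}
    external = sorted(h for h in hosts if h and not is_google_host(h))
    return {"display_name": display, "external_hosts": external}

# Constructed sample message: every name, address and URL here is made up.
SAMPLE = """From: "Alex Example (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.org
Subject: Alex Example mentioned you in a comment
Content-Type: text/plain; charset=utf-8

Alex Example mentioned you in a comment in the following document
@victim@example.org please review: http://login.example.net/verify
Open: https://docs.google.com/document/d/CONSTRUCTED/edit
"""

if __name__ == "__main__":
    print(external_links_in_comment_mail(SAMPLE))
```

A non-empty `external_hosts` list is a reason to hold the message for URL reputation checks or review, not proof of phishing, since legitimate comments can also contain outside links.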

The attacker does not even have to share the document; mentioning the person will do it. Avanan reported another Docs exploit in 2020. Users are highly encouraged to check links before clicking on them, to avoid getting phished.