Researchers have identified a new phishing attack where the hackers exploit the Google Docs Comment feature to send phishing emails. This strategy proves even more evasive as it hides the attackers’ identity.
Google Docs Comment Phishing Attack
According to a post from the cybersecurity firm Avanan, a new phishing attack is active in the wild spreading malicious links.
What’s different in this attack is exploiting the Google Docs Comment feature to disseminate the links anonymously.
Specifically, the comment feature in Google Docs allows a particular option to send emails to a respective user. It requires adding an “@” before the user’s name while adding the comment in a Docs file. Then, Google sends an email to the user (that arrives right in the recipient’s inbox). This email includes the whole comment and comes from Google’s address. Hence, the user would open the email with trust as it arrives from Google.
That is what the hackers exploit. They insert malicious phishing links in the Google Docs comment section. Then, adding the “@” with the target recipient’s name makes Google send an email to the user with the malicious link. This increases the success probability for this attack as the recipient would likely open the email that arrives with Google’s address.
Sneaky nature of the attack
The trust factor attached with Google’s name, another thing increasing this phishing attack’s success rate is the stealth senders’ identity. The emails arriving this way merely include the sender’s display name without an email address.
Therefore, when such an email arrives in a mailbox, no spam filters would likely block it. Nor would the user ever be able to recognize and block the sender’s email address (as it would never appear).
Describing such a scenario, the researchers stated,
A hacker can create a free Gmail account, such as <[email protected]>. They can then create a Google Doc, insert a comment and send it to their intended target. For this example, let’s say the intended target has a work address of <[email protected]>. The end-user will have no idea whether the comment came from <[email protected]> or <[email protected]>. It will just say “Bad Actor” mentioned you in a comment in the following document. If Bad Actor is a colleague, it will appear trusted.
Besides, this phishing attack is easy to execute as it does not require the victim to open the document. Instead, the malicious comment would sufficiently appear in the email to trigger the attack. Moreover, it requires sending no attachments from the hackers.
Beware Of Google Apps Phishing Emails
According to the researchers, the phishing attack in question also exploits other Google Suite apps, like Google Slides. The attack strategy remains the same, hence, conferring similar damages.
Presently, the researchers have found this email targeting Microsoft Outlook users. Whereas the hackers have created roughly 100 Gmail accounts for this campaign.
Avanan has informed Google of this phishing attack. Besides, they also urge users to stay vigilant and employ email security best practices.