Zero trust, Cloud Security, Phishing, Malware

Google Docs ‘comments’ used to launch phishing attacks, send malicious content

The Google corporate logo and Google Cloud logo stand outside the Google Germany offices on Aug. 31, 2021, in Berlin. (Photo by Sean Gallup/Getty Images)

Researchers on Thursday reported they discovered a wave of hackers leveraging the “comments” feature in Google Docs to launch phishing attacks and send malicious content.

In a blog post, Avanan researchers said the attackers primarily targeted Outlook users. They say the attacks hit more than 500 inboxes across 30 tenants, with the hackers using more than 100 different Gmail accounts.

According to the researchers, the hackers add a comment to a Google Doc. The comment then mentions the target with an @. In doing so, an email with the bad links and text gets automatically sent to the victim’s inbox via Google. The attackers don’t show the email address, just a name, typically one that’s impersonated.

Attackers abusing the Google Docs comment section for the sake of spreading malware and malicious links presents another legitimate reason for security teams to extend their zero trust architectures beyond the identity and network levels, said Adam Gavish, co-founder and CEO of DoControl.

“Applying the zero trust model on the data layer can help achieve a least privilege model and significantly reduce the scope for attackers to exploit loopholes such as the one with the Google Docs comments section,” Gavish said.

Tim Wade, technical director of the CTO Team at Vectra, added that weaponizing documents for phishing has become a “tried and true approach” to establishing a foothold into an enterprise, and reinforces one of the fundamental truisms of the field: Attackers can hack the systems, or hack the humans. 

“As it relates to hacking humans, this is always something of an arms race – adversaries are always pursuing novel ways of tricking humans via some trusted vehicle of delivery, while network defenders manage the fallout,” Wade said. “At the end of the day, compromised users and systems will occur given time, motivation, and resources on behalf of an adversary. Detecting and responding to that inevitability before material damage can be done is the hallmark of an effective security program.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.