Phishing with Google Docs Comments

In another example of how attackers are continuing to use trusted platforms to launch phishing attacks that evade standard email defences, Google Docs appears to have become the latest tool of the trade for phishers.

In a nod to the ingenuity of attackers to discover malicious uses for seemingly innocuous features, reports indicate that attackers are using an exploit that leverages the comment feature of Google productivity apps like Docs and Slides.

Put simply, by mentioning a target with an @, an email is automatically sent to that person’s inbox. The email comes from Google, with malicious links and text all included. Even more valuable from a social engineering perspective, the email address of the sender is omitted, with only the name of the attacker included.

What’s clever about this attack is that it comes to the target’s inbox from a trusted sender (Google), evading most defensive scanners and spam filters. The end-user also has no idea who the real sender is. If the attacker were to impersonate a colleague, there would be an even higher level of trust in the email. Lastly, the full payload can be included in the comment and delivered right into the target’s inbox, with no need to login anywhere or view the document.

The trend of using trusted platforms like file sharing and collaboration tools to deliver malicious payloads is likely to continue and grow, as it presents a valuable opportunity to evade traditional email defences. The rapid and significant transition to online working and collaboration over the past two years will only have exacerbated this problem, making it an even more enticing social engineering route for malicious actors.

Using the principle of defence-in-depth and having multiple defensive layers in place would go a long way towards countering such attacks, but a key critical layer will continue to be good user awareness training.