Researchers from security firm Avanan in December uncovered a phishing campaign targeting mainly Outlook users with a new technique that abuses the commenting feature of Google Docs to send out malicious messages.
The attack chain is very simple, attackers create a Google Document using their Google account. Threat actors added a comment to a Google Doc that refers to the target with an ‘@’ to automatically send a message that comes from Google. The content of the comment includes the malicious links while the email address and the attackers’ name aren’t shown.
Google sends a notification email to the target’s inbox to notify it of the new comment on the document that mentioned them.
“In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators.” reads the analysis published by Avanan.
The emails are sent out from Google infrastructure, for this reason, security solutions do not label them as malicious.
The technique also with Google Slide and other components of the Google Workspace service.
In the phishing campaign tracked by the experts, threat actors leveraged Google Docs and other Google collaboration tools, to target over Outlook users across 30 tenants. The attackers used over 100 different Gmail accounts.
To avoid being victims of this phishing technique experts recommend:
(SecurityAffairs – hacking, Phishing)