The operators behind a recent phishing campaign are exploiting the commenting feature in Google Docs to send seemingly legitimate emails that convince targets to click malicious links.

This isn't the first time threat actors have found ways to exploit user trust in Google's popular productivity suite, report the Avanan researchers who discovered this campaign. Earlier this year, they observed attackers sending links to Google Docs files that contained a malicious download. Victims who downloaded the file were tricked into entering their login credentials.

The latest threat uses a different method that was documented in 2020 attacks. Starting in December, Avanan saw attackers using the Google Docs commenting feature in a phishing campaign that primarily, though not exclusively, targets Outlook users. The attack hit at least 500 inboxes across 30 tenants, with operators using more than 100 unique Gmail accounts.

To carry out this attack, the threat actor creates a Google Docs document and adds a comment containing a malicious link. They add the victim to the comment using "@". This action automatically sends the target an email with a link to the Google Docs file. The email displays the full comment, including the bad links and other text added by the attacker.

It's an appealing technique for phishers because this email notification comes directly from Google, which is generally trusted among users and on most Allow lists, so it's likely to land in victims' inboxes. Further, the email doesn't contain the attacker's email address — only their display name. This makes it tougher for victims and anti-spam filters to recognize an attack.

An attacker can easily create a free Gmail account and set up a Google Doc, insert a comment, and send it to their intended target. Because the recipient won't see the sender's email address, the attacker could use the name of a colleague or friend as the display name and increase the likelihood the target will click. An attacker can use this technique to deliver malware, steal credentials, or take other actions, depending on their motivations.

No Need for G Doc Access
It's worth noting that the victim doesn't have to access a document for the attack to work as the notification email contains the malicious link, Avanan researchers report in a blog post. The attacker also doesn't have to share the file with them; simply mentioning the target in a comment is sufficient.

The December campaign used Google Docs commenting in its phishing attacks; however, the team says this technique works in Google Slides as well. Avanan notified Google of their findings on Jan. 3.

To protect against this technique, security pros are encouraged to advise employees to confirm the sender's email matches that of the person they're claiming to be. If they're unsure, they should reach out to the sender and ensure they meant to send the comment.