A wave of phishing attacks identified in December, targeting mostly Outlook users, is difficult for both email scanners and victims to flag, researchers said.
Attackers are using the “Comments” feature of Google Docs to deliver malicious links in a phishing campaign aimed mostly at Outlook users, researchers have found.
Researchers from email collaboration and security firm Avanan, a Check Point company, first observed “a new, large wave of hackers leveraging the comment feature in Google Docs” in December, Avanan Cybersecurity Researcher/Analyst Jeremy Fuchs wrote in a report published Thursday.

Avanan first discovered in October that the Comments feature of Google Docs, Sheets and Slides could be exploited to send spam emails, but so far Google has not responded to the issue, Fuchs wrote.
“This identified vulnerability has not been completely closed or mitigated by Google since then,” he wrote in the report.
So far, attackers have hit more than 500 inboxes across 30 tenants from more than 100 different Gmail accounts by exploiting the feature of Google’s cloud-based word processing app, according to the report.
Attackers target users of Google Docs by adding a comment to a document that mentions the targeted user with an “@,” which automatically sends an email to that person’s inbox. That email, which comes from Google, contains text as well as the malicious links, Fuchs said.
An example using the same technique to exploit Google Slides, the suite’s presentation app, is included in the report.
Evading Detections
There are a number of reasons it’s difficult for victims to recognize that the email sent to them after being tagged in Comments is malicious, Fuchs noted. For one, the email address of the sender is not shown – just the name of the attacker – which allows bad actors to impersonate legitimate entities to target victims, Fuchs observed.
It also “makes it harder for anti-spam filters to decide, and even more difficult for the end-user to understand,” he wrote.
“For instance, a hacker can create a free Gmail account, such as
The malicious intent of the Comments mention is difficult to detect because the end user will have no idea whether the comment came from
“It will just say ‘Bad Actor’ mentioned you in a comment in the following document,” Fuchs wrote. “If Bad Actor is a colleague, it will look trusted.”
The email also contains the full comment, along with links and text, which means the victim never has to go to the document, as the payload is in the email itself.
“Finally, the attacker does not even have to share the doc – just mentioning the person in the comment is enough,” Fuchs wrote.
Standard protections won’t flag the emails because the notification comes directly from Google, which “is on most ‘Allow Lists’ and is trusted by users,” Fuchs wrote. Indeed, he said Advanced Threat Protection missed the attack vector in its scan.
Google Docs as Attack Surface
The campaign appears to represent a ramp-up in attacks that exploit the Comments feature of Google’s collaboration apps for malicious purposes – attacks that likely will continue if left unchecked, researchers said.
June was the first time Avanan researchers identified threat actors hosting phishing attacks from within Google Docs, delivering malicious links aimed at stealing victims’ credentials. At the time, they identified it as a novel exploit of the app.
Then, in October, as previously mentioned, researchers identified threat actors exploiting the Comments feature for the first time, followed by December’s flurry of attacks, which were reported to Google on Jan. 3 “using the resulting phishing by way of email by means of Google’s built-in tools,” Fuchs wrote.
Avanan recommends that users cross-reference the email address in the comment to make sure it’s legitimate before clicking on a Google Docs comment. They also recommend standard “cyber hygiene” when reviewing comments, including scrutinizing links and inspecting grammar, according to the report.
“If unsure, reach out to the legitimate sender and confirm they meant to send that,” Fuchs advised.
Security professionals can guard against the attacks by deploying security protection that secures the entire suite, including file-sharing and collaboration apps, he added.
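As an added illustration (not code from Avanan's report or from Google), the Python sketch below triages a comment-mention notification on its content rather than its sender: it lists links that lead outside Google and notes when the commenter's display name matches a staff name. The sender domain, the "(Google Docs)" display-name suffix, the staff list and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this sketch, not taken from the report:
NOTIFY_DOMAINS = {"docs.google.com"}        # assumed sender domain of comment notifications
GOOGLE_SUFFIXES = ("google.com",)           # hosts treated as Google's own
STAFF_NAMES = {"lee morgan", "dana reyes"}  # constructed internal directory
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Constructed sample notification (no real addresses or links).
SAMPLE = """From: "Lee Morgan (Google Docs)" <comments-noreply@docs.google.com>
To: victim@corp.example
Subject: Q4 budget
Content-Type: text/plain

Lee Morgan mentioned you in a comment in the following document
Please re-validate your mailbox: https://login-portal.example/reset
Open: https://docs.google.com/document/d/EXAMPLE/edit
"""

def is_google_host(host):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)

def triage(raw):
    """Return findings for a comment notification, or None for other mail."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    if addr.rpartition("@")[2].lower() not in NOTIFY_DOMAINS:
        return None
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    # The comment text is the payload, so scan it even though Google sent it.
    findings = [("external-link", u) for u in URL_RE.findall(body)
                if not is_google_host(urlsplit(u).hostname)]
    # Only the commenter's name is visible; a match with a colleague's name
    # is a reason to verify out of band, not a sign of trust.
    commenter = re.sub(r"\s*\(.*\)$", "", display).strip().lower()
    if commenter in STAFF_NAMES:
        findings.append(("name-matches-staff", commenter))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
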
Some elements of this post are sourced from:
threatpost.com