Google Docs, as well as the larger Google Workspace, is ideal for productivity and collaboration. Employees across the globe can work, in real-time, together.
That seamless nature is being targeted by hackers. In June, Avanan reported on an exploit in Google Docs that allowed hackers to easily deliver malicious phishing websites to end-users. Now, hackers have found a new way to do the same thing.
Last October, it was reported that hackers could easily send malicious links through comments in Google apps like Docs and Slides. This known vulnerability has not been fully closed or mitigated by Google since then.
Starting in December 2021, Avanan observed a new, massive wave of hackers leveraging the comment feature in Google Docs, targeting primarily Outlook users. In this attack brief, Avanan will analyze how the comment feature across the Google suite has become an attack vector for hackers.
Attack
In this attack, hackers are utilizing productivity features in Google Docs to send malicious content.
- Vector: Email, Google Docs
- Type: Malicious Link, Impersonation
- Techniques: Impersonation, Phishing
- Target: Any end-user
In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators.
Email Example #1
In this email, Avanan researchers tested this flaw with an example comment that includes a malicious link.
This email has a malicious link. All the hacker has to do is mention it in the comment.
Email Example #2
This example uses Google Slides:
This technique works across the Google suite.
Techniques
In this email attack, hackers found a way to leverage Google Docs, and other Google collaboration tools, to send malicious links. We primarily saw it target Outlook users, though not exclusively. It hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts.
There are several ways that make this email difficult for scanners to stop and for end-users to spot.
For one, the notification comes directly from Google. Google is on most Allow Lists and is trusted by users.
Secondly, the email doesn’t contain the attacker’s email address, just the display name. This makes it harder for anti-spam filters to judge, and even harder for the end-user to recognize.
For example, a hacker can create a free Gmail account, such as <bad.actor@gmail.com>. They can then create a Google Doc, insert a comment and send it to their intended target. For this example, let’s say the intended target has a work address of <vic.tim@company.com>. The end-user will have no idea whether the comment came from <bad.actor@gmail.com> or <bad.actor@company.com>. It will just say “Bad Actor” mentioned you in a comment in the following document. If Bad Actor is a colleague, it will appear trusted. Further, the email contains the full comment, along with links and text. The victim never has to go to the document, as the payload is in the email itself. Finally, the attacker doesn’t even have to share the document--just mentioning the person in the comment is enough.
This attack was missed by ATP, as well.
Avanan notified Google of this flaw on January 3rd, via the report phish through email button within Gmail.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Before clicking on Google Docs comments, encourage end-users to cross-reference the email address in the comment to ensure it’s legitimate
- Remind end-users to utilize standard cyber hygiene, including scrutinizing links and inspecting grammar
- If unsure, reach out to the legitimate sender and confirm they meant to send that document
- Deploy malware protection that secures the entire suite, including file-sharing and collaboration apps