Attackers Exploit Flaw in Google Docs’ Comments Feature


Researchers say it’s tough for both email scanners and victims to detect a wave of phishing assaults that began in December and targeted mostly Outlook users.

Researchers observed that attackers are utilising the “Comments” function of Google Docs to distribute malicious URLs in a phishing effort aimed largely at Outlook users.

 

Avanan Cybersecurity Researcher/Analyst Jeremy Fuchs stated in a study published Thursday that researchers from email collaboration and security business Avanan, a CheckPoint company, first noticed “a new, enormous wave of hackers leveraging the comment feature in Google Docs” in December.

In October, Avanan discovered that the Comments function of Google Docs, Sheets, and Slides could be used to send spam emails, but Google has yet to reply, according to Fuchs.

“Google has not properly closed or mitigated this known issue since then,” he stated in the study.

According to the study, attackers have exploited a feature of Google’s cloud-based word processing tool to assault more than 500 inboxes across 30 tenants from more than 100 different Gmail accounts.

Attackers target Google Docs users by adding a comment to a document that mentions the target with an “@” symbol, which automatically sends a notification email to that user’s inbox. According to Fuchs, the email, which is sent by Google, carries both the comment text and the malicious links.

 

The study includes an example of the same technique being used against Google Slides, the suite’s presentation software.

Getting Away With It

According to Fuchs, there are several reasons why it’s difficult for victims to notice that the email they receive after being tagged in Comments is malicious. For one thing, the sender’s email address isn’t displayed, only the attacker’s display name, which allows bad actors to impersonate genuine companies when targeting victims, according to Fuchs.

He also said that it “makes it harder for anti-spam filters to judge, and even harder for end-users to notice.”

“A hacker, for example, may create a free Gmail account with the address [email protected],” Fuchs added. “They can then build a Google Doc and send it to the person they want to communicate with.”

He explained that the malicious intent of the Comments mention is difficult to detect because the end user has no way of knowing whether the comment came from [email protected] or [email protected].

The email also includes the entire comment, as well as links and content, eliminating the need for the victim to open the document because the payload is contained within the email itself.

“Finally, the attacker does not even need to distribute the paper; simply mentioning the individual in the remark suffices,” Fuchs said.

Because the message comes directly from Google, which “is on most ‘Allow Lists’ and is trusted by users,” Fuchs stated, standard defences will not flag the emails. Indeed, he claimed that Advanced Threat Protection’s scan missed the attack vector.

As an Attack Surface, Google Docs

The campaign appears to signal an increase in attacks that exploit the Comments feature of Google’s collaboration apps for nefarious purposes, attacks that, according to researchers, will certainly continue if left unchecked.

In June, Avanan researchers discovered for the first time threat actors hosting phishing attacks from within Google Docs, delivering malicious links aimed at stealing users’ credentials. They characterised it as a novel app exploit at the time.

 

Researchers first discovered threat actors exploiting the Comments feature in October, followed by a rush of attempts in December; the campaign was reported to Google on Jan. 3, with attackers “using the resulting phishing through email through Google’s built-in capabilities,” according to Fuchs.

Before clicking on a Google Docs comment, Avanan advises users to check the email address in the comment to make sure it’s real. According to the paper, they also encourage conventional “internet hygiene” while examining comments, such as scrutinising links and checking grammar.
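The advice above comes down to two checks the notification email itself allows: don’t trust the message just because it arrives from Google’s notification address, and scrutinise the links carried inside the quoted comment. The following script is an added example, not code from Avanan or from the report, showing how a mail-filtering step could apply those checks. The sender domain, the Google domain list and the sample message are all constructed assumptions, not values taken from the article.

```python
"""
Added example (not from the Avanan report): triage a Google Docs
comment-notification email by inspecting the comment body it carries
instead of trusting the sender domain, which an allow list already passes.

Assumptions (constructed for this example): the notification is a plain
RFC 822 message, the sender address below is a stand-in for Google's real
notification sender, and GOOGLE_DOMAINS is an assumed list of domains that
Google's own notification links normally point at.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed set of first-party Google domains; links elsewhere are "external".
GOOGLE_DOMAINS = ("google.com", "googleusercontent.com")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample message: a mention notification whose quoted comment
# carries a link to a non-Google host. Addresses and IDs are placeholders.
SAMPLE_EML = """\
From: "Acme Payroll (Google Docs)" <comments-noreply@example-notify.invalid>
To: victim@example.invalid
Subject: Acme Payroll mentioned you in a comment in "Q1 Bonus Schedule"
Content-Type: text/plain; charset="utf-8"

Acme Payroll mentioned you in a comment:

@victim@example.invalid please review your bonus statement here:
https://acme-payroll-review.invalid/login

Open: https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/edit
"""


def _is_google_domain(host: str) -> bool:
    """True if host is one of the assumed Google domains or a subdomain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)


def triage_comment_notification(raw: str) -> dict:
    """Return findings for one notification message.

    The sender is expected to be Google's notification address, so the
    allow list tells us nothing. The usable signal is in the comment body:
    links that leave Google's domains, plus a display name that the
    recipient cannot tie to a verifiable address.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    display_name, sender_addr = parseaddr(str(msg["From"]))
    urls = URL_RE.findall(body)
    external = [u for u in urls
                if not _is_google_domain(urlparse(u).hostname or "")]
    return {
        "display_name": display_name,          # all the recipient sees
        "sender_domain": sender_addr.rsplit("@", 1)[-1],
        "external_links": external,            # payload lives in the body
        "suspicious": bool(external),
    }


if __name__ == "__main__":
    for key, value in triage_comment_notification(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run as a script it prints the findings for the constructed sample; in a real pipeline `triage_comment_notification` would be fed each notification that the sender-based allow list has already passed, and a `suspicious` result would route the message for quarantine or user warning rather than delivery. The domain check deliberately matches only exact domains and their subdomains, so a host such as `docs.google.com.evil.invalid` is still treated as external.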

“If you’re not sure, contact the legitimate sender and ask if they meant to send it,” Fuchs suggested.

He noted that security professionals can protect against these threats by adopting security protection that covers the complete suite, including file-sharing and collaboration apps.
