Research by cybersecurity firm Avanan has shown that hackers are increasingly using Google Docs functionality to pass malicious content through spam filters and security tools.
In a blog post, Jeremy Fuchs of Avanan says that attackers used the Comments feature in Google Docs and Google Slides to carry out attacks against Outlook users in December.
"In this attack, the hackers add a comment to a Google Doc. The comment mentions the target with an @. In doing so, an email is automatically sent to that person's inbox. The full comment, including malicious links and text, is included in this email from Google. In addition, the email address is not displayed; only the name of the attacker is indicated, which makes the situation conducive to identity theft," he describes.
Cybercriminals have used this technique for a long time, and Google even released fixes for this issue in October. But Avanan includes footage from researchers who continue to exploit the vulnerability on Google Docs and Google Slides by using a malicious comment link.
"We saw that she mainly visited Outlook users, but not exclusively. It reached more than 500 inboxes in 30 companies, the hackers using more than 100 different Gmail accounts", adds the researcher, noting that the passage by Google Docs makes it difficult to stop the attack by the filtering systems because the email comes directly from Google.
Google is on most allow lists, says Jeremy Fuchs, and most people trust emails from Google. Anti-spam functions are also powerless against this attack, as the email does not use the hacker's email address, only their display name. No one can tell if the comment is from someone inside their company or from outside.
"Plus, the email contains the full comment, links, and text. The victim never needs to view the document, as the payload is in the email itself. Finally, the attacker doesn't even have to share the document: just mention the person in the comment," he adds.
"This attack was not detected by ATP either. Avanan informed Google of the flaw on January 3 via the "Report Phish through email" button in Gmail. "
The company notes that it reported another Google Docs exploit last year that allowed hackers to distribute malicious phishing websites to end-users efficiently.
Avanan suggests that users double-check before clicking on any links in a Google Doc comment sent to them.
Several cybersecurity experts point out that cyber attackers have used this type of attack for many years because of its success.
Shawn Smith, director of the infrastructure at nVisium, notes that the attack differs from other phishing methods. "Users should always be wary of links in emails, even those from legitimate senders, as they risk compromising their account. It seems that this is less of an "exploit" in itself than a lack of spam prevention, "he said. "In addition to checking the links, users should also hover over them before clicking to confirm that the hyperlink sends them where they expect it to – and not to a completely different site than the one the link indicates. "
More cybersecurity content: