Hackers are abusing Google Docs to bypass security protections

Comments are being weaponized to deliver malicious links

Google Docs makes collaborating in real time with colleagues a seamless experience, but hackers have found ways to leverage these capabilities to send malicious links to unsuspecting users.

Back in June of last year, researchers at Check Point-owned Avanan discovered an exploit in the search giant’s office software that allowed an attacker to easily deliver links to phishing sites to end users. Now though, hackers have discovered a new way to do the exact same thing.

It was reported in October that hackers could use comments in Google Workspace apps like Docs and Slides to easily send malicious links to other users. Although this is a known vulnerability, Google has yet to fully close or mitigate it in the time since.

Beginning in December of 2021, Avanan’s researchers observed a new campaign in which a massive wave of hackers leveraged the comment feature in Google Docs to primarily target users of Microsoft’s email service Outlook.

Using comments to target Workspace users

According to a new blog post from Avanan, in this attack, hackers are adding comments with malicious links to Google Docs using @ mentions.

Unlike typical malicious campaigns, which rely on emails sent from an attacker to reach potential victims, in this case Google itself automatically sends an email to the targeted user. These emails contain the full comment, including the malicious link and text. The sender’s email address isn’t shown, just the attacker’s name, which makes it easy to impersonate someone at the target’s organization.

Although the campaign primarily targeted Microsoft Outlook users, they weren’t the only people affected. Avanan observed over 500 inboxes across 30 tenants affected, with the attackers responsible using over 100 different Gmail accounts. The cybersecurity firm notified Google of this flaw at the beginning of this month using the “report phish through email” button within Gmail.

To avoid falling victim to this attack and others like it, end users should remain as vigilant when checking and responding to comments in Google Docs, Sheets and Slides as they are when checking their inbox for malicious emails.
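For mail administrators, the comment notification emails described above can also be triaged automatically. The following is an added example, not code from Avanan, Google or the original article: it surfaces the display name and any link hosts outside an allowlist in a comment notification. The notifier address, the allowlist and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the address comment notifications arrive from; confirm against your own mail flow.
NOTIFIER = "comments-noreply@docs.google.com"
# Assumption: domains a genuine notification is expected to link to.
TRUSTED_SUFFIXES = ("google.com",)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def is_trusted(host):
    """True for a trusted domain or a subdomain of one, not a look-alike suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def untrusted_links(raw_message):
    """Return (display_name, hosts); hosts are off-allowlist link targets in a comment notification."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != NOTIFIER:
        return display_name, []  # not a comment notification: out of scope for this check
    hosts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                host = urlsplit(url).hostname or ""
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                continue
            if host and not is_trusted(host) and host not in hosts:
                hosts.append(host)
    return display_name, hosts

# Constructed sample message (not taken from the campaign).
SAMPLE = """From: "Pat Lee (Google Docs)" <comments-noreply@docs.google.com>
To: victim@corp.example
Subject: Pat Lee mentioned you in a comment
Content-Type: text/plain; charset=utf-8

Pat Lee mentioned you: @victim@corp.example please review http://payroll-update.example/login
Open: https://docs.google.com/document/d/CONSTRUCTED/edit
"""

if __name__ == "__main__":
    name, hosts = untrusted_links(SAMPLE)
    print(f"comment from display name {name!r}; untrusted link hosts: {hosts}")
```

Because the notification shows only a display name, a hit is best reviewed alongside whether that name matches a known collaborator on the document.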

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
