Date: 2022-01-06



Google Docs and the larger Google Workspace are ideal for productivity and collaboration. Employees around the world can work together in real time.

Its seamless nature has made it a target for hackers. In June, Avanan reported on an exploit for Google Docs that makes it easier for hackers to deliver malicious phishing websites to end users. Now hackers have found a new way to do the same.

Last October, it was reported that hackers could easily send malicious links via comments from Google apps such as Docs and Slides. Since then, this known vulnerability has not been completely closed or mitigated by Google.

Since December 2021, Avanan has observed a new, large-scale wave of hackers using the comment feature of Google Docs, primarily targeting Outlook users. In this attack overview, Avanan analyzes how the commenting feature across the Google suite serves as an attack vector for hackers.

Attack

In this attack, hackers are using the productivity features of Google Docs to send malicious content.

Vector: Email, Google Docs

Type: Malicious Links, Spoofing

Techniques: Spoofing, Phishing

Targets: Any End User

Email

In this attack, a hacker adds a comment to a Google Doc. The comment mentions the target with an @. As a result, an email is automatically sent to that person's inbox. The email, which comes from Google, contains the complete comment, including the malicious links and text. It also lends itself to spoofing, because the attacker's email address is not displayed, only the attacker's name.

Email example 1

In this email, Avanan researchers tested this flaw using an example of a comment containing a malicious link.

This email contains a malicious link. All the hacker has to do is mention it in the comments.

Email example 2

This example uses Google Slides.

This technique works for the entire Google suite.

Technique

In this email attack, hackers found a way to use Google Docs and other Google collaboration tools to send malicious links. It primarily targeted Outlook users, though not exclusively. Across 30 tenants and over 500 inboxes, hackers used over 100 different Gmail accounts.

Several things make this email difficult for scanners to stop and for end users to spot.

One is that notifications are sent directly from Google. Google is on most allow lists and is trusted by users.

Second, the email does not include the attacker's email address, only the display name. This makes it harder for anti-spam filters to judge the message and even more difficult for end users to recognize it.

For example, a hacker can create a free Gmail account like this: .. They can then create a Google Doc, insert a comment and send it to the desired target. In this example, the target's work address is .. End users don't know whether the comment came from .. The notification says only that Bad Actor mentioned you in a comment in the following document. If Bad Actor is a colleague, it looks trusted. In addition, the email contains the complete comment, with its link and text. The victim does not need to open the document because the payload is in the email itself. Finally, the attacker doesn't even have to share the document. It is enough to mention that person in a comment.

This attack was also overlooked by ATP.
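A mail-filter heuristic for the notification described above, as an added example that is not Avanan's or Google's code: it flags comment notifications that carry a non-Google link or whose display name matches a colleague. The sender address, trusted-domain list, directory names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not from the article: sender address, trusted link domains,
# colleague names. SAMPLE is a constructed notification, not a captured one.
NOTIFY_SENDERS = {"comments-noreply@docs.google.com"}
TRUSTED_LINK_DOMAINS = ("google.com",)
DIRECTORY_NAMES = {"bad actor"}  # display names of real colleagues
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

SAMPLE = """From: "Bad Actor (Google Docs)" <comments-noreply@docs.google.com>
Subject: Bad Actor mentioned you in a comment
Content-Type: text/plain; charset=utf-8

Bad Actor mentioned you in a comment in the following document
Please re-validate here: https://login.example.net/verify
Open: https://docs.google.com/document/d/EXAMPLE/edit
"""

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)

def body_text(msg):
    chunks = []
    for part in msg.walk():  # covers multipart (text + HTML) mail too
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess(raw_email):
    """Return reasons a Google comment notification should be held for review."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    if addr.lower() not in NOTIFY_SENDERS:
        return []  # not a comment notification
    reasons = []
    links = [u for u in URL_RE.findall(body_text(msg))
             if not is_trusted(urlparse(u).hostname or "")]
    if links:
        reasons.append("comment carries non-Google link: " + ", ".join(links))
    # Only the display name is shown, so a colleague's name proves nothing.
    name = re.sub(r"\s*\([^)]*\)\s*$", "", display).strip().lower()
    if name in DIRECTORY_NAMES:
        reasons.append("display name matches a colleague; author address not shown")
    return reasons
```

Calling `assess(SAMPLE)` returns both reasons; a message from any other sender, or a notification with only Google links and an unknown name, returns an empty list.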

Avanan notified Google of this flaw on January 3rd via the report phish through email button in Gmail.

Best practices: guidance and recommendations

To guard against these attacks, security professionals can do the following:

Before clicking a comment in Google Docs, encourage end users to cross-reference the email address in the comment to make sure it is legitimate.

Remind end users to use standard cyber hygiene, such as link scrutiny and grammar inspection.

If unsure, contact the legitimate sender and confirm that they intended to send the document.

Deploy protection that secures the entire suite, including file-sharing and collaboration apps.

