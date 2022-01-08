



Security researchers say they have seen a “massive wave” of malicious hackers exploiting Google Docs’ commenting capabilities to deliver malicious content to the inboxes of unsuspecting targets.

According to a blog post published by Avanan, the commenting feature in Google Docs and in its companion Google Workspace web-based applications, Google Sheets and Google Slides, is being abused to send malicious links.

Cybercriminals can exploit this flaw to send messages to almost any email address. Because the email is actually sent by Google, it can appear trustworthy.

All the scammers need to do is create a Google Docs document, spreadsheet, or presentation and add a comment that tags the target’s email address. Google treats the tag as a reason to be “useful”: it notifies the user that they have been tagged and sends them the content of the document (including malicious links).

Spreading malicious spam and phishing messages with this technique not only makes it harder for individuals to determine whether an email is dangerous, it can also pose a challenge for email filtering solutions that treat Google as a trusted sender.

Avanan researcher Jeremy Fuchs writes that the latest attacks he saw targeted Outlook users, but the attacks are not limited to them.

“30 tenants access over 500 inboxes and hackers use over 100 different Gmail accounts.”

The problem is exacerbated by the fact that the notification emails do not include the attacker’s email address, only the display name.

This means that a malicious attacker could, for example, create a free Google account for “[email protected]” and use it to pretend to be “[email protected]”. If the intended target also works at “company.com”, the email can easily be mistaken for a genuine notification of a comment left by one of their colleagues in Google Docs.

This technique can be used to spread links that point to malware, as well as phishing links that attempt to steal login credentials from unwary users.

Fuchs claims that Google hasn’t addressed this issue, even though the threat of Google Docs comments being abused to spread spam was published on TechPress last October.

Worried users can protect themselves by being careful about clicking on suspicious links. If you’re still not sure, contact the legitimate sender to check whether they really tagged you in Google Docs or another collaboration app.
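For teams running mail filtering, one way to triage these notifications instead of passing them because Google sent them. This is an added example, not code from Avanan or Tripwire; the notifier address, the “(Google Docs)” display-name suffix, the Google host list, the colleague-name lookup and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: address Google uses for comment-mention notifications.
NOTIFIER = "comments-noreply@docs.google.com"
# Assumption: hosts expected in a genuine notification's own links.
GOOGLE_SUFFIXES = ("google.com", "gstatic.com", "googleusercontent.com")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample notification (not a captured message).
SAMPLE = """\
From: "Alex Example (Google Docs)" <comments-noreply@docs.google.com>
To: target@company.example
Subject: Alex Example mentioned you in a comment
Content-Type: text/plain; charset="utf-8"

Alex Example mentioned you in a comment.
"Please review the invoice at http://invoice-portal.example/login"
Open: https://docs.google.com/document/d/PLACEHOLDER/edit
"""


def _is_google_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def triage(raw_message: str, colleague_names: set[str]) -> list[str]:
    """Return findings for a Google comment notification, [] if it is not one."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() != NOTIFIER:
        return []
    findings = []
    # The commenter's address is not shown, so the display name proves nothing.
    name = display.replace("(Google Docs)", "").strip()
    if name.lower() in {n.lower() for n in colleague_names}:
        findings.append(f"display name matches colleague '{name}' but is unverified")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if not _is_google_host(host):
            findings.append(f"comment links to non-Google host: {host}")
    return findings
```

Legitimate comments can also contain external links, so the findings are triage signals for review or link rewriting rather than a verdict.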

Editor’s Note: The opinions expressed in this guest author’s article are only those of the contributors and do not necessarily reflect the opinions of Tripwire, Inc.

