Date: 2022-01-07

Phishing campaigns keep evolving and finding new systems to abuse. This time the targets are Google Docs and Google Slides. In recent months, security firm Avanan has researched the current Google Docs phishing campaign. Despite Google’s mitigation efforts, the threat actors still seem able to abuse the flaw.

Automatically delivered via Google Docs notifications

When a user comments and mentions another user with “@”, Google sends an automated e-mail to the mentioned user. These notification e-mails include the comment message but do not show the commenter’s e-mail address; only a name is shown. That makes it harder to tell whether the person who mentioned the user is a threat actor.

Those comments and notification e-mails seem to have no filtering mechanism, so the threat actors simply mention a user in a comment that contains a malicious link. The link is delivered via e-mail as an embedded comment. Because those notification e-mails are sent directly from Google Docs, they seem trustworthy enough. Clicking the links opens the door to the various security risks that the threat actor is aiming for.

How to protect yourself from Google Docs and Slides phishing attacks?

To protect yourself from Google Docs and Google Slides phishing campaigns, do not click the links in the embedded comments of Google Docs notification e-mails. Google Workspace administrators can also apply stricter security options for the file-sharing feature.
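
Because the notification really does come from Google, a sender check alone passes these messages, so a mail-triage step has to look at the links inside the comment. The following is an added example, not code from Avanan or Google: it assumes the notification sender address and the allow-list of expected hosts shown in the constants, and it runs on a constructed sample message.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not taken from the article: the notification sender address
# and the hosts treated as expected inside a genuine notification.
NOTIFY_SENDER = "comments-noreply@docs.google.com"
EXPECTED_HOSTS = ("google.com",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Constructed sample message (reserved example domains, not a real capture).
SAMPLE = """\
From: "Alex Doe (Google Docs)" <comments-noreply@docs.google.com>
To: user@example.org
Subject: Q4 budget
Content-Type: text/plain; charset="utf-8"

Alex Doe mentioned you in a comment in the following document
@user@example.org please review https://docs.google.com.example.net/login
Open: https://docs.google.com/document/d/EXAMPLE/edit
"""

def is_expected(url):
    """True only if the URL's host is an expected host or a subdomain of one."""
    try:
        host = (urlparse(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL: treat as unexpected
        return False
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)

def triage(raw_message):
    """Return (is_comment_notification, unexpected_urls) for one raw e-mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Match on the address; the display name is chosen by the commenter.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != NOTIFY_SENDER:
        return False, []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    flagged = []
    for url in URL_RE.findall(text):
        if not is_expected(url) and url not in flagged:
            flagged.append(url)
    return True, flagged

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The host comparison is an exact or dot-prefixed suffix match, so a lookalike such as `docs.google.com.example.net` is flagged rather than accepted because it merely contains the expected name.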

