Hackers are abusing Google Docs to bypass security protections

Google Docs logo
(Image credit: Google)
Audio player loading…

Google Docs make collaborating in real-time with colleagues a seamless experience but hackers have found ways to leverage these capabilities to send malicious links to unsuspecting users.

Back in June of last year, researchers at Check Point-owned Avanan (opens in new tab) discovered an exploit in the search giant's office software (opens in new tab) that allowed an attacker to easily deliver links to phishing sites to end-users. Now though, hackers have discovered a new way to do the exact same thing.

It was reported in October that hackers could use comments in Google Workspace (opens in new tab) apps like Docs and Slides to easily send malicious links to other users. Although this is a known vulnerability, Google has yet to fully close or mitigate it in the time since.

Beginning in December of 2021, Avanan's researchers observed a new campaign in which a massive wave of hackers leveraged the comment feature in Google Docs (opens in new tab) to primarily target users of Microsoft's email service (opens in new tab) Outlook.

Using comments to target Workspace users

According to a new blog post (opens in new tab) from Avanan, in this attack, hackers are adding comments with malicious links to Google Docs using @ mentions. 

Unlike with typical malicious campaigns that rely on emails sent from an attacker to reach potential victims, in this case Google automatically sends an email to a targeted user. In these emails, the full comment along with the malicious link and text are sent though the email address of the sender isn't shown, just the attacker's name which makes it easy to impersonate someone at their organization.

Although the campaign primarily targeted Microsoft Outlook (opens in new tab) users, they weren't the only people affected and Avanan observed over 500 inboxes across 30 tenants affected with the attackers responsible using over 100 different Gmail (opens in new tab) accounts. The cybersecurity firm notified Google of this flaw at the beginning of this month using the report phish through email button within Gmail.

To prevent falling victim to this attack and others like it, end users should remain as vigilant when checking and responding to comments in Google Docs, Sheets and Slides as they do when checking their inbox for malicious emails (opens in new tab).

We've also featured the best antivirus (opens in new tab), best malware removal software (opens in new tab) and best endpoint protection software (opens in new tab)

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.