Posted on January 7, 2022 at 6:09 PM
Avanan, a cybersecurity research company, has released a report showing that threat actors are now exploiting Google Docs. The report showed that threat actors used productivity features on Google Docs to launch their attacks.
Some of the malicious intentions by these hackers include bypassing spam filters and security features to distribute malicious content.
Hackers exploiting Google’s comment feature
A report by Jeremy Fuchs, one of the researchers with Avanan, noted that the first instance of hackers using the comment feature was detected in December. The attackers were exploiting this feature on both Google Docs and Google Slides.
The blog post published by Fuchs noted that the hackers were launching this attack by adding a comment to a Google document. The report further noted that the comment sent by the attackers mentioned the target victim using an @.
“By doing so, an email is automatically set to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attacker’s name, making this ripe for impersonators,” the blog post by Fuchs read.
This is not the first time attackers have used Google Docs to launch attacks. Cybercriminals have used the technique for a long time, and Google has even issued security patches to fix the vulnerability in 2020. However, it now seems like these patches are doing very little to curb the attacks.
The report from Avanan shows several images of the researchers as they tested the vulnerability on Google Docs and Google Slides. The researchers were using a malicious link added to one of the comments.
After testing, Fuchs noted that “we primarily saw it target Outlook users, though not exclusively. It hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts.”
The research by Fuchs also added that the email feature available on Google Docs made it hard for the scanners to stop the malicious attack. Security features failed to detect and stop the attack because it showed that the email was sent directly by Google.
Google is one of the trusted senders on emails. Emails sent from Google are usually not spammed and are on the Allow Lists of many users. Additionally, many users have also shown trust in emails sent by Google.
Features that filter spam messages have also failed to detect the malicious content attached in this comment feature. The attackers do not use their own email addresses, but they only feature a display name. Therefore, a user can’t identify whether a comment has been sent by someone working within the company or from an external source.
Fuchs also noted that the attackers have created trust with users by personalizing the email and ensuring it will get to the intended target.
“Further, the email contains the full comment, along with links and text. The victim never has to go to the document, as the payload is in the email itself. Finally, the attacker doesn’t even have to share the document – just mentioning the person in the comment is enough,” Fuchs noted.
Hackers have been using Google Docs exploits for a long time
The researchers from Avanan further states that in 2021, another attack was also done through Google Docs. The researchers stated that the vulnerability allowed the hackers to deliver malicious phishing websites to end-users.
The researchers also gave users several tips that they can use to protect themselves from being victims of such attacks. One of these tips is to check the comments sent to them through Google Docs thoroughly. Checking will ensure that a user does not comment on any malicious links attached.
Other cybersecurity researchers have also stated that the attack has been used severally in the past because of its high level of success. Shawn Smith, the director of infrastructure at nVisium, stated that the attack is not different from the other methods of phishing used by attackers.
In the report, Smith said, “users should always be wary of links in emails – even emails from legitimate senders – due to the possibility of an account becoming compromised. It seems to me that this could be categorized less as an ‘exploit’ per se, and more so a case of a lack of spam prevention.”
The other tip that users should note is that they should hover over the links sent through their comments before clicking on them. This will ensure that the attacked hyperlink will direct them to the pages they want to visit and not to an entirely different site.
Hackers using Google Docs comment feature to launch attacks
Hackers are using a comment feature on Google Docs to launch attacks. Hackers are using this feature to send malicious links. This is not the first time this has happened, as Google had issued a patch to this vulnerability in 2020.