Hackers are sending malicious links through Google Doc comment emails

A new report from Avanan has found that cybercriminals are attempting to exploit Google Docs through its comment feature.
Written by Jonathan Greig, Contributor

Research from cybersecurity company Avanan has shown that hackers are increasingly using Google Docs' productivity features to slip malicious content past spam filters and security tools. 

Avanan's Jeremy Fuchs said that in December, the company saw cyberattackers using the comment feature in Google Docs and Google Slides to leverage attacks against Outlook users.

"In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person's inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn't shown, just the attackers' name, making this ripe for impersonators," Fuchs wrote in a blog post

The technique has long been used by cybercriminals and Google even released fixes for the issue in 2020. But Avanan included images showing researchers testing the flaw with Google Docs and Google Slides using a malicious link that was added to a comment. 

"We primarily saw it target Outlook users, though not exclusively. It hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts," Fuchs added, noting that the email feature in Google Docs makes it difficult for scanners to stop the attack because the email comes directly from Google. 


Google is on most Allow Lists, Fuchs explained, and most users trust emails coming from Google. Anti-spam features are also helpless against the attack because the email doesn't use the hacker's email address, only their display name. No one would know whether the comment came from someone within their company or from somewhere else. 

"Further, the email contains the full comment, along with links and text. The victim never has to go to the document, as the payload is in the email itself. Finally, the attacker doesn't even have to share the document -- just mentioning the person in the comment is enough," Fuchs said. 

The company noted that last year, they reported another Google Docs exploit that also allowed hackers to easily deliver malicious phishing websites to end-users.

Avanan suggested users check multiple times before clicking on any links in a Google Doc comment sent to you. 

A number of cybersecurity experts reiterated that this kind of attack has been used for many years by cyberattackers because of how successful it is. 

Shawn Smith, director of infrastructure at nVisium, noted that the attack is not significantly different from many other methods of phishing. 

"Users should always be wary of links in emails -- even emails from legitimate senders -- due to the possibility of an account becoming compromised. It seems to me that this could be categorized less as an 'exploit' per se, and more so a case of a lack of spam prevention," Smith said. 

"In addition to checking links, users should also be hovering over links before clicking to confirm that the embedded hyperlink is sending them where they expect -- and not to a completely different site than the link indicates."

Editorial standards