Home & Office

Google: To stop phishing and malware we're changing our comment notifications

Google has updated the information it delivers with comment notifications to stop phishing attacks.
Written by Liam Tung, Contributing Writer on

Google has made a small but important change to how it presents comment notifications in Docs messages to help users spot phishing email attempts. 

Over the past year, Google Workspace app Docs has gained new collaboration features like @mentions that aim to modernize productivity software. But as ZDNet's Jonathan Greig noted in January, hackers were exploiting the feature by adding @mentions in Docs that trigger an email to the target's inbox. 

In that attack, the commenter mentions the target with an @ and then an email is automatically sent to the target's inbox. The email arrives from Google with the full comment as well as potentially malicious links and text. 

SEE: Cybersecurity: Let's get tactical (ZDNet special report)

But as security firm Avanan noted at the time, the main problem was that the message triggered by the @mention didn't display the email address of the commenter – only their name. The absence of the commenter's email address made it easier for the attacker to phish a target for credentials by pretending to be someone the recipient knows and trusts.

Google has responded to this phishing attack by now including the email address of the person who @mentioned another person to generate the email from Google.   

"When someone mentions you in a comment in a Google Workspace document, we send you an email notification with the comment and the commenter's name. With this update, we are adding the commenter's email address to the email notification," it notes on its Workspace updates blog.  

Google says it hopes that users "feel more confident that you're receiving a legitimate notification rather than a spam or phishing attempt by a bad actor."

It's a small change on Google's side that should help not just Gmail users but also Microsoft's Outlook users. Avanan found that most of the automatically generated comment emails were targeted at Outlook users. The fact that the email comes from Google also helped bad actors evade email filtering systems since Google is generally trusted. 

Google says the update is available for all Workspace customers, legacy G Suit Basic and Business customers, as well as users with a personal Google account. 

Google also updated Workspace to counter information leaks. Workspace admins can now see events in Drive audit logs that happened in their own organization as well as external organizations. 

The Drive audit log includes content that users create in Google Docs, Sheets, and Slides. 

Google has updated its support page for the feature: "Some events involve domains outside your own; for example, when a user copies a file to another domain. Some of these events are reported in the Drive audit logs of both your domain and the external domain. Names of external documents are not included in audit log entries."

Now, actions including moving, copying, and changing access on Drive items that can involve external domains are reported in the Drive audit logs of both domains, it said.

Editorial standards