According to a recent Axios report, over 2 million monthly active users use G Suite products. In the 2017 Google I/O Conference, the organization mentioned that Google Drive alone has over 800 million daily users, and this figure is only increasing. If someone were to exploit a vulnerability in this famous collaborative work and educational platform, the consequences would affect millions. In a recent incident, cyber adversaries have targeted G Suite product users, exploiting a vulnerability in the ‘Comment’ option available in Google Docs, Google Sheets, and Google Slides. Here are the details about the breach and some recommendations on how to stop phishing emails.

What is the Issue?

Threat actors exploit an unpatched Google Doc vulnerability to send out legitimate-looking emails to users. They comment on a Google document tagging a user with an ‘@’ sign. Google sends a notification by email to the user wherein the comment is displayed, including its text and all embedded malicious links. Clicking on the links will take the user to a phishing site.

Since the email notification comes directly from Google, it is trusted and not blocked. Moreover, only the commenter’s name will be mentioned in the notification and not their full email address, making the user think it is a genuine contact. Thus, the chances of these spam emails getting detected or suspected are rare, making these attacks even more dangerous.

Since Google Docs is widely used for professional and educational purposes, using this application to con users has proved effective. People open an email instantly when the notification comes from Google Docs and contains a comment with their name tagged in it. The attackers can use the names of people or organizations known to the victim when sending these spam emails. The user is not even required to open Google Docs, as the entire comment (with all its embedded links) is visible in the notification email. Merely clicking on one of these embedded links leads the user to a phishing site that extracts their confidential information.


How Was it Discovered?

Cybersecurity researcher at Avanan, Jeremy Fuchs, recently reported the vulnerability in the Comment feature of Google Docs, which allows an attacker to email a user by tagging them in a comment on any Google Doc. As mentioned earlier, since Google Docs notifications are on Gmail's Allow List, spam filters do not flag these emails, and the attackers successfully land in the victim's inbox. Avanan reports that attackers exploit this vulnerability in Google Docs and other G Suite products like Google Sheets and Google Slides to target Outlook users and steal their personally identifiable information (PII).


How Long Has The Vulnerability Existed?

The following is the summary of information since the start of the threat and its subsequent progress.

  • In October 2021, cybersecurity experts reported adversaries were sending malicious URLs to unsuspecting G Suite users through the commenting feature in Google apps like Google Docs and Google Slides.
  • While Google claimed to have released some email phishing prevention measures to rectify the issue, the vulnerability is still being extensively exploited.
  • With Outlook users as the prime targets, the attackers have created over 100 fake email IDs to send these counterfeit comments with malicious links to over 500 inboxes.


How Are Attackers Exploiting The Vulnerability So Easily?

Adversaries can evade detection in this threat even when users implement the usual anti-phishing solutions. There are multiple reasons that make exploiting the Google Docs vulnerability so easy, as listed below:

  • The Google Docs notification doesn’t display the sender’s email address; it only mentions the username. This makes it very convenient for attackers to impersonate a genuine entity or individual, perhaps someone known to the victim. The user can’t check whether the email came from their colleague/friend/acquaintance (i.e., from that contact's actual address) or from an impersonating online threat actor.
  • Since the email notification is the result of a genuine comment on an actual Google Doc, it is almost impossible for spam filters to detect the malicious nature of the email.
  • Detection from the user’s end becomes challenging as they cannot check the email or the comment’s authenticity without opening it. And opening the email would lead them either to the Google document or the malicious link. Users usually open the embedded URL, which serves the attackers’ purpose (which could be to download malware on their device).
  • Another factor that makes detection difficult is that the email contains all necessary information, such as the whole comment, the texts, the links, etc. It implies that the payload is in the email itself, and users don’t necessarily need access to Google Docs.
  • Finally, there is no way to identify these malicious emails because all G Suite product-related emails are on most ‘Allow Lists’ by default. Until Google devises some way to scan the authenticity of these notifications, even the best phishing protection measures can’t track this attack vector.


What Must Users Do To Mitigate The Threat?

Since Google is yet to confirm this breach and release new patches for the vulnerability, anti-phishing solutions need to be adopted at an individual level to stay safe from these Google Docs-themed phishing emails. Some recommendations for users to stay safe are:

Use links only from the Google Docs page

The best step for users to take now is not to click on any links that arrive in the notification. A user may read the comment in the notification. Still, they must visit the original Google Docs page and verify who the commenter is before clicking on any link shared by them.

Verify sender authenticity

Before taking the comment seriously, cross-check and verify if the email address indeed belongs to the person/organization it claims to represent.

Look for composition errors

Users should also follow the common tips suggested for detecting phishing messages, such as checking the email for typos and grammatical errors, scrutinizing the attached links, etc.

Verify directly with genuine sender

In case of any uncertainty, it is advised to contact the supposed sender and verify whether they sent the email.

Robust Anti-ransomware protection

Organizational G Suite users might consider investing in powerful anti-ransomware protection software that secures the entire suite and ensures that file sharing is limited to explicitly added users.

Phishing URL detection

In addition, people who communicate through email frequently can invest in a good phishing URL detection plan that does more than spam email detection and ensures that harmful links are blocked before they reach the user’s inbox.
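The "payload is in the email itself" point made in the list above and the phishing URL detection recommendation here both come down to one check: a comment notification that is genuinely from Google can still carry links that point anywhere. The following is an added illustration written for this article, not code from Google, Avanan, or any vendor. It parses a constructed sample of a comment notification email, extracts every URL in the comment text, unwraps links that sit behind a google.com/url?q= redirector (an assumption about how such links may be wrapped, handled defensively), and flags the message when any link resolves to a non-Google host. The sender address, document ID and target domain in the sample are made up.

```python
"""Flag Google Docs comment notifications whose comment body links outside Google.

Added example for this article; not Google's or Avanan's code.
The sample message below is constructed for illustration.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed sample: a plain-text rendering of a comment notification.
# Every address, ID and domain here is a placeholder.
SAMPLE_NOTIFICATION = """\
From: "Alex Doe (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Alex Doe mentioned you in a comment in "Q1 Budget"
Content-Type: text/plain; charset="utf-8"

Alex Doe added a comment and mentioned you:

@victim@example.com please review the updated invoice here:
https://www.google.com/url?q=https://invoice-review.example.net/login
and the doc itself: https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit
"""

# Hosts that a legitimate Google Docs notification may link to.
GOOGLE_HOSTS = ("google.com", "docs.google.com", "drive.google.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_google_host(host: str) -> bool:
    """True only for Google hosts or their subdomains (not look-alikes)."""
    host = host.lower().rstrip(".")
    return any(host == g or host.endswith("." + g) for g in GOOGLE_HOSTS)


def unwrap_redirect(url: str) -> str:
    """Return the target of a google.com/url?q=<target> redirector, else url.

    Assumption: links in notification mail may be wrapped this way, so the
    real destination is the q= parameter rather than google.com.
    """
    parsed = urlparse(url)
    if is_google_host(parsed.netloc) and parsed.path == "/url":
        target = parse_qs(parsed.query).get("q")
        if target:
            return target[0]
    return url


def extract_links(raw_message: str) -> list:
    """All URLs in the plain-text body, with redirectors unwrapped."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return [unwrap_redirect(u) for u in URL_RE.findall(body)]


def external_links(raw_message: str) -> list:
    """Links whose final destination is not a Google host."""
    return [u for u in extract_links(raw_message)
            if not is_google_host(urlparse(u).netloc)]


def assess(raw_message: str) -> dict:
    """Summarise the notification: the sender being Google does not clear it;
    an external destination in the comment text is what makes it suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    links = extract_links(raw_message)
    external = [u for u in links if not is_google_host(urlparse(u).netloc)]
    return {
        "sender_is_google_notifier": is_google_host(sender_domain),
        "links": links,
        "external_links": external,
        "suspicious": bool(external),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_NOTIFICATION)
    print("Sender is Google's notifier:", result["sender_is_google_notifier"])
    for link in result["external_links"]:
        print("External link in comment text:", link)
    print("Suspicious:", result["suspicious"])
```

The design point is that the sender check is deliberately not the verdict: as the article notes, the notification really does come from Google, so a filter that trusts the sender domain waves the message through. The decision rests on where the links in the comment text actually lead once any redirector is unwrapped, which is exactly the part of the message the attacker controls.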


Final Words

Google Docs, Slides, and Sheets are widely used for corporate and institutional purposes. Hence, spear-phishing emails like these can affect millions of people’s privacy. Google needs to reconsider its email notification feature for collaborative platforms like these, which puts individuals and those connected to them at risk. In addition to enabling the security features provided by Google, one can consider employing supplementary anti-phishing and threat detection tools to ensure a comprehensive security posture.