Google Docs: Cybercrooks Use Phishing Attacks To Spread Malware

by | January 10, 2022 | Cybersecurity News

Scammers are abusing the Google Docs comment feature to inject malware via phishing attacks.

Phishing Attacks Exploiting The Comment Feature in Google Docs

Security firm Avanan spotted in December a surge of phishing attacks abusing the comment feature, targeting primarily Outlook users. Hackers send ill-intended content by utilizing productivity features.

“In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators,” Avanan’s report said. 

Check the phishing email examples below:

The Google Docs phishing scam leverages the comment feature.
Credit: Avanan

In a statement to 9to5google, Google wrote that they are “rolling out additional measures” to prevent this type of scam from being posted in comments on Docs, Slides, and other Google Workspace files. These new security controls are just part of Google’s active efforts to detect and shut down new phishing operations.

Hacking Humans Instead Of Systems

“Weaponizing documents for phishing is a tried and true approach to establishing a foothold into an enterprise, and reinforces one of the fundamental truisms of the field: You can hack the systems or you can hack the humans.  As it relates to hacking humans, this is always something of an arms race — adversaries are always pursuing novel ways of tricking humans via some trusted vehicle of delivery, while network defenders manage the fallout,” Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based AI cybersecurity company.

“At the end of the day, compromised users and systems will occur given time, motivation, and resources on behalf of an adversary — detecting and responding to that inevitability before material damage can be done is the hallmark of an effective security program.”

Avanan also provided a few recommendations to help you protect your business against these phishing attacks:

  • Before clicking on Google Docs comments, encourage end-users to cross-reference the email address in the comment to ensure it’s legitimate
  • Remind end-users to utilize standard cyber hygiene, including scrutinizing links and inspecting grammar
  • If unsure, reach out to the legitimate sender and confirm they meant to send that document
  • Deploy protection that secures the entire suite, including file-sharing and collaboration apps

Educate Your Employees With ATTACK Simulator’s Phishing Simulations

Thinking you’ll dodge the bullet (or hook)? Think again. Figures paint a rather grim cybercrime landscape.

Phishing attacks can be catastrophic, resulting in immense financial damage or even the end of your business.

You need security awareness training for your employees for many reasons:

  • To prevent cyberattacks and breaches
  • To strenghten your technological defenses
  • To attract more customers
  • To make you more socially responsible
  • To empower your employees
  • To meet compliance standards
  • To prevent downtimes and maintain a good reputation

Our realistic phishing simulations will expose your employees to life-like hands-on fake phishing attacks.

Here are some awesome perks of choosing us:

  • Automated attack simulation – we simulate all kinds of cyberattacks: phishing, malware, ransomware, spear-phishing, identity theft, online privacy attacks, online scams etc.
  • Real-life scenarios – we evaluate users’ vulnerability to give company-related or pesonal data away using realistic web-pages.
  • User behavior analysis – we gather user data and compile it in extensive reports to give you a detailed picture of your employees’ security awareness level.
  • Malicious file replicas – our emails contain malware file replicas, to make the simulation as realistic as it can be.
  • Interactive lessons – if employees fail to recognize our traps and fall into one, they will be redirected to landing pages with quick reads on the best security practices.
  • We impersonate popular brands on our simulated phishing pages – the user will be more tempted to click on the URL or open the attachment in the email.

ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irremediable damage.

Would your employees take the bait? Put them to the test with our free security awareness training trial and know for sure!


Security Magazine Attackers exploit Google Docs with malware, phishing

Avanan Google Docs Comment Exploit Allows for Distribution of Phishing and Malware

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.