A flaw has been detected in the comment feature of Google Docs that is allowing cybercriminals to compromise users with phishing emails.
A cyber threat research team has reported that hackers are using the “Comments” feature of Google Docs to send malicious links in a phishing campaign. The researchers also noted in their findings that the group primarily targeted Outlook users.
Researchers from email collaboration and security firm Avanan, a Check Point company, discovered what they call “a new, massive wave of hackers” leveraging the comment feature in Google Docs during December 2021 to execute attacks, Avanan cybersecurity researcher/analyst Jeremy Fuchs wrote in a report published on Thursday.
The team said that the hackers mention the target with an @ in a comment on a Google Doc, which causes an email to be sent automatically to that person's inbox. The email includes the malicious links and text. Furthermore, the researchers said that the commenter's email address is not shown, only the attacker's display name.
The attackers, who have already hit more than 500 users across 30 different locations using more than 100 different Gmail accounts, are difficult to catch for now, according to the researchers at Avanan.
"In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators," states Jeremy Fuchs, cybersecurity researcher/analyst at Avanan.
Fuchs also shared an example illustrating the attack: "let’s say the intended target has a work address of vic.tim@company.com. The end-user will have no idea whether the comment came from bad.actor@gmail.com or bad.actor@company.com. It will just say 'Bad Actor' mentioned you in a comment in the following document," Fuchs says. "If Bad Actor is a colleague, it will appear trusted. Further, the email contains the full comment, along with links and text."
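The notification mechanics Fuchs describes lend themselves to a simple mail-triage check on the receiving side: pull the links out of the embedded comment, flag any that point outside approved domains, and treat a commenter display name that matches a colleague as unverifiable, since the notification carries no sender address to confirm it. The following script is an added example, not Avanan's or Google's code; the sample notification, the allowed-domain list and the staff directory are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample of a Google Docs comment-notification email, shaped like the
# one the article describes: Google is the sender, the comment text (links included)
# is embedded, and only the commenter's display name appears, never their address.
SAMPLE_NOTIFICATION = """From: "Bad Actor (Google Docs)" <comments-noreply@docs.google.com>
To: vic.tim@company.com
Subject: Bad Actor mentioned you in a comment

Bad Actor mentioned you in a comment in the following document
Q4 Budget Review
@vic.tim@company.com please review the updated figures here:
https://login-company.example.net/review
"""

# Hypothetical allowlist and staff directory; both are assumptions for this example.
ALLOWED_LINK_DOMAINS = {"docs.google.com", "company.com"}
STAFF_DISPLAY_NAMES = {"Bad Actor", "Alice Example"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
MENTION_RE = re.compile(r"^(?P<name>.+?) mentioned you in a comment", re.MULTILINE)


def _is_allowed(host: str) -> bool:
    """True when host is an allowed domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_LINK_DOMAINS)


def triage_comment_notification(raw_email: str) -> dict:
    """Return risk indicators for one comment-notification email."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    match = MENTION_RE.search(body)
    commenter = match.group("name").strip() if match else None
    external_links = sorted(
        {u for u in URL_RE.findall(body) if not _is_allowed(urlparse(u).hostname or "")}
    )
    # The notification never carries the commenter's address, so a name matching a
    # colleague cannot be verified from the email alone: flag it as possible impersonation.
    looks_like_colleague = commenter in STAFF_DISPLAY_NAMES
    return {
        "commenter": commenter,
        "external_links": external_links,
        "unverifiable_colleague_name": looks_like_colleague,
        "suspicious": bool(external_links) or looks_like_colleague,
    }


if __name__ == "__main__":
    print(triage_comment_notification(SAMPLE_NOTIFICATION))
```

A flagged notification should be verified by opening the document directly in Google Docs, where the commenter's account is visible, rather than by following the links in the email.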