Comments Fields in Google Documents, Sheets and Slides Used to Launch Phishing Attacks

Be extra cautious about clicking on Google Docs and Google app links that allow tagging you for comments. Google Docs, Sheets and Slides also use comments that can be shared through email. Anyone can set up a Gmail account, but the recipient will not see the sender's address, only the account name. So the scammer can append @your company in the email message, making it look legitimate. If in doubt, it is always good to contact the sender via alternative methods to verify.

“These attacks seem to be targeting Outlook users but not exclusively, says researcher Jeremy Fuchs, of Avanan. Attackers can easily create a fake Gmail account and tag users in links asking them to look over. Along with the message the attacker can include a phishing link.” An article in Tripwire explains:

"Avanan researcher Jeremy Fuchs writes that the latest attack he has seen targeted Outlook users – although not exclusively:

“It hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts.”

"The problem is compounded by the emails not containing the attacker’s email address, but just their display name.

In other words, a malicious attacker could create a free Google account of “”, for instance, and use it to pose as “”. If the intended target also worked at “” then they might easily be fooled into thinking it was a genuine notification about a comment left in a Google Doc by one of their colleagues.

The technique could be used to spread links pointing to malware, as well as phishing links that may attempt to steal login credentials from unwary users."
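A mail-triage check for the pattern described above, as an added example that is not from the Tripwire article or from Avanan: it flags comment notifications whose display name carries your organisation's domain or whose body links leave Google. The notification sender address, the Google host suffix list and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not from the article: the notification sender address and the
# host suffixes treated as Google-owned. Adjust both to what your mail shows.
NOTIFY_SENDERS = {"comments-noreply@docs.google.com"}
GOOGLE_SUFFIXES = ("google.com",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

SAMPLE = (  # constructed message, not taken from the article
    'From: "Pat Smith @example.com" <comments-noreply@docs.google.com>\n'
    "To: recipient@example.com\n"
    "Subject: Pat Smith mentioned you in a comment\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please look this over: http://login.example.net/verify\n"
    "Open: https://docs.google.com/document/d/CONSTRUCTED/edit\n"
)

def is_google_host(host):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)

def body_text(msg):
    """Concatenate every text part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw, org_domain):
    """Return reasons a comment notification needs manual verification."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if addr.lower() not in NOTIFY_SENDERS:
        return []  # not a comment notification, out of scope for this check
    reasons = []
    # The display name is chosen by the account owner, so the organisation's
    # domain appearing in it says nothing about who actually left the comment.
    if org_domain.lower() in display.lower():
        reasons.append("display name mentions org domain")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body_text(msg))}
    for host in sorted(h for h in hosts if h and not is_google_host(h)):
        reasons.append("non-Google link: " + host)
    return reasons
```

An empty result does not confirm who left the comment, since the link may also point at content hosted on Google itself; verifying with the sender through another channel still applies.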

Have you seen these? Discuss it here!
