The comment features in Google Docs is being exploited by hackers to spread malicious spam and phishing messages.
  • Fraudsters are creating Google documents, spreadsheets and presentations. In the comments section of these documents they are adding comments that ‘tag’ a targeted victim’s email address.
  • Victims then receive an email that refers to the comment in the document. There is a live link in the email to the ‘comment’. If the link is clicked malware then downloads.
The problem is that Google sees the tagged email address in the comment as legitimate. It then automatically sends a link to the document’s content, which unknowingly also includes the malicious links.
  • Because the emails are sent by Google they look legitimate and certainly not a phishing mail. The problem is compounded by the emails not containing the attacker’s email address, but just their display name.
In short the emails look legitimate and an unwary user, their curiosity piqued by the email, could easily click on the malicious link.

An attacker can create a free Google email account and name it, for instance, as jasminerandall@topshop.com to pose as an employee of the fashion retailer Top Shop. As such they could then target employees of the retailer who may will be fooled into thinking it’s a genuine notification about a comment left in a Google Doc by one of their colleagues.

At the same time home users can be equally fooled and may just click on a malicious link because the email looks legitimate and they think the document has been mistakenly sent to them. To date, the recipients of these emails have largely been people with Microsoft Outlook email addresses.
  • As of 2020 Google G Suite, which includes Gmail, Google Docs, Google Sheets and other productivity tools, had over two billion monthly active users. The pool of potential victims is certainly large which may spur on cyber villains to exploit this ‘flaw’ on an ever larger scale.
  • As always, be cautious about clicking on suspicious links even if the email appears to be genuine. And specifically with Google Docs, contact the sender by some other means to see if they genuinely tagged you in a Google Doc.
  • The same caution should also be applied to other collaborations apps too such as GoToMeeting, Slack, Dapulse and others. If you’re not working on a shared document and receive a notification about a shared document proceed with caution.