December saw a rise in Google Docs being used to send malicious emails as threat actors abused the comments feature to send messages which are hard to differentiate from legitimate messages from colleagues.
According to a new report from security firm Avanan, the comments feature of Google Docs and Google Sheets can be abused very easily to send emails containing malicious and phishing links. When creating a comment in a Google Docs file, you can mention another user with the convention @<name>, which causes Google to automatically send that person an email containing the contents of the comment, including any URL within it. This feature is ripe for abuse because the email from Google includes only the name, not the email address, of the person who created the comment, making it trivial to impersonate another user and increasing the chances of the victim clicking the link embedded in the comment.
The notification emails are sent directly from Google and do not contain the email address of the originator, making it harder for spam filters to distinguish them from legitimate Google Docs notification emails.
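As an added example (not code from the post or from Avanan), a minimal check a mail team could run over inbound notifications: it recognises a Docs comment notification by its From address (assumed here to be comments-noreply@docs.google.com) and lists any link in the comment body that points outside Google's domains, which is the signal the missing sender address denies a spam filter. The sample message is constructed.

```python
"""Flag Google Docs/Sheets comment notifications that link outside Google."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumption: Google sends comment notifications from this address.
NOTIFICATION_SENDERS = {"comments-noreply@docs.google.com"}
# Domains a genuine notification is expected to link to (e.g. the "Open" link).
TRUSTED_DOMAINS = {"google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _host_is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def _body_text(msg: Message) -> str:
    # Collect plain and HTML parts; single-part mail is handled the same way.
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def suspicious_links(raw_email: str) -> list[str]:
    """Return external URLs in a comment notification; [] for other mail.

    Only notification mail is checked, because that is the case the post
    describes: the commenter's real address is absent, so the link target
    is the most useful remaining signal."""
    msg = message_from_string(raw_email)
    if not any(addr in msg.get("From", "") for addr in NOTIFICATION_SENDERS):
        return []
    urls = URL_RE.findall(_body_text(msg))
    external = {u for u in urls
                if not _host_is_trusted((urlparse(u).hostname or "").lower())}
    return sorted(external)

# Constructed sample: a notification whose comment carries an external link.
SAMPLE = """From: "Jane Doe (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Jane Doe mentioned you in Q4 budget
Content-Type: text/plain; charset=utf-8

Jane Doe mentioned you in a comment on Q4 budget:
@victim@example.com please review the updated figures here:
https://invoice-review.example.net/login
Open: https://docs.google.com/document/d/abc123/edit
"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE))
```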
Until Google adjusts the notification emails to make malicious senders easier to spot, the best defence is to remind your team to be on the lookout for phishing emails and to reinforce the principles covered in your security awareness training, namely:
- Consider whether an email like this is expected from this person; if not, check with the sender by phone before clicking any links
- Is the system one your company uses? Is a Google Doc comment expected if your business usually uses Microsoft 365 products?