Since the beginning of December 2021, a new tendency in phishing attempts developed, with threat actors focusing on the Google Docs commenting function to send out emails that appeared trustworthy.
Because most of the Employees working or collaborating remotely, use Google Docs, most of the receivers of these emails are familiar with these messages.
Because Google is being “tricked” into sending these emails, their odds of being flagged as potentially dangerous are essentially zero.
Since October of last year, the method has been under restricted exploitation, and while Google has moved to reduce the problem, it has not yet been completely applicable.
The Attack Vector
Attackers create a Google Document with a Google account and comment it with a @ to mention the target.
The target then receives an email from Google telling them that some other user has commented on a document and mentioned them.

There are no checking/filtering procedures because the email comment might contain harmful links that lead to malware-dropping web pages or phishing sites.
Second, the threat actor’s email address is not displayed in the warning, leaving the receiver with only a name to go on.
This makes imitation incredibly simple while also increasing the performers’ chances of success.
Using the same method with Google Slides

This approach may be used on Google Slide comments, and it is claimed to have witnessed actors using it on several Google Workspace features.
To make matters worse, attackers don’t even need to share the document with their targets because simply referencing them triggers harmful alerts.
Attacks in the Wild and Protection Measures
According to security researchers, the threat actors behind these attacks favour Outlook users, but the target demographic is not limited.
Over 100 Google accounts are being used in this continuing spear-phishing attack, reaching 500 inboxes across 30 firms. The only way to protect yourself against this and any similar campaigns are to:
- Verify that the sender email corresponds to your colleague’s (or claimed person’s)
- Avoid clicking on links included in comments that you get through email.
- Implement extra security precautions for Google Workspace, such as tougher file-sharing regulations.
- Use an internet security solution with phishing URL protection from a reputable provider.