It seems like users are now paying the price for Google not fully closing or mitigating a vulnerability in the comment feature of Google Docs—since December a “massive wave” of hackers have exploited the flaw through impersonation and phishing to send malicious content to those using email—primarily Outlook—and Google Docs, according to researchers at Avanan.
The targets? Just about any end user.
Taking advantage of the “seamless nature” of Google Docs that lets employees collaborate in real-time around the globe, the hackers simply add a comment to a Google Doc that mentions the target with an @.
“By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included,” Avanan researchers wrote in a blog post. “Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators.”
Avanan observed the hackers hitting more than “500 inboxes across 30 tenants … using over 100 different Gmail accounts.”
“Weaponizing documents for phishing is a tried-and-true approach to establishing a foothold into an enterprise, and reinforces one of the fundamental truisms of the field: You can hack the systems or you can hack the humans,” said Tim Wade, technical director, CTO team at Vectra. “As it relates to hacking humans, this is always something of an arms race—adversaries are always pursuing novel ways of tricking humans via some trusted vehicle of delivery, while network defenders manage the fallout.”
At the end of the day, he said, “compromised users and systems will occur given time, motivation and resources on behalf of an adversary—detecting and responding to that inevitability before material damage can be done is the hallmark of an effective security program.”
The hackers Avanan tracked were able to circumvent scanners and avoid the watchful eyes of end users because the notification comes directly from Google, which is not only trusted by users but also appears on most Allow lists. “Secondly, the email doesn’t contain the attacker’s email address, just the display name,” the researchers said. “This makes it harder for anti-spam filters to judge, and even harder for the end-user to recognize.”
“Even before document creation and collaboration moved to the cloud, documents were an effective phishing and malware delivery tool for threat actors,” said Hank Schless, senior manager, security solutions, at Lookout. “The threat of fake or malicious email attachments is part of the reason that the MTA market was born, as organizations wanted a way to scan inbound messages for malicious attachments.”
With the mass migration to the cloud, “collaboration platforms like Google Workspace have long been leveraged by threat actors as an effective threat vector. Since so many organizations use these platforms to get work done more efficiently, especially across multiple internal or external teams, we’ve been conditioned to click into any notification we get from Docs, Sheets and Slides,” said Schless. “As with so many other tactics, threat actors rely on our inherent trust in certain platforms, apps, and devices to trick us into interacting with their nefarious campaigns.”
In the attacks observed by Avanan researchers, “it’s easy for actors to target anyone,” he said, including whole enterprises. “If they wanted to go after a particular organization and figured out the format of employee emails, then a quick LinkedIn search would tell them exactly who to go after,” said Schless. “Whether they come via email, SMS or a third-party messaging platform, the attacker could simply set up a fake Google login page and have the targeted user enter their credentials to gain access to the document they’re tagged in.”
And hackers only have to lure a single user into falling for their tricks. “Once an attacker has those legitimate credentials in hand, they can enter the infrastructure under the guise of a legitimate user and move laterally until they find valuable assets to exfiltrate or encrypt,” Schless explained.
No doubt, it’s time for organizations to up their game to safeguard against impersonation, phishing and other techniques. “This incident highlights the importance of having visibility into how your users interact with cloud apps and the data stored within them,” he said.
Indeed, “attackers abusing the Google Docs comment section for the sake of spreading malware and malicious links is another legitimate reason for security teams to extend their zero-trust architecture beyond the identity and network levels,” said Adam Gavish, co-founder and CEO at DoControl. “Applying the zero-trust model on the data layer can help achieve a least-privilege model and significantly reduce the scope for attackers to exploit loopholes such as the one within the Google Docs comment section.”
Avanan researchers suggested that organizations “encourage end-users to cross-reference the email address” in a Google Docs comment before clicking it to ensure its legitimacy.
“While this is a serious problem, it’s not significantly different from many other methods of phishing,” said Shawn Smith, director of infrastructure at nVisium. “Users should always be wary of links in emails—even emails from legitimate senders—due to the possibility of an account becoming compromised. It seems to me that this could be categorized less as an ‘exploit’ per se, and more so a case of a lack of spam prevention. In addition to checking links, users should also be hovering over links before clicking to confirm that the embedded hyperlink is sending them where they expect—and not to a completely different site than the link indicates,” said Smith.
If users are unsure that a sender is on the up-and-up, they should contact the legitimate sender for confirmation that they sent a document, Avanan said.