Whether you’re an event planner or digital creator, it can be a challenge to stay on top of waivers, contracts, and other documents that need to be signed.

Finally, the attacker doesn’t even have to share the document; just mentioning the person in the comment is enough.

Avanan notified Google of this flaw on January 3rd, via the report phish through email button within Gmail.

You can easily sign important documents right in Google Docs.

The victim never has to go to the document, as the payload is in the email itself. Further, the email contains the full comment, along with links and text. If Bad Actor is a colleague, it will appear trusted. It will just say “Bad Actor” mentioned you in a comment in the following document. The end-user will have no idea whether the comment came from or. For this example, let’s say the intended target has a work address of. They can then create a Google Doc, insert a comment and send it to their intended target. This makes it harder for anti-spam filters to judge, and even harder for the end-user to recognize.

For example, a hacker can create a free Gmail account, such as. Secondly, the email doesn’t contain the attacker’s email address, just the display name. Google is on most Allow Lists and is trusted by users. There are several ways that make this email difficult for scanners to stop and for end-users to spot.

For one, the notification comes directly from Google. It hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts. We primarily saw it target Outlook users, though not exclusively. In this email attack, hackers found a way to leverage Google Docs, and other Google collaboration tools, to send malicious links. This technique works across the Google suite. All the hacker has to do is mention it in the comment. In this email, Avanan researchers tested this flaw with an example comment that includes a malicious link.

Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators. In that email, which comes from Google, the full comment, including the bad links and text, is included. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In this attack, hackers are adding a comment to a Google Doc. In this attack, hackers are utilizing productivity features in Google Docs to send malicious content. In this attack brief, Avanan will analyze how the comment feature across the Google suite has become an attack vector for hackers. Starting in December 2021, Avanan observed a new, massive wave of hackers leveraging the comment feature in Google Docs, targeting primarily Outlook users. This known vulnerability has not been fully closed or mitigated by Google since then. Last October, it was reported that hackers could easily send malicious links through comments in Google apps like Docs and Slides. Now, hackers have found a new way to do the same thing. In June, Avanan reported on an exploit in Google Docs that allowed hackers to easily deliver malicious phishing websites to end-users. That seamless nature is being targeted by hackers.

Employees across the globe can work, in real-time, together. Google Docs, as well as the larger Google Workspace, is ideal for productivity and collaboration.
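Because the notification is sent by Google and shows only a display name, sender allow-listing passes it; a mail-triage check has to key on the comment text carried in the body instead. The sketch below is an added example, not code from Avanan or Google: the sample message, the trusted-suffix list and the function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains a genuine notification itself links to; tune per tenant.
TRUSTED_SUFFIXES = ("google.com", "gstatic.com", "googleusercontent.com")
MENTION_RE = re.compile(r"mentioned you in a comment", re.I)  # phrase quoted on the page
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample: sender address and layout are illustrative, not a capture.
SAMPLE = """From: "Bad Actor (Google Docs)" <comments-noreply@docs.google.com>
To: employee@example.com
Subject: Quarterly plan
Content-Type: text/plain; charset=utf-8

Bad Actor mentioned you in a comment in the following document.
Please review before Friday: http://phish.example.net/login
Open: https://docs.google.com/document/d/CONSTRUCTED/edit
"""

def is_trusted(host):
    """Exact or dot-bounded suffix match, so 'evilgoogle.com' does not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message):
    """Return a finding for a Google comment notification, else None."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = body_text(msg)
    if not (is_trusted(domain) and MENTION_RE.search(body)):
        return None
    # Links the commenter typed travel inside the trusted message body.
    external = sorted({u for u in URL_RE.findall(body)
                       if not is_trusted(urlparse(u).hostname)})
    return {"display_name": display, "sender_domain": domain,
            "external_links": external}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A finding with a non-empty `external_links` list is a candidate for URL scanning or quarantine review; the display name is reported only so an analyst can compare it against the directory, since the notification never shows the commenter's address.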