Google Docs commenting feature exploited for spear-phishing
A new trend in phishing attacks emerged in December 2021, with threat actors abusing the commenting feature of Google Docs to send out emails that appear trustworthy.
Google Docs is used by many employees working or collaborating remotely, so most recipients of these emails are familiar with these notifications.
Since Google itself is being "tricked" into sending out these emails, the chances of email security tools tagging them as potentially risky are practically zero.
The trick has actually been under limited exploitation since October last year, and while Google has attempted to mitigate the issue, they haven't fully closed the vulnerability yet.
The same technique works on Google Slides comments too, and Avanan reports having seen actors leveraging it on various elements of the Google Workspace service.
As a mitigation, deploy additional security measures that apply stricter file-sharing rules on Google Workspace.