“Starting in December 2021, Avanan observed a new, massive wave of hackers leveraging the comment feature in Google Docs, targeting primarily Outlook users,” said researcher Jeremy Fuchs.
The comment feature across the Google suite has become an attack vector for hackers, he claimed in a report.
Avanan said it notified Google of this flaw on January 3, using the “report phish through email” button within Gmail.
Google had yet to react to the report.
In one such attack, hackers add a comment to a Google Doc. The comment mentions the target with an ‘@’. Doing so automatically sends an email to that person’s inbox.
“In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators,” said the report that came out on Thursday.