Jan 11, 2022

Phishing lures await in Google Docs comments


Despite the increased use of productivity tools in the enterprise, email remains a favored attack vector for bad actors, because credentials for platforms such as Slack are less sought after by cybercriminals. Attackers often launch their campaigns from compromised email accounts.
Phishing attacks cost U.S. companies $15 million on average in 2021, a stark rise from the 2015 average of $3.8 million, according to Ponemon Institute. Business email recovery costs almost $6 million a year for companies.
The Google Docs phishing threat does not even require legitimate emails for impersonation — only for targets. 
Because comment notifications are sent directly from Google, the sending address is on “most allow lists” used to vet incoming email, Avanan said. That lets bad actors slip past traditional scanners, anti-spam filters and the human instinct to question an unfamiliar message.
Google only tells users who mentioned them in a comment, not the email address of that person, so recipients cannot tell whether the comment came from inside the company.
Avanan illustrated the example with the address “[email protected].” If that user were to send a comment containing a malicious link, the target would only see “Bad Actor mentioned you in a comment,” the company said. 
“If Bad Actor is a colleague, it will appear trusted,” Avanan wrote. “The email contains the full comment, along with links and text. The victim never has to go to the document, as the payload is in the email itself.” Bad actors don’t even have to share the entire document; the email notification alone is sufficient for phishing.
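The notification described above cannot be vetted by its sender address, since that address is Google's, nor by the commenter's name, since the notification omits the commenter's email address. What a mail gateway can still inspect is the comment body the notification carries. The following is an added example, not code from the article or from Avanan, of a triage rule that parses a Google Docs comment notification and flags any link pointing outside Google-owned domains. The sender address comments-noreply@docs.google.com, the trusted-domain list and the sample message are all assumptions constructed for the example; adjust the sender and domain list to what your own mail logs show.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (not from the article): Google Docs comment notifications arrive
# from this address. Check your own mail logs and adjust if needed.
GOOGLE_COMMENT_SENDER = "comments-noreply@docs.google.com"

# Domains a genuine Google-generated notification is expected to link to.
# Any other link inside such a notification is the part the attacker controls.
TRUSTED_LINK_DOMAINS = ("google.com", "googleusercontent.com")

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample notification for this example; not a real message.
# The "From" is Google's; only the comment text (and its link) is the attacker's.
SAMPLE_NOTIFICATION = """\
From: "Bad Actor (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Bad Actor mentioned you in a comment in "Q1 Budget"
Content-Type: text/plain; charset="UTF-8"

Bad Actor mentioned you in a comment:

@victim@example.com please review the updated figures here:
https://docs-share-review.example.net/login

Open the document: https://docs.google.com/document/d/EXAMPLE/edit
"""


def link_domain(url: str) -> str:
    """Return the lowercased host of a URL, with any port stripped."""
    return urlparse(url).hostname or ""


def is_trusted_domain(host: str) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def triage(raw_message: str) -> dict:
    """Parse one notification and report whether it carries an untrusted link.

    The display name is returned for the analyst but deliberately not used in
    the verdict: the notification gives no address to check it against.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, sender_addr = parseaddr(msg["From"])
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    links = URL_RE.findall(body)
    untrusted = [u for u in links if not is_trusted_domain(link_domain(u))]
    from_google = sender_addr.lower() == GOOGLE_COMMENT_SENDER

    return {
        "from_google_notification": from_google,
        "display_name": display_name,
        "links": links,
        "untrusted_links": untrusted,
        # The rule fires only for the Google-sent notification case the
        # article describes: a trusted sender carrying an attacker's link.
        "suspicious": from_google and bool(untrusted),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_NOTIFICATION)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Keying the rule on the embedded link rather than on the sender or the commenter's name is the point: the sender will always pass, and the name is whatever the attacker typed into their Google account profile. A hit should be routed to the same queue as any other credential-phishing lure, and the flagged domain is a candidate for a URL-rewriting or block rule.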
Exploits in Google Docs were uncovered in October 2020, and Shulin Ye posted mitigation guidance in a Gmail Help forum. Google did not completely rectify the situation from 2020, and bad actors are taking advantage of the apparent trustworthiness of notifications sent by the apps Google provides.
In June, Avanan found bad actors creating webpages resembling a Google Docs sharing page, and uploading them to Google Drive. “Simply insert this link into an email and hit send,” the company said. Avanan has since found a “wave” of attackers using email and the productivity tool as vectors via impersonation and phishing, this time with less effort through comment mentions. 
