Threat actors abuse Google Docs to spread phishing attacks


Even Google Docs has not been spared from abuse in cyberattacks: researchers found that threat actors have been exploiting its commenting feature to carry out phishing attacks since December last year.

Many employees worldwide are familiar with Google Docs email alerts. Receiving such an alert in their Gmail inbox may make them curious enough to open it, exposing them to the attack. Moreover, Gmail’s security tools do not flag these alerts as risky, since the alerts themselves look legitimate.

Google has known about the weakness since October last year, although it was not aggressively exploited until around December. The tech giant has attempted to mitigate it, so far without success.

As the phishing campaign drew attention across the cyber threat landscape, experts analysed how the Google Docs attack works.

Using easily created phoney Google accounts, threat actors create a Google Doc and then mention the victims’ Gmail addresses in a comment, which triggers a notification to the victims’ inboxes. These comments carry malicious links that lead to malware-dropping or phishing websites if the victim opens them without thinking carefully.

Furthermore, the email alert shows the victim only the commenter’s display name, which is fake, and not the threat actor’s email address. This impersonation makes the attack’s chances of success high. Threat actors also do not need to share the document with their targets, since mentioning them in a comment is enough to deliver the bait to their inboxes.

Aside from Google Docs, experts have also seen threat actors exploiting Google Slides, since the same technique works in that tool.

More than 100 Google accounts have already been created to run this ongoing spear-phishing campaign exploiting Google Docs, which has reportedly already hit over 500 victims across 30 organisations.

Google account users must also do their part to keep themselves safe from the campaign. Experts recommend first verifying that the sender of any email alert is someone familiar to the recipient, such as a family member or colleague. Second, avoid clicking without hesitation on any link received in the inbox, especially one that looks suspicious in the first place.

Where possible, users are also advised to enable the additional security measures available in Google Workspace, specifically those governing file-sharing settings. Security software from trusted vendors that includes phishing-URL protection can also help protect users from such attacks.
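The two signals the article describes (a comment-mention notification that exposes only a display name, and a link inside the comment pointing somewhere other than Google) are what a mail-triage check should key on. The following is an added example, not code from the article or from Google: it parses a constructed notification email, compares the commenter's display name against a list of known colleagues, and flags links whose host is outside an assumed trusted set. The sender address, document ID and hostnames in the sample are placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: hosts a genuine comment notification may legitimately link to.
# Any other host found inside the comment text is treated as attacker-supplied.
TRUSTED_LINK_HOSTS = {"docs.google.com", "drive.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
MENTION_RE = re.compile(r"^(?P<name>.+?) mentioned you in a comment", re.M)

# Constructed sample notification. The From address is a placeholder; the point
# is that only the commenter's display name is visible, never their address.
SAMPLE_NOTIFICATION = """\
From: Alice Example (Google Docs) <notifications@placeholder.invalid>
To: victim@example.invalid
Subject: Alice Example mentioned you in a comment

Alice Example mentioned you in a comment in "Q1 Budget"
Please review the updated invoice: http://invoice-update.example.invalid/login
Open the document: https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit
"""


def is_untrusted_host(url: str) -> bool:
    """True unless the URL's host is a trusted host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return not any(host == t or host.endswith("." + t) for t in TRUSTED_LINK_HOSTS)


def triage_notification(raw_email: str, known_commenters: set[str]) -> dict:
    """Flag a comment-mention notification whose commenter is unknown or whose
    comment carries links to hosts outside the trusted set."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    match = MENTION_RE.search(body)
    commenter = match.group("name").strip() if match else ""
    reasons = []
    if commenter not in known_commenters:
        reasons.append(f"unknown commenter display name: {commenter!r}")
    external = [u for u in URL_RE.findall(body) if is_untrusted_host(u)]
    if external:
        reasons.append("comment links to non-Google host(s): " + ", ".join(external))
    return {"commenter": commenter, "external_links": external,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    result = triage_notification(SAMPLE_NOTIFICATION, {"Bob Colleague"})
    for reason in result["reasons"]:
        print("SUSPICIOUS:", reason)
```

Because the display name is attacker-chosen, a name match alone clears nothing; the link check is the stronger signal and both should be reported together.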
