google doc weaknessFrom students to corporate executives, workgroups of all types benefit from both Google Docs and the larger Google Workspace platforms. Due to the preponderance of remote work during the pandemic, groups have remained productive thanks to the productivity these programs have made possible. However, hackers have also discovered the rich trove of opportunities.

In June, an exploit in Google Docs was discovered. It gave bad actors a way to send phishing websites to end-users. Four months later, they expanded their scheme and figured out how to send similar links via comments in apps like Docs and Slides. In December, further vulnerabilities were discovered that impacted Outlook users who were taking advantage of the program’s comment feature.

The attack commonly occurs when a hacker adds a comment to a Google Doc that mentions a targeted person’s name. As a result, the target is automatically emailed the complete statement, including a malware-infested link. More disturbingly, the email comes from Google itself, which is trusted by most users and is not usually sent to spam via a filter. Moreover, the notification only shows a display name and does not contain the bad actor’s email address. That makes it even more difficult for an end-user to filter out or recognize the criminal nature of the phishing attempt.

The best way to protect yourself against this form of attack is to do the following:

  • Never click on a Google Docs comment without first viewing the email address to make sure it is legitimate
  • When in doubt, contact the sender before taking further action
  • Emphasize the importance of standard cyber hygiene practices
  • Shield the security of your entire software suite

Collaboration and file-sharing remain crucial in today’s global society. Build up a solid digital perimeter to safeguard both end-users and the data they transmit.