Abusing legitimate sites for illegitimate purposes.
N2K logoMar 9, 2023

Google services abused to send phishing links.

Abusing legitimate sites for illegitimate purposes.

Avanan warns that an ongoing phishing campaign has abused comments in Google Workspace documents to target nearly a thousand companies over the past two weeks.

Phishing messages via legitimate Google notifications.

The researchers explain that an attacker can create a free Google account, then simply mention the targeted user in a Google sheet. The target will then receive a legitimate notification from Google informing them that they’ve been mentioned in the document. If the recipient clicks the Google Scripts link included in the email, they’ll be redirected to a phony cryptocurrency site.

While the delivery technique is effective, Avanan notes that the social engineering aspects of this particular campaign could use some grammatical refinement. The message written by the scammers states, “Hello dear user of the system! They wrote to you to the account the withdrawal of cash, nevertheless, You have not ordered a withdrawal.” (And of course, “sic”--that’s how the crooks write.)

Avanan warns, however, that users should be on the lookout for more sophisticated campaigns using this technique.


Avanan outlines some security best practices for users:

  • “Before clicking on Google Docs comments, encourage end-users to cross-reference the email address in the comment to ensure it’s legitimate
  • “Remind end-users to utilize standard cyber hygiene, including scrutinizing links and inspecting grammar
  • “If unsure, reach out to the legitimate sender and confirm they meant to send that document”