Watch Out for Gmail Bait & Google Doc Comments Attacks

January 20, 2022

Cybercriminals are always looking for fresh ways to get close to their victims and catch them when they’re least expecting it. Savvy employees paid attention during security awareness training and know at least some of the common red flags that indicate a message isn’t as benign as it seems. That creates a big problem for the bad guys. So they have to come up with novel ways to get their malicious messages to their targets and convince these targets that communications are harmless by popping them up in uncommon places or delivering them in unexpected ways – like these two creative phishing schemes involving Google Workspace and Gmail. 




Cybercriminals Leave No Stone Unturned


Reaching Google users matters to bad actors because so many businesses run on the free, useful tools that Google Workspace and Gmail provide. A bane to cybercriminals and a boon to users, Google in general and Gmail specifically have a respectable record of catching phishing messages and spotting malicious links. The company reports that since May 2021 it has blocked 1.6M messages to targets, displayed 62K Safe Browsing phishing page warnings, blocked 2.4K files and restored 4K accounts, decreasing the volume of related phishing emails on Gmail by 99.6%.

But that’s not stopping cybercriminals from trying to get their poisonous cargo through to unfortunate users. A study found that 1 in 3 employees are likely to click the links in phishing emails. To cybercriminals, barriers are just challenges to be overcome with a little creativity, and there’s never a shortage of that in cybercrime. Instead of trying to slip a conventional phishing email past security filters, they’re taking two newer approaches to catch employees.




Gmail Bait Phishing Schemes 


This devious variety of phishing is heavily based on social engineering and is built around the fact that employees (and security solutions) are on the lookout for the common signs of a phishing message, like bad grammar, misspellings, links and attachments: the opening message deliberately contains none of them. Sometimes called “reconnaissance attacks,” these campaigns aim to lull the recipient into a false sense of security by establishing a friendly dialogue first, and only then entice them to click a link or download a file.

In most cases, bait phishing starts with a seemingly innocent, cordial message that serves two purposes: testing and/or penetrating the intended recipient’s email security defenses, and verifying that the email address is in active use. This message generally contains no malicious links or files, and it solicits no action from the recipient beyond a response. The bad guys’ goal is to locate potential targets who are likely to interact with future messages and to kick off a conversation.

If the target is receptive to the first message, typically indicated by replying to it, the scammer then starts the general phishing process, and subsequent messages may go after credentials or carry malicious links or attachments. Because those later messages arrive inside an existing thread with a sender the victim has already answered, and because they avoid red flags like improper formatting, they are also better at getting past security tools. It is common for the messages in this version of phishing to originate from Gmail: 91% of cybercriminals engaged in bait phishing use Gmail, and they benefit from the fact that Gmail is so widely used that a newly created Gmail address isn’t going to raise suspicion or appear on anyone’s blacklist.
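The two-stage pattern described above is also what makes bait attacks detectable: the first message is harmless on its own, but a sender that sends a payload-free, reply-soliciting first-contact message from a freemail address and then follows up with a link or attachment is worth escalating. The following is an added example, not code from the original article or from any vendor named on the page. It keeps a watchlist of first-contact senders whose opening message looked like bait and escalates their next message if it carries a link or attachment. The freemail list, word limit and reply-prompt phrases are illustrative assumptions, and the sample conversation is constructed.

```python
"""Two-stage check for bait (reconnaissance) phishing.

Stage 1: a first-contact message from a freemail address with no links or
attachments that only asks for a reply is flagged as probable bait and the
sender goes on a watchlist.  Stage 2: a later message from a watchlisted
sender that does carry a link or attachment is escalated, because that is
where the real payload arrives.
"""
import re
from dataclasses import dataclass, field

# Freemail providers commonly used for throwaway sender accounts
# (illustrative set; extend it for your environment).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Phrases that ask for a reply without offering anything to click (assumed).
REPLY_PROMPTS = ("let me know", "are you available", "quick question", "can you help", "?")


@dataclass
class InboundMessage:
    sender: str
    subject: str
    body: str
    attachments: int = 0

    def carries_payload(self) -> bool:
        """True if the message has anything the recipient could click or open."""
        return bool(URL_RE.search(self.body)) or self.attachments > 0


@dataclass
class BaitDetector:
    # Addresses the organisation has previously exchanged mail with.
    known_senders: set = field(default_factory=set)
    # First-contact senders whose opening message looked like bait.
    watchlist: set = field(default_factory=set)
    max_bait_words: int = 40

    def looks_like_bait(self, msg: InboundMessage) -> bool:
        sender = msg.sender.lower()
        domain = sender.rsplit("@", 1)[-1]
        text = msg.body.lower()
        return (
            sender not in self.known_senders
            and domain in FREEMAIL_DOMAINS
            and not msg.carries_payload()
            and len(text.split()) <= self.max_bait_words
            and any(p in text for p in REPLY_PROMPTS)
        )

    def assess(self, msg: InboundMessage) -> str:
        """Return 'bait-followup', 'bait-suspect' or 'clean' and update state."""
        sender = msg.sender.lower()
        if sender in self.watchlist and msg.carries_payload():
            return "bait-followup"      # stage 2: payload from a watchlisted sender
        if self.looks_like_bait(msg):
            self.watchlist.add(sender)  # stage 1: remember the sender
            return "bait-suspect"
        return "clean"


# Constructed sample conversation (not captured traffic).
SAMPLE_SEQUENCE = [
    InboundMessage("sam.rivera.ext@gmail.com", "Hi",
                   "Hi Alice, quick question - are you in the office today? Let me know. Sam"),
    InboundMessage("sam.rivera.ext@gmail.com", "Re: Hi",
                   "Great, here is the invoice I mentioned: https://files.example.net/inv.zip"),
    InboundMessage("bob@partner.example.com", "Report",
                   "Attached is the report, let me know if you have questions."),
]


def run_sample() -> list:
    """Run the detector over the constructed conversation; returns the verdicts."""
    detector = BaitDetector(known_senders={"bob@partner.example.com"})
    return [detector.assess(m) for m in SAMPLE_SEQUENCE]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_SEQUENCE, run_sample()):
        print(f"{verdict:14} {msg.sender}: {msg.subject}")
```

The first message is not blocked (it contains nothing to block); the value is in remembering who sent it, so that the follow-up with the payload is judged in the context of how the conversation started rather than on its own, cleanly formatted, merits.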




Google Docs Comment Phishing Schemes 


Security awareness training works. Many people have become more aware of phishing and the traps that the bad guys use to catch the unwary. We look twice at attachments and are cautious about clicking strange links or interacting with unexpected messages, even on social media. But that doesn’t stop phishing practitioners from trying, so they stay alert for creative new angles, like a relatively new scheme that’s underway now. The aim of this style of phishing is to get malicious links into a place where the intended victim would least expect them: the comments on a Google Doc.

Starting in fall 2021, IT experts sounded the alarm about the ease with which attackers could send malicious links to unsuspecting targets by inserting them into the comments of documents created in commonly used Google Workspace applications like Docs and Slides. By year’s end, businesses were looking at a flood of attacks that leveraged that weakness, which is an abuse of a legitimate collaboration feature rather than a software bug, to send users malicious content.

Many of these attacks follow the same pattern. To kick off the operation, a bad actor creates a Google Doc or a similar file in another Workspace application. The bad actor then @-mentions the victim in a comment on the document. Google automatically sends the mentioned address a notification email with a link to the file, and that email reproduces the full text of the comment, including any links the attacker added. The victim never has to open or interact with the document; the notification email itself delivers the malicious content. Because Google generates and sends that notification, it arrives from a legitimate Google address and passes the sender-authentication checks (SPF, DKIM, DMARC) that would catch a spoofed message, so the only thing left to inspect is the comment text itself.

This is an especially sinister phishing variant because it leverages so many social engineering cues while staying outside the box of a classic phishing scam. If a company uses Google Workspace in everyday business, employees receive a steady stream of notices that they’ve been mentioned in a comment. Those seemingly routine messages fly under the radar, and the recipient doesn’t even need to have access to the document in question to be sent a malicious link. It’s worth pointing out that the notification doesn’t show the commenter’s email address, only the name on the account that left the comment, and the attacker controls that name. In a tightly targeted attack, a bad actor would choose a name that seems personally familiar and harmless to the recipient, like that of a colleague or family member.
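Since the notification is authentic Google mail, the practical check is on the comment text Google copies into the body: extract every link and report any whose destination is not a Google host. The following is an added example, not code from the original article or from Google or any vendor named on the page. It assumes the notification sender address is comments-noreply@docs.google.com, that links in Google notification mail may be wrapped in a www.google.com/url?q= redirector (which the code unwraps, so a wrapped link is judged on its real destination), and it uses a constructed sample notification laid out like a "mentioned you" email rather than a captured message.

```python
"""Inspect Google Docs comment-notification emails for links that point
outside Google.

A comment notification is genuinely sent by Google, so SPF/DKIM/DMARC pass
and sender-based filtering cannot help; the only thing to check is the
comment text that Google copies into the email body.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Address Google uses for Docs/Slides comment notifications (assumed here).
NOTIFICATION_SENDER = "comments-noreply@docs.google.com"
# Hosts a notification is expected to link to; anything else is reported.
TRUSTED_HOST_SUFFIXES = ("google.com", "googleusercontent.com")
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def host_is_trusted(host: str) -> bool:
    """Exact or subdomain match against the trusted suffixes (no substring tricks)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def unwrap_google_redirect(url: str) -> str:
    """Resolve a www.google.com/url?q=<target> wrapper to its target.

    Links in Google notification mail can be routed through this redirector
    (assumed here), so the visible host is google.com even when the
    destination is not.  Anything else is returned unchanged.
    """
    parts = urlparse(url)
    if parts.netloc.lower() == "www.google.com" and parts.path == "/url":
        target = parse_qs(parts.query).get("q")
        if target:
            return target[0]
    return url


def text_body(msg: Message) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def untrusted_links(raw_message: str) -> list:
    """Return (link as seen, resolved destination) for every non-Google link in
    a comment notification; [] for mail that is not such a notification."""
    msg = message_from_string(raw_message)
    if parseaddr(msg.get("From", ""))[1].lower() != NOTIFICATION_SENDER:
        return []
    findings = []
    for url in URL_RE.findall(text_body(msg)):
        dest = unwrap_google_redirect(url)
        if not host_is_trusted(urlparse(dest).hostname or ""):
            findings.append((url, dest))
    return findings


# Constructed sample, laid out like a "mentioned you" notification (not a
# captured message).  The commenter's display name is attacker-chosen, and the
# mail never shows the commenter's address.
SAMPLE_NOTIFICATION = """\
From: "Sam Rivera (Google Docs)" <comments-noreply@docs.google.com>
To: alice@example.com
Subject: Sam Rivera mentioned you in Q1 Budget Review
Content-Type: text/plain; charset="UTF-8"

Sam Rivera mentioned you in a comment in the following document

@alice@example.com please review the revised figures here:
https://www.google.com/url?q=https://files.example.net/review/budget.xlsm

Open
https://docs.google.com/document/d/ABC123/edit

You have received this email because you are mentioned in this thread.
"""

if __name__ == "__main__":
    for seen, dest in untrusted_links(SAMPLE_NOTIFICATION):
        print(f"UNTRUSTED LINK: {seen} -> {dest}")
```

The suffix match in host_is_trusted is deliberate: a lookalike such as docs.google.com.example.net contains the string "google.com" but is not a Google host, and a wrapped link must be judged on where the redirector sends the user, not on the google.com host the user sees.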




Rely on Email Security That Isn’t Fooled by Social Engineering Tricks 


These are just the latest entries in a long, ugly string of lures that cybercriminals use to snag unwary employees into falling for the bait – or snag traditional email security solutions and SEGs into believing that the malicious message is harmless. But an AI-driven security solution like Graphus isn’t going to fall for it. The protection from phishing messages that companies gain with Graphus isn’t dependent on human intervention through safe sender lists or threat intelligence updates to get the job done.  

Instead, AI enables it to make smart choices that take into account a message’s content, not just the email address and subject line. The Graphus algorithm uses more than 50 points of comparison to adjudicate incoming messages. It never stops learning, automatically refining your company’s protection with every interaction to learn your company’s unique communication patterns and quickly spot anomalies.  

That’s one reason why AI-powered, automated email security is 40% more likely to catch a phishing message than conventional solutions or a SEG. Let us show you the other reasons why Graphus is the right email security solution for your business. BOOK A DEMO>> 


