Shielding yourself: A guide to safeguard against the latest phishing technique exploiting Google Docs comments

By Arica Chhay

Protect your data and learn how to recognize the latest phishing technique, sent via Google Docs comments. This new tactic is difficult to prevent but recognizable once you know what signs to look for.

What Is Phishing?

Phishing (pronounced ‘fishing’) is a scam designed to acquire important information by masquerading as a reputable company. Oftentimes, phishing scammers will prompt you to click a foreign link, which results in important classified data being harvested.

The Google Docs Phishing Tactic

Attackers have developed a new phishing tactic that involves using the comments feature of Google Docs to send phishing messages. To learn how to recognize this latest technique, take a look at the real example from Berkeley Lab provided below.

Action need, withdrawing funds id - 6648602128
1 comment
Action need, withdrawing funds id - 02573530
Linda Martinez 5:50 AM, Feb 19 (PST) 
I've got a new Bitcoin transaction to share - take a look at it here: link

This particular comment was initiated from a malicious Gmail account, lindamartinezvhpthkcqnqq@gmail.com, which is glaringly obvious. However, note that the actual “from” address is “comments-noreply@docs.google.com.” Therefore, reporting the email as spam or phishing may not be entirely effective in preventing future emails from malicious Gmail accounts.

Google Docs is widely used in various institutions, including UC and DOE National Labs. It may take some time to differentiate between a genuine work-related comment and a fake one, especially since attackers use public websites to collect email addresses. Since the notification comes from a legitimate source, @docs.google.com, it’s challenging to filter or block all future instances of this type of attack. Be cautious of documents shared by unfamiliar email addresses and any comments that contain links.
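
One way to triage these notifications when the sender address itself cannot be filtered, shown as an added example (not from the original article or from Berkeley Lab). It assumes the commenter's address appears in the notification body and that TRUSTED_DOMAINS lists the domains you expect comments from; the sample messages and the example.invalid link are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

DOCS_SENDER = "comments-noreply@docs.google.com"  # notification address quoted in the article
TRUSTED_DOMAINS = ("lbl.gov",)                    # assumption: domains you expect comments from

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def is_trusted(addr):
    """True if the address belongs to a trusted domain or one of its subdomains."""
    domain = addr.rsplit("@", 1)[1].lower()
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw_message):
    """Classify one raw RFC 5322 message and return a dict describing the verdict."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    result = {"docs_comment": sender == DOCS_SENDER,
              "external": [], "links": [], "suspicious": False}
    if not result["docs_comment"]:
        return result  # ordinary mail: normal sender-based filtering applies
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    # The From header is Google's, so the only trace of the commenter is in the body.
    seen = {a.lower() for a in ADDR_RE.findall(body)} - {DOCS_SENDER}
    result["external"] = sorted(a for a in seen if not is_trusted(a))
    result["links"] = URL_RE.findall(body)
    # Flag the combination the article warns about: unfamiliar commenter plus a link.
    result["suspicious"] = bool(result["external"]) and bool(result["links"])
    return result

# Constructed samples modelled on the article's example; not real captured mail.
PHISH = """\
From: comments-noreply@docs.google.com
To: user@lbl.gov
Subject: Action need, withdrawing funds id - 02573530
Content-Type: text/plain; charset="utf-8"

Linda Martinez (lindamartinezvhpthkcqnqq@gmail.com) mentioned you in a comment.
I've got a new Bitcoin transaction to share - take a look at it here: https://example.invalid/link
"""
COLLEAGUE = PHISH.replace("lindamartinezvhpthkcqnqq@gmail.com", "coworker@lbl.gov")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("colleague", COLLEAGUE)):
        print(name, triage(raw))
```

A flagged message is a candidate for the reporting and blocking steps below, not proof of phishing; an external collaborator who comments with a link will also be flagged.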

The instructions provided below will assist you in reporting these emails to Google and allowing the filter to adjust. They will also explain how to block file sharing and comment notifications from specific email addresses. This phishing strategy is still new, so information regarding how to prevent these attacks may evolve as we learn more.

Report an email as phishing

  1. On a computer, open Gmail in your web browser.
  2. Navigate to the phishing message and open it.
  3. Expand the 3 vertical dot menu in the top-right corner of the message window and select Report phishing.

Block the sender of a Google Drive file

You can block file shares from specific people in Google Drive, Docs, Sheets, or Slides. Blocking the sender of a Google Drive file will have the following effects:

  • They won’t be able to share files with you.
  • You won’t be able to share files with them, unless you unblock them first.
  • They can’t access any of your files and you can’t access any of theirs.
  • You won’t receive comment notifications from them in Google Docs, Sheets or Slides, unless you manually subscribe to notifications for all comments within that file.
  • Blocking doesn’t work on another lbl.gov account when using your own lbl.gov work email.

To block the sender:

  1. On a computer, open Gmail in your web browser.
  2. Open a comment notification or Drive sharing email.
  3. At the bottom of the email, click Block the sender.
  4. In the new tab that opens, a “Block this person?” prompt shows the sender’s address (lindamartinezvhpthkcqnqq@gmail.com in this example) and states that the person will no longer be able to interact with you in Google Drive and certain other Google products. Click Block.

About the author

Arica Chhay
IT Communications Specialist
Lawrence Berkeley National Laboratory

Learn more about the IT Division at Berkeley Lab (Lawrence Berkeley National Laboratory) by visiting Berkeley IT Lab Homepage