Threat actors are now using Google Docs to send malicious phishing emails.

The emails, which resemble notifications sent by Google Docs, appear to be trustworthy to employees working remotely, Bleeping Computer reports. The scam apparently began last October. 

“Since Google itself is being ‘tricked’ into sending out these emails, the chances of email security tools tagging them as potentially risky are practically zero,” Bleeping Computer writes. The result: malicious links that lead to malware. 

In one instance, the email says:  “……..mentioned you in a comment.”

The threat is being monitored by Avanan, a threat analyst company.

This ongoing spear-phishing campaign uses over 100 Google accounts and has already hit 500 inboxes across 30 organizations, Bleeping Computer says.

The trick also works on Google Slide and Google Workspace. 

“To make things worse, attackers don’t have to share the document with their targets since mentioning them is enough to send malicious notifications,” Bleeping Computer continues. 

The threat actors “appear to favor Outlook users, but the target demographic is not limited to them,” it adds. 

According to Bleeping Computer, employees are advised to confirm that an email matches the claimed person, and to avoid clicking on links that arrive via email and are embedded on comments.