
Google takes on Docs notification spammers

Cloud-based document suites have always been a hot target for scammers. When it’s easy to dip in and out for collaboration purposes, or just share things generally, then it’s likely that bad people will want in on the action.

In 2019, Google Calendar users were wading through endless spam invites/event notifications when spammers worked out how to game the system. It was fixable, with the caveat that the fix was a multi-stage process. Quite likely a bit too much work for people who just want to access their calendars without spam, and who can blame them?

Anyway, these things come around time and time again. When a new feature appears, so too do the spam vultures. Time to cast our minds back to the end of 2020.

Of comments and exploits

The pandemic has helped nudge along additional features into collaboration tools to make remote work more straightforward. One such Google Docs revamp is the “tag tool”, which fetches lists of recommended people. This operates in a similar way to typing a username on Twitter, where a bunch of suggestions are prefilled after the “@”.

So far, so good.

Around October 2020, spam messages via Google Docs came to light. Specifically: the comments feature. It’s worth noting this behaviour wasn’t just restricted to Docs; other apps like Slides were affected too.

Spammers figured out they were able to send messages via tagging to “nearly any email address” (as per this article). Inserting a tag would generate and send mail to the tagged individual’s mailbox, with the mail appearing to have come from Google. While we can question whether that alone is enough to add the sheen of legitimacy required, at the baseline it’s sailing past spam filters and related precautions.

The messages included everything from “inappropriate PDFs” and fake financial transaction links to more general bogus notifications and supposed financial compensation.

Filtering out the rogues

As with the workaround for calendar spam, the process to block the mails required setting up custom filters, although I suspect a lot of regular Google users didn’t bother with figuring out the mechanics of such a procedure.

As mentioned, one really big problem with this spam technique was the absence of additional sender information. Good news: Google has now addressed this. Notifications will now also show the commenter’s email address, in order to allow recipients to be sure about who it came from.

The change is scheduled to take place over a 15-day period, and as this rollout started on March 3rd, you may well already have the new functionality. According to the Times of India, this will also be a default option. No digging around for obscure options or menus, which is always appreciated.
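The reason the commenter’s address matters for filtering is that every notification, spam or not, arrives from the same Google sender, so a filter keyed on “From” cannot tell them apart. The script below is an added illustration of a filter that keys on the commenter’s own address instead; it is not Google’s code or a real Gmail filter. The message layout, the notification sender address, and the allow-list of collaborators are all assumptions, and the three sample notifications are constructed for the example.

```python
"""Triage of Docs-style comment notifications by the commenter's address.

Constructed example: the message layout below is an assumption, not
Google's real notification format. The point is that a filter can key on
the commenter's own address rather than on the shared Google sender.
"""
import email
import re
from email.message import Message
from typing import Dict, List, Optional, Set

# Hypothetical allow-list of people you actually collaborate with.
TRUSTED_COLLABORATORS: Set[str] = {"alice@example.com", "bob@example.org"}

# Sender shared by every notification, so it cannot distinguish spam (assumed value).
NOTIFICATION_SENDER = "comments-noreply@docs.google.com"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample notifications (not captured from Google).
SAMPLES: List[str] = [
    # Legitimate: commenter address shown and on the allow-list.
    "From: Alice (Google Docs) <comments-noreply@docs.google.com>\n"
    "Subject: Alice mentioned you in \"Q2 budget\"\n\n"
    "alice@example.com mentioned you in a comment:\n"
    "\"@you can you check the totals in section 3?\"\n",
    # Suspicious: commenter address shown but unknown.
    "From: Tax Refund (Google Docs) <comments-noreply@docs.google.com>\n"
    "Subject: Tax Refund mentioned you in \"Compensation notice\"\n\n"
    "refunds-team@mail-example.invalid mentioned you in a comment:\n"
    "\"@you your compensation is waiting, open the attached PDF\"\n",
    # Old-style notice: no commenter address visible at all.
    "From: Google Docs <comments-noreply@docs.google.com>\n"
    "Subject: Someone mentioned you in \"Invoice 4471\"\n\n"
    "Someone mentioned you in a comment:\n"
    "\"@you confirm the transaction here\"\n",
]


def extract_commenter(raw: str) -> Optional[str]:
    """Return the commenter's address shown in the body, or None if absent.

    The shared notification sender is skipped so it is never mistaken for
    the commenter.
    """
    msg: Message = email.message_from_string(raw)
    body = msg.get_payload()
    if not isinstance(body, str):
        return None
    for match in EMAIL_RE.finditer(body):
        addr = match.group(0).lower()
        if addr != NOTIFICATION_SENDER:
            return addr
    return None


def classify(raw: str, trusted: Set[str]) -> str:
    """Classify one notification.

    'allow'       commenter address is a known collaborator
    'review'      a commenter address is shown but is not on the allow-list
    'quarantine'  no commenter address is visible (nothing to filter on)
    """
    commenter = extract_commenter(raw)
    if commenter is None:
        return "quarantine"
    if commenter in trusted:
        return "allow"
    return "review"


def triage(messages: List[str], trusted: Set[str]) -> Dict[str, str]:
    """Map each message's Subject header to its verdict."""
    verdicts: Dict[str, str] = {}
    for raw in messages:
        subject = email.message_from_string(raw)["Subject"] or "(no subject)"
        verdicts[subject] = classify(raw, trusted)
    return verdicts


if __name__ == "__main__":
    for subject, verdict in triage(SAMPLES, TRUSTED_COLLABORATORS).items():
        print(f"{verdict:10s} {subject}")
```

The third sample shows why the old notifications were so hard to filter: with no commenter address in the message, the only choice is to quarantine every notification or let them all through. Once the address is present, unknown commenters can be routed for review while known collaborators pass.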

If you’ve been weathering the storm of spam missives via Google apps over the last few weeks or even longer, then help is now officially on the way. Let’s hope we can all get back to being productive without the risk of bogus messages as soon as possible.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.