Have you received an email about a new comment in a Google Docs or other Google Workspace file you don’t recognize? Do not click the included link, as it’s likely part of a new source of spam emails that are abusing comments in Google Docs, Sheets, and Slides.
When working on a document in Google Docs, Slides, or any other Google Workspace app, you can add comments to suggest changes or simply act as footnotes. In these comments, you can also use @ followed by an email address to tag someone who you think needs to see that particular comment or portion of the Google Doc.
It seems that sometime this year — the earliest report we could find is from August — spammers realized that they could use Google Docs/Slides/etc comments to send any message to nearly any email address, and that the emails will come from a trusted sender, Google. Judging from multiple reports this month [1, 2, 3], and the fact that multiple members of the 9to5Google team received similar spam messages in the last few days, it seems that the spammers’ efforts may be ramping up.
If you’ve received one of these emails, the most important thing is that you do not click on the attached link, as it redirects to a malicious destination that will likely attempt to steal your account information. Otherwise, simply delete and disregard the email.
Should these emails become persistent, there’s actually an easy way to filter out these spam comments without affecting most incoming emails related to Google Docs and other Workspace apps, posted by Shulin Ye in the Gmail Help forum. As the spammers are not giving the tagged email addresses the appropriate access to leave comments of their own, each spam email contains the phrase “you do not have commenting rights.”
This latest attack is fairly similar to a longstanding issue with Google Drive that allows anyone to share malicious or unwanted files to any Google Account. Early last year, Google said they were “making it a priority” to find a solution to that issue.
Update 10/28: Google has shared with 9to5Google that they are “rolling out additional measures” specifically to prevent this type of spam from being posted in comments on Docs, Slides, and other Google Workspace files. These new preventions are just part of Google’s ongoing efforts to detect and shut down new spam campaigns.
How to eliminate Google Docs comment spam messages from your Gmail inbox:
- Open Gmail in a desktop/laptop web browser.
- Click on the downward arrow in the search box.
- In the box labeled “Has the words,” enter the phrase “you do not have commenting rights”.
Be sure to include the quotation marks!
- Click “Create filter,” then choose what you want to have happen to the email.
We chose “Mark as read” and “Skip the Inbox” so that any legitimate emails could be found again later, if needed. However, you may prefer to choose “Delete it.”
More on Google Workspace:
FTC: We use income earning auto affiliate links. More.