Scammers Abuse Google Drive to Send Malicious Links


Cybercriminals are sending malicious links to hundreds of thousands of users via Google Drive notifications.

Scammers are leveraging a legitimate Google Drive collaboration feature to trick users into clicking on malicious links.

According to reports, the recent attack stems from Google Drive’s legitimate collaboration feature, which allows users to create push notifications or emails that invite people to share a Google doc. Attackers are abusing this feature to send mobile users Google Drive notifications that invite them to collaborate on documents, which then contain malicious links.

Because they are sent via Google Drive, the notifications come from Google’s no-reply email address, making them appear more legitimate. Other iterations of the attack are sent via email (instead of by notification) and include the malicious link right in the email.

“Interesting TTP utilising Google Sheets, ultimately ending up with generic prize scams,” said a cybersecurity expert who goes by Jake (or @JCyberSec) on Twitter. “Google sheets slide was shared with an email address causing a pop-up notification on mobile.”

The attack is targeting hundreds of thousands of Google users, according to WIRED. The report said that the notifications are being sent in Russian or broken English.

The Google Drive notifications come with various lures. Many purport to be “personal notifications” from Google Drive, with one lure entitled “Personal Notification No 8482” telling the victim they haven’t signed into their account in a while. These threaten that the account will be deleted in 24 hours unless they sign in via a (malicious) link. Another, entitled “Personal Notification No 0684,” tells users they have an “important notice” of a financial transaction that they can view on their personal account, via a link.

One purports to be a run-of-the-mill prize scam that pretends to be part of a “Chrome Search contest 2020” and tells victims that they are the 5-billionth search and have won a prize.

These links take victims to malicious scam websites. WIRED reported that one such website flooded users with notifications to click on links for “prize draws,” while other websites requested that victims click on links to “check their bank account.”

Targeted users took to Twitter to warn of the scams, with one Twitter user saying that the only red flag of the scam was that he wasn’t expecting a shared doc.

A Google spokesperson told WIRED that the company is working on new security measures for detecting Google Drive spam. Threatpost has reached out to Google for further comment.

With the prevalence of working from home due to the coronavirus pandemic, attackers are increasingly leveraging collaboration and remote-work tools, including Google offerings. In May, researchers warned of a series of phishing campaigns using Google Firebase storage URLs. These used the reputation of Google’s cloud infrastructure to dupe victims and skate by secure email gateways. Meanwhile, researchers in October warned of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack stole Office 365 recipients’ login credentials.

“This scam wave highlights the need for users to be on the lookout for email-borne attacks,” according to Tripwire researchers. “Organizations can help their users in this regard by educating them about some of the most common types of phishing attacks that are in circulation today.”


Discussion

  • Google User on

    I have been getting these for years. I have a case open with Google and they have done nothing about it except give me the runaround.
  • Mike on

    I, too, have recently been getting a handful of these notifications. It's terribly obvious that it's just spam/phishing, so the threat to my security is relatively low. However, it's exceptionally annoying.
  • Stephanie on

    Same here
  • Mike Honcho on

    I received one of these Google Drive exploits recently. In the past, I've received something similar via Google Calendar that populated my calendar with Russian "appointments". I had to delete each individual entry; I could find no way of removing them all together.
  • Matty-Boy on

    I get them every day, drives, slides, it's absurd and annoying. There needs to be something done, a patch, or a validation upgrade. It is getting very old, and I don't want to have to deal with this indefinitely.
