Does your organisation use Gmail and the larger Google Workspace? If you're a small business or tech company, you probably do. In fact, a whopping 92% of startups use Gmail; 60% of mid-sized businesses use it as well. More than 5 million businesses use Gmail.
Despite that, a lot of the security conversation is centred around Microsoft. That's certainly valid, but it's time we start talking about Gmail. That’s because Gmail remains an incredibly popular email service for businesses of all sizes. Plus, attackers are not only targeting email, but the entire Google Workspace, including popular apps like Docs and Slides. Without full-suite security, your Google Workspace is at risk.
This came to a head a few weeks ago, when Avanan, acquired by Check Point Software, published an attack brief about the Google Docs comment exploit. The attack occurs when a threat actor adds a comment to a Google Doc (or any part of the Google Workspace). The target is mentioned with an @. By doing so, an email is automatically sent to that person’s inbox.
In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators. We know, based on our research, which Google is about the middle of the road when it comes to preventing phishing emails from reaching the inbox:
Despite it faring better than other solutions, that's still plenty of attacks. Using our Threat Miss Calculator, consider a 500-seat organisation, where the average user sees about 20 emails a day. This are the results:
That's nearly three missed attacks per user, per month.
Or take an organisation with 6,500 employees:
You can see the issue. If you’re concerned about your Google Workspace security, listen to our webinar: https://www.avanan.com/cp/webinars/gmail-attacks
We'll go over some attacks that Gmail missed--which run the gamut from credential harvesting to ransomware--discuss how the entire G-Suite is weaponised, and how to stop the attacks that Gmail and others miss.