Google Workspace features spearphishers love most (And how they’re using them against you)
Sep 25, 2025
Tycho Klessens

Your team has probably clicked "Sign in with Google" dozens of times without a second thought. They share documents, join meetings, and generally collaborate seamlessly across your company’s Google Workspace. But here's what they don't realize: every single one of those clicks could have been a trap.
Everyone has heard the warnings: “Don’t open suspicious emails,” “Don’t click unverified links.” The truth is that ONE click can cost you everything.
With all those warnings, and possibly some security training, the workforce is getting smarter, but so are spearphishers. They are no longer bombarding your team’s inbox with obviously suspicious emails (although some still do). The sneakiest ones hijack the very features and tools that make Google Workspace powerful for collaboration and turn them into weapons against your business.

The New Playbook: Why collaboration features are prime targets
Around 80% of phishing campaigns aim to steal credentials, especially targeting cloud services like Microsoft 365 and Google Workspace. According to the 2024 Verizon DBIR, 68% of data breaches happen because someone fell for a trick or made a mistake. Of those breaches, the Comcast Business Cybersecurity Threat Report says 80-95% are initiated by phishing attacks.
The reality is that attackers have realized by now that bypassing your email filters is only half the battle. For them, the biggest opportunity lies in the trust employees place in familiar collaboration tools.
How attackers weaponize your favorite Google Workspace features
1. Google Drive sharing notifications: Hiding in plain sight
One phishing method uses Google Drive’s collaboration features to trick people into giving out personal or confidential information. Scammers share Drive documents containing harmful links that ask people to enter information.
Here’s how it works: An attacker creates a Google account, uploads a malicious document, and shares it with your employees. Because the email notifications come from Google, users may be tricked into thinking the message contents are legitimate.
These notifications include a note and a link asking the victim to sign in to their Google account, for example to collaborate on a project or fill out official HR forms. To take it a step further, attackers create a fake email address to impersonate an individual or department that the target may recognize as part of the organization. They often use lookalike domains that are nearly identical to legitimate company domains, for instance omission tactics like tycho@flrbs.io instead of tycho@florbs.io, or transposition tricks like tycho@flrobs.io, where letters are simply swapped around.
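The omission and transposition tricks described above are easy to check for mechanically. The following added example (not code from the post or from Florbs) generates every such single-character variant of an organisation’s domain and classifies a sender address against them; the domain florbs.io and the sender addresses are constructed for the example.

```python
"""Flag sender domains built from the organisation's domain by omitting a character
or swapping two adjacent characters, the two tricks named in the post.
Added example, not Florbs' code; the legitimate domain and senders are constructed."""

LEGIT_DOMAIN = "florbs.io"  # the organisation's real domain (constructed for the example)


def lookalike_variants(domain: str) -> dict:
    """Return {variant_domain: technique} for every single-character omission and
    adjacent transposition of the first label, e.g. 'flrbs.io' (omission) and
    'flrobs.io' (transposition) for 'florbs.io'. Only the first label is mutated."""
    label, _, rest = domain.lower().partition(".")
    suffix = "." + rest if rest else ""
    variants = {}
    for i in range(len(label)):
        variants.setdefault(label[:i] + label[i + 1:] + suffix, "omission")
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:  # swapping identical letters yields the real domain
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            variants.setdefault(swapped + suffix, "transposition")
    variants.pop(domain.lower(), None)
    return variants


def classify_sender(address: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """Return 'internal', 'lookalike:<technique>' or 'external' for a sender address."""
    _, _, sender_domain = address.lower().rpartition("@")
    if sender_domain == legit_domain.lower():
        return "internal"
    technique = lookalike_variants(legit_domain).get(sender_domain)
    return f"lookalike:{technique}" if technique else "external"


if __name__ == "__main__":
    # Constructed senders: the real domain, the two tricks from the post, and an outsider.
    for sender in ["tycho@florbs.io", "tycho@flrbs.io", "tycho@flrobs.io", "hr@example.com"]:
        print(f"{sender:18} -> {classify_sender(sender)}")
```

A mail gateway rule or a SIEM enrichment can call the same check on the From header to tag near-miss domains for review.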

Real-world impact: Once attackers gain access through fake Drive shares, they can reach your entire Google Workspace environment: customer lists, financial data, and confidential projects all become accessible within hours of a single employee clicking the link. In November 2023, a ransomware attack on cloud IT provider Trellance (accessed through the CitrixBleed vulnerability) took 60 U.S. credit unions completely offline for days, forcing them to shut down ATMs, online banking, and member services, and leaving millions of customers unable to access their money during the holiday season.
2. @Mentions and comment alerts: Automatic trust
Before Google’s 2022 security update, email notifications only contained the commenter’s name and not their email address, making it easy for malicious attackers to impersonate trusted colleagues. While Google has since added email addresses to notifications, many users still reflexively trust these messages.

Real-world impact: When employees fall for fake @mentions and comment notifications, attackers easily gain access because these messages look exactly like regular work communications. There’s no obvious red flag that would make someone pause before clicking. Stanford University experienced exactly this in May 2017 when a sophisticated Google Docs phishing attack compromised 650 Google accounts in just two hours, forcing the university to shut down email access and notify affected users about potential data exposure. All because employees clicked on what appeared to be legitimate document-sharing requests.
3. “Sign in with Google”: The Single Sign-On oversight
Perhaps the most dangerous trend involves OAuth abuse. OAuth is the authorization system behind the “Sign in with Google” buttons you see everywhere. When employees click these buttons to access third-party business apps, they grant those apps permission to access their Google Workspace data through OAuth tokens (essentially digital keys). Attackers exploit this by creating fake business apps that request extensive permissions, then targeting employees with emails promoting these “helpful” productivity tools. Once an employee clicks “Sign in with Google” and authorizes a malicious app, the attacker gains persistent access to their Google Workspace.

Real-world impact: These authorized app connections remain active even after you change passwords and force logouts, so attackers keep access to your Google Workspace until you discover and revoke each compromised app, which most organizations never do. Unlike traditional breaches, where changing passwords stops the attack, OAuth-based compromises continue indefinitely because the malicious app retains legitimate access permissions. Organizations report discovering unauthorized third-party apps with extensive Google Workspace access months or even years after the initial authorization. During that time, attackers had continuous access to emails, documents, calendars, and any other data the fake app requested access to.
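Because these grants survive password resets, the practical mitigation is to enumerate each user’s OAuth grants and revoke the unapproved ones. The following added example (not Florbs’ or Google’s code) triages a tokens.list response from the Google Admin SDK Directory API against an allow-list and a set of high-risk scopes; the client IDs, the scope list and the sample response are constructed, and the live API calls are referenced only in comments.

```python
"""Triage OAuth app grants from an Admin SDK Directory API tokens.list response.
Added example, not Florbs' or Google's code. Field names (clientId, displayText,
scopes, userKey) follow the documented Directory API Token resource; the
allow-list, the high-risk scope list and the sample grants are constructed."""

# Scopes that hand an app the whole mailbox or Drive (constructed, extend as needed).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/", "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/drive.readonly",
}
# OAuth client IDs the organisation has reviewed and approved (constructed).
APPROVED_CLIENT_IDS = {"000000000000-approved-crm.apps.googleusercontent.com"}


def triage_grants(tokens_response: dict, approved: set = APPROVED_CLIENT_IDS) -> list:
    """Return the grants that warrant review: apps outside the allow-list that hold
    at least one high-risk scope. Revoking these is what ends an OAuth-based
    compromise, because a password reset leaves the tokens valid."""
    findings = []
    for token in tokens_response.get("items", []):
        client_id = token.get("clientId", "")
        if client_id in approved:
            continue
        risky = sorted(set(token.get("scopes", [])) & HIGH_RISK_SCOPES)
        if risky:
            findings.append({
                "user": token.get("userKey"),  # user id in the live API; constructed here
                "app": token.get("displayText", "<unnamed app>"),
                "client_id": client_id,
                "risky_scopes": risky,
                "action": "revoke",  # tokens.delete(userKey, clientId) in the live API
            })
    return findings

# Constructed sample shaped like a tokens.list response for one user.
SAMPLE_RESPONSE = {"items": [
    {"clientId": "000000000000-approved-crm.apps.googleusercontent.com",
     "displayText": "Approved CRM", "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": "111111111111-helper.apps.googleusercontent.com",
     "displayText": "Productivity Helper", "userKey": "alice@example.com",
     "scopes": ["openid", "https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"clientId": "222222222222-notes.apps.googleusercontent.com",
     "displayText": "Notes", "userKey": "alice@example.com", "scopes": ["openid", "email"]},
]}

if __name__ == "__main__":
    for f in triage_grants(SAMPLE_RESPONSE):
        print(f"{f['user']}: {f['app']} holds {', '.join(f['risky_scopes'])} -> {f['action']}")
```

Run across every user in the domain, the output is the review queue the passage says most organizations never build.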
4. Google Apps Script: The Trust Illusion
This is where things get sophisticated. Threat actors have found a way to exploit Google Apps Script, a legitimate development platform that Google provides for automating tasks and extending functionality. Attackers abuse this trusted platform to host phishing pages that appear completely legitimate, taking advantage of users’ trust in Google’s infrastructure. By misusing Google’s own environment, these criminals create an illusion of authenticity that makes it much easier to trick recipients into handing over sensitive information. The attack is particularly sneaky because the phishing email contains an invoice payment or tax-related call to action, but the malicious page sits on Google’s trusted domain, exactly where users wouldn’t expect danger.

Real-world impact: Because these attacks exploit Google’s legitimate infrastructure, they easily bypass traditional email security filters that are designed to trust Google domains. Your employees are 3x more likely to enter credentials on these fake pages compared to obvious phishing attempts, giving attackers immediate access to all connected Google services and any systems integrated via SSO. While specific company names haven’t been disclosed, Cofense documented attacks where criminals exploited Google’s platform to target companies in the disability and health equipment industry, compromising multiple employees through fake Microsoft login pages that appeared completely legitimate because they were hosted on Google’s trusted domain.
Why traditional defenses fall short
These spear phishing attacks succeed because they exploit the collaborative nature of modern work. Attackers impersonate trusted contacts, create fake login pages that mirror legitimate services, and send targeted messages that appear to come from internal departments. All designed to feel like regular business communications.
The problem? When these attacks abuse Google Workspace features, traditional security controls struggle to tell legitimate collaboration from malicious activity, because to the filters these are authentic Google Drive notifications, real Google Apps Script domains, and valid OAuth requests, all coming from Google’s trusted infrastructure. And if your teams rely on Google Workspace to collaborate across the organization, how do you block Google when they depend on it for their daily operations?
What you need to know right now
The attackers could already be inside your trusted environment. They’re hijacking the very features that make Google Workspace so effective for collaboration, using its trusted reputation to hide malicious activity. Do you have full visibility into who’s accessing what in your Google Workspace right now?
Your biggest vulnerability isn’t technology. It’s trust. Both the links and the websites they lead to are hosted on real domains and secured with valid SSL certificates, creating a false sense of legitimacy. Can you guarantee that no one on your team will click on something that looks completely legitimate?
One click compromises everything. When users or admins don’t restrict permissions properly, attackers can move freely within an account or access sensitive data. Do you know exactly which third-party apps have access to your Google Workspace data, and when they were last reviewed?
Is your organization vulnerable to these attacks?
Here’s the hard truth: if you’re relying solely on Google’s built-in security and employee training, you could be vulnerable to the sophisticated attacks that are happening right now.
Take our 1-minute assessment to see how your Google Workspace security scores. You’ll get an instant security score and potential areas for improvement.
Because in Google Workspace security, what you don’t see definitely CAN hurt you.
Florbs - The Security Shield for Your Google Workspace
While Google provides some built-in security features, the sophisticated attacks we’ve outlined often slip through the cracks because they abuse legitimate Google services.
That’s where Florbs comes in. We help you protect data at scale without slowing down collaboration. Through our intuitive platform, we give you complete control over your Google Workspace security from day one.
Automated Control. Complete oversight. Florbs gives you full visibility into your Workspace, letting you put critical security workflows on autopilot. Manage on/offboarding and policy enforcement across every team and user without the manual chase.
Always-on protection. Zero surprises. Florbs runs 24/7, spotting risky activity and locking it down before it impacts your business and reputation. We neutralize targeted attacks and insider threats before they become incidents.
Enterprise-level security. Without the Enterprise costs. Get enterprise-grade protection without the enterprise price tag. Florbs delivers advanced, expert-level security that works from day one. No specialized staff or costly consultants required.