Skip to main content

Google Classroom invitations being abused to send spam emails, can’t be disabled

Google’s tools are once again being abused to send unwanted emails, with attackers now using Google Classroom to deliver spam.

Unwanted spam emails are nearly as old as email itself, with malicious groups constantly working on new tricks to have their messages bypass Gmail and Outlook spam filters. One of the best ways to get around a spam filter is to have an email come from a trusted sender, like Google. This is a strategy that attackers have employed countless times before.

The latest iteration, spotted by Artem Russakovskii, uses Google Classroom’s ability to send a class invitation to any email address. Before you click through, it should be noted that the example he shared is a bit NSFW.

As it stands today, Google Classroom is available to anyone and everyone with a Google Account, not just those with a paid Workspace account. By creating a classroom for free, you’re able to send an email invitation to anyone, including to those who don’t use a Gmail address. All an attacker needs to do is put their spam message into the class name and send out Google Classroom invitations. There doesn’t even seem to be a limit on how long the class name — and therefore spam message — can be.

Worse, as Russakovskii points out, there doesn’t seem to be a way to prevent Google Classroom from sending these unwanted spam invitations. The web app’s settings offer a toggle for “Email notifications,” but in our testing, this toggle does not consistently prevent invitation emails from being sent to your inbox.

The last time this type of issue cropped up was through the comments system in Google Docs, Sheets, and Slides, where one could tag any email address in a spam-filled document. It took over half a year for Google to roll out a solution, where it allowed people to block spammers and hide their unwanted files. Hopefully, this Google Classroom invitation spam will have a simpler fix.

Image: Google

More on Google Workspace:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Kyle Bradshaw Kyle Bradshaw

Kyle is an author and researcher for 9to5Google, with special interests in Made by Google products, Fuchsia, and uncovering new features.

Got a tip or want to chat? Twitter or Email. Kyle@9to5mac.com