Someone Just Weaponized Google Docs to Spam Me: The Cold Outreach Tactic That Bypasses Every Spam Filter

A cold sales pitch disguised as a Google Docs notification. How the tactic works, a five-year timeline of Google's failed fixes, and a complete protection guide for founders and business owners.

Someone used Google Docs to spam me this morning. I opened my inbox and saw a notification from Google Docs.

"Ana Scott assigned you an action item."

My first thought: did someone on our team share a doc I missed? Did a client tag me in something? I almost clicked it.

Then I read the preview.

"@[email protected] hello Peter, i'm Ana from Softaims. we help companies scale with custom software development, mobile solutions, AI/ML, and workflow automation."

That's not a collaboration request. That's a cold sales pitch. Disguised as a Google Docs notification. Delivered through Google's own servers. Sitting in my inbox like it belongs there.

And I'm calling it out.

What Happened: The Full Email

Here's exactly what landed in my inbox on February 11, 2026, from [email protected]:

From: Ana Scott (Google Docs)
Sender email: [email protected]
Subject line: "40 hour of senior... - @[email protected] hello Peter,..."

The email stated that Ana Scott "assigned you an action item" in a document titled "40 hour of senior developer." The comment contained her full cold pitch:

@[email protected]

hello Peter,

i'm Ana from Softaims. we help companies scale with custom software development, mobile solutions, AI/ML, and workflow automation.

our engineers have enterprise experience and we're happy to run a 20-40 hour POC on your timezone to show what we can deliver.

drop me a line at [email protected] with whichever fits:
  • yes, we have a current need
  • schedule a 15-30 min discovery session
  • kick off a 40-hour proof of concept
  • check back another time
  • pass for now

appreciate your time.

-- Ana Scott ([email protected])

PS: we also help companies automate with AI -- most see 30-40% ops savings. if that sounds interesting, i can audit your workflows too.

The email included an "Open" button and a link to "View files with action items assigned to you."

At the very bottom, Google's standard footer included a small note: "If you don't want to receive files from this person, block the sender from Drive."

That last line is the only defense Google gives you. And most people don't even notice it.

How This Tactic Works (And Why Your Spam Filter Can't Catch It)

This isn't traditional email spam. It's something more insidious. Here's the step-by-step mechanic:

Step 1: The Attacker Creates a Google Doc

Anyone with a free Google account can create a Google Doc. No special tools, no hacking required.

Step 2: They @Mention Your Email in a Comment

By typing @[email protected] in a comment on any Google Doc, Google's system registers your email as a participant. You don't need to be shared on the document. You don't need to have any prior relationship with the person. Just an @mention in a comment is enough.

Step 3: Google Sends the Notification Email

This is where the magic (and the abuse) happens. Google automatically sends a notification email from [email protected] to the mentioned email address. This email:

  • Passes SPF (Sender Policy Framework) because it's genuinely sent from Google's mail servers
  • Passes DKIM (DomainKeys Identified Mail) because Google's servers sign it
  • Passes DMARC (Domain-based Message Authentication) because SPF and DKIM both pass
  • Contains the full comment text so the recipient doesn't even need to open the document
  • Appears as a legitimate Google notification in every email client

Step 4: The Pitch Lands in Your Inbox

Your email security system sees a perfectly authenticated email from Google. It lands in your primary inbox, not spam. The attacker's message is delivered with Google's implicit endorsement.

Why Traditional Defenses Fail

Defense Layer           Why It Fails
SPF/DKIM/DMARC          All pass. The email IS from Google.
Spam filters            Google is an allowlisted sender in virtually every email system
Content filtering       The message appears within a standard Google notification template
Sender reputation       Google's domain has perfect reputation scores
AI-based detection      The email structure matches legitimate collaboration notifications

The only thing separating a real Google Docs collaboration notification from this spam is context. And most people process context after they've already clicked.

A Brief History of Google Docs Comment Spam

This tactic didn't start this morning. It's been a documented problem for over five years, and the timeline tells a frustrating story of cat-and-mouse between Google and spammers.

October 2020: First Widespread Reports

9to5Google reported that spammers had discovered they could exploit the comment and mention features in Google Docs, Sheets, and Slides to send spam emails to any address. Google acknowledged the issue and said they were "rolling out additional measures" to prevent it.

Source: 9to5Google, October 2020

November 2021: Google Adds Block Feature

Google introduced the ability to block specific users from mentioning you in Docs, Sheets, and Slides. Blocked users could still attempt to interact, but their notifications wouldn't reach you.

Limitation: you can only block someone after they've already spammed you. It's reactive, not preventive.

January 2022: Security Researchers Sound the Alarm

Avanan (now part of Check Point Software) published research showing coordinated phishing campaigns using Google Docs comments. Their findings:

  • Over 100 Google accounts were used to distribute malicious content
  • Approximately 500 inboxes across 30 organizations were targeted
  • The campaigns primarily targeted Outlook users, though any email client was vulnerable
  • The attacker's email address was NOT shown in the notification, only a display name, making impersonation trivially easy

Source: BleepingComputer, January 2022

March 2022: Google's First Major Fix

Google began rolling out a change to show the commenter's email address in notification emails. Previously, only the display name was shown, which made impersonation easy. The rollout started March 3, 2022 and took 15 days to complete.

This was an improvement. Now you could at least see that the mention came from [email protected] rather than just "Ana Scott." But the fundamental problem remained: anyone could still @mention any email and trigger a notification.

Source: Malwarebytes, March 2022

May 2023: Google Drive Gets a Spam Folder

Google added a dedicated spam folder to Google Drive, similar to Gmail's spam folder. Key features:

  • Automatic classifiers redirect suspected spam files to the spam folder
  • Manual marking: users can move files to spam or report them
  • Moving to spam unsubscribes you from the file's notifications
  • Auto-deletion: spam files are permanently removed after 30 days

Source: Google Workspace Blog, May 2023

February 2025: Universities Still Warning Students

Montclair State University published a security advisory warning students about Google Docs phishing scams, noting that cybercriminals are using fake Google Doc shares to steal credentials and install malware. The university's Phish Files blog confirmed these attacks are "on the rise."

Source: Montclair State University, February 2025

February 2026: The Sales Variant

And here we are. The tactic has evolved from malware distribution and phishing into cold outreach. Companies like Softaims are now using the exact same mechanic that phishers use, but instead of stealing your password, they're stealing your attention.

Is it as dangerous as a phishing attack? No. Is it using the same exploitative technique? Yes. Is it the kind of behavior that should disqualify a company from your vendor shortlist? Absolutely.

The Cold Outreach "Growth Hack" Problem

What makes this particularly gross is that this technique isn't just being used by lone wolves. It's being taught.

There are actual guides, Substack posts, and LinkedIn threads explaining how to use Google Docs sharing as a "cold outreach strategy." The argument goes something like this:

  • Sharing a Google Doc feels like giving someone value
  • It "invokes the Rule of Reciprocity" because you gave them something
  • It "lowers prospects' reflex against being sold to"
  • Prospects who interact with a shared doc are "more likely to reply"

Here's the part they leave out: the prospect didn't ask for your doc. They didn't opt in. They didn't give you permission. You're using Google's notification system to bypass their email filters and insert yourself into their inbox under false pretenses.

That's not the Rule of Reciprocity. That's the Rule of Trespassing.

The difference between legitimate outreach and this tactic is consent. A cold email, even an unwanted one, arrives through normal channels that the recipient has chosen to filter however they want. A Google Docs comment notification circumvents those choices entirely.

Why I Would Never Work With a Company That Does This

I'm going to be direct about this: if I were evaluating outsourced development teams (which I do regularly as a CTO), and I discovered that a company's customer acquisition strategy included exploiting Google Docs comments, I would immediately disqualify them.

Not because the pitch was bad. Because the judgment is bad.

Here's the chain of reasoning:

  1. They chose the easiest path over the ethical one. This tactic works (short-term) because it bypasses defenses. A company that defaults to "what can I exploit?" rather than "what can I earn?" will make the same choices when building your software.
  2. They don't respect boundaries. If they don't respect your inbox boundaries, will they respect your codebase boundaries? Your security requirements? Your deployment processes?
  3. They prioritize volume over quality. This is a spray-and-pray tactic. Create a doc, blast @mentions to a list, see who bites. It's the opposite of the thoughtful, targeted approach you'd want from a team building custom software.
  4. They're willing to damage the tools everyone depends on. Google Docs comments exist for collaboration. Every spammer who abuses this feature makes Google more likely to restrict it, which hurts legitimate users. Companies that degrade shared infrastructure for personal gain aren't companies I want touching mine.

A Direct Message to Softaims and Ana Scott

Ana Scott ([email protected], [email protected]) and Softaims (tryechohq.com): your outreach just became content. And not the kind that generates leads.

I don't know if Ana personally chose this tactic or if someone on the team decided it was a clever growth hack. But here's what was accomplished today:

  • You didn't get a client
  • You got publicly called out
  • You demonstrated to every potential customer who reads this that your company's first instinct is to exploit a loophole rather than earn attention honestly
  • You made it into the same category as phishers and scammers in my inbox, and now in this article

The irony of a company that offers to "help companies automate with AI" and "audit your workflows" using one of the most universally despised outreach tactics on the internet is... something.

How to Protect Yourself: A Complete Guide

If you've received Google Docs comment spam (or want to prevent it), here's your playbook:

Immediate Response (When You Get the Spam)

1. Block the sender in Google Drive

At the bottom of the notification email, Google includes a link: "If you don't want to receive files from this person, block the sender from Drive." Click it. This prevents future notifications from that specific Google account.

2. Do NOT open the document

The full pitch is already in the email notification. Opening the document gives the sender information about you (they can see who viewed the doc) and potentially exposes you to additional embedded links or tracking.

3. Report the document as spam in Google Drive

If the document appears in your Google Drive, right-click it and select "Report spam" or "Report abuse." This helps Google's automated classifiers learn to catch similar patterns.

Preventive Measures

4. Create a Gmail filter

Set up a filter that catches common patterns in these spam notifications:

  • Search criteria: from:([email protected]) "assigned you an action item"
  • Action: Skip inbox, mark as read, or delete
  • Alternative search: "you do not have commenting rights" catches cases where you were mentioned but not given doc access

5. Check your Google Drive spam folder regularly

Since May 2023, Google Drive has a spam folder in the left navigation panel. Files that Google's classifiers flag as suspicious land here. Review and clear it periodically. Files in the spam folder are auto-deleted after 30 days.

6. Be skeptical of unexpected Google Docs notifications

If you didn't initiate or expect a collaboration, treat any Google Docs notification with the same suspicion you'd give an unexpected email attachment. Check the sender's email address (Google now shows it in the notification) and verify whether you have a legitimate reason to receive it.

For Organizations

7. Educate your team

Most people assume Google Docs notifications are legitimate because they come from Google. Include this tactic in your security awareness training. Show employees what these spam notifications look like and how they differ from real collaboration requests.

8. Consider Google Workspace admin controls

If you're a Google Workspace admin, review your sharing settings. You can restrict external sharing and limit who can share files with your organization's users. While this doesn't completely prevent comment @mentions from external users, it can reduce the attack surface.

9. Monitor for patterns

If multiple team members receive similar Google Docs spam, report it collectively. Pattern-based reports give Google better data to train their classifiers.

The Fundamental Problem Google Hasn't Solved

Despite five years of patches and improvements, the core vulnerability remains:

Any person with a Google account can @mention any email address in a Google Doc comment, and Google will deliver a notification to that email address.

Google's fixes have been incremental: show the email address, add blocking, add spam filters, add a Drive spam folder. But the fundamental mechanic is unchanged. Until Google adds a consent layer (like "only send me notifications from contacts" or "require confirmation before delivering notifications from unknown users"), this will keep happening.

And the longer Google leaves this mechanic open, the more it gets exploited. What started as phishing has evolved into a cold outreach "strategy." What comes next will probably be worse.

UPDATE: Two Hours Later, Another Underhanded Tactic

I published this article this morning. Two hours later, I got hit with a second underhanded cold outreach tactic. The universe apparently wanted me to write a sequel.

This time it was Jessica Bamber from MediaBloom ([email protected], reply-to [email protected]), using a different exploit: hijacking email marketing platforms to send cold outreach disguised as newsletters.

How This One Works

The tactic: open an account on a legitimate email marketing platform (in this case Constant Contact, hence the ccsend.com domain), import a scraped or purchased email list, and send an unbranded "newsletter" pitching your services. The email passes security checks because it's sent via Constant Contact's verified infrastructure, just like the Google Docs exploit passes because Google's servers send the notification.

Same principle. Different tool being abused.

Jessica's pitch was for a "Lead Resurrection System" that uses "AI voice, SMS, and email" to re-engage old leads. The irony of a company promising to "revive dead leads" by spamming people who never opted in is... chef's kiss.

Why This Matters: Constant Contact Explicitly Prohibits This

Constant Contact's acceptable use policy explicitly prohibits the use of purchased, rented, or scraped email lists. Every major email marketing platform does. So MediaBloom isn't just being scummy, they're violating the terms of service of the tool they're using to be scummy.

The CAN-SPAM Loophole

Here's what makes this technically murky: the CAN-SPAM Act does not require opt-in consent before sending commercial email. Unlike GDPR (which requires explicit consent), CAN-SPAM operates on an opt-out model. As long as you include an unsubscribe link, a physical address, and identify the message as commercial, you can legally email someone who never asked to hear from you.

Each violation can result in penalties up to $53,088 per email. The FTC has enforced this: Verkada paid $2.95 million and Experian paid $650,000 in CAN-SPAM settlements. But enforcement is rare, and the opt-out model means most cold email exists in a legal gray zone.

Critical: Do NOT Click Unsubscribe on Spam

This is the part most people get wrong. When you get spam like this, your instinct is to click "Unsubscribe." Don't.

Here's why:

Clicking unsubscribe confirms your email is active. The sender now knows:

  • Your email address is real
  • Someone reads emails at this address
  • You're engaged enough to take action

That data is valuable. It gets shared, sold, or used to send you more targeted spam. You just went from "maybe valid email on a scraped list" to "confirmed active prospect."

Loading images triggers tracking pixels. Most marketing emails contain invisible 1x1 pixel images that fire when the email is opened. These tracking pixels collect:

  • Your IP address (and approximate location)
  • Your device type and operating system
  • The exact time you opened the email
  • Whether you clicked any links

This is why your email client asks "Display images below?" on external emails. Keep image blocking on by default. Don't give them data.
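To show what the "confirms your email is active" and tracking-pixel points look like inside an actual message body, here is an added Python example (not code from the article or from any mail client) that scans a constructed newsletter: it lists the invisible remote images that fire when images are loaded, lists the links that carry a recipient-specific token (the unsubscribe link included), and produces a copy of the body with every remote image removed, which is what "keep image blocking on" amounts to. All hostnames, paths and tokens are made up.

```python
"""Find tracking pixels and per-recipient links in a marketing e-mail body.

Added example for this article, not code from the author or from any e-mail
client. The HTML below is constructed to look like the unbranded newsletter
the article describes; the hostnames, paths and tokens are made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a visible logo, two invisible beacons, an embedded
# (cid:) chart, and an unsubscribe link carrying a recipient-specific token.
SAMPLE_HTML = """\
<html><body>
<img src="https://cdn.newsletter-example.invalid/logo.png" width="200" height="60" alt="logo">
<p>Revive your dead leads with AI voice, SMS and email.</p>
<img src="https://track.newsletter-example.invalid/o/7f3a9c1e2b4d.gif" width="1" height="1" alt="">
<img src="https://track.newsletter-example.invalid/open?rid=9d8e7f6a5b4c3d2e" style="display:none">
<img src="cid:inline-chart" width="300" height="120">
<p><a href="https://newsletter-example.invalid/unsubscribe?rid=9d8e7f6a5b4c3d2e">Unsubscribe</a>
   <a href="https://newsletter-example.invalid/about">About us</a></p>
</body></html>
"""


class _TagCollector(HTMLParser):
    """Collect the attributes of every <img> and <a> tag."""
    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))
        elif tag == "a":
            self.links.append(dict(attrs))


def _collect(html):
    collector = _TagCollector()
    collector.feed(html)
    return collector


def _is_remote(src):
    return urlparse(src or "").scheme in ("http", "https")


def _is_tiny(value):
    """True for a width/height of 0 or 1 (with or without a px suffix)."""
    try:
        return float(str(value).strip().lower().removesuffix("px")) <= 1
    except ValueError:
        return False


def find_tracking_pixels(html):
    """Remote images that are invisible by size or style: the beacons that
    fire the moment the client loads images."""
    beacons = []
    for img in _collect(html).images:
        if not _is_remote(img.get("src")):
            continue  # cid:/data: images are embedded and do not phone home
        style = (img.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = _is_tiny(img.get("width")) or _is_tiny(img.get("height"))
        if hidden or tiny:
            beacons.append(img["src"])
    return beacons


def personalized_links(html, min_token_len=12):
    """Links whose query string carries an opaque identifier. Clicking one,
    unsubscribe included, tells the sender exactly which address is live."""
    tagged = []
    for link in _collect(html).links:
        href = link.get("href") or ""
        params = parse_qs(urlparse(href).query)
        if any(len(v) >= min_token_len for vals in params.values() for v in vals):
            tagged.append(href)
    return tagged


def strip_remote_images(html):
    """A body that is safe to render: every remote <img> removed, embedded kept."""
    def drop_if_remote(match):
        tag = match.group(0)
        imgs = _collect(tag).images
        return "" if imgs and _is_remote(imgs[0].get("src")) else tag
    return re.sub(r"<img\b[^>]*>", drop_if_remote, html, flags=re.I)


if __name__ == "__main__":
    print("beacons:", find_tracking_pixels(SAMPLE_HTML))
    print("personalised links:", personalized_links(SAMPLE_HTML))
    safe = strip_remote_images(SAMPLE_HTML)
    print("remote beacons left after stripping:", len(find_tracking_pixels(safe)))
```

The size and style heuristics are deliberately simple; real clients also block images by default rather than trying to classify them, which is the behaviour the article recommends keeping. The token check on links is the reason the article's advice about unsubscribe holds: the identifier in the query string is what turns a click into a confirmation.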

What to Do Instead

  1. Report as spam. In Gmail, click the three dots and select "Report spam." This trains Google's filters AND hurts the sender's domain reputation on Constant Contact's platform.
  2. Delete the email. Don't open it. Don't load images. Don't click anything.
  3. Block the sender. If it's a persistent offender, block the sending domain entirely.
  4. Never click unsubscribe on emails you didn't subscribe to. Only use unsubscribe on legitimate newsletters you actually signed up for but no longer want.

The difference is important: if you subscribed to a company's newsletter and want to stop, unsubscribe is safe and appropriate. If you never heard of the sender and they scraped your email from somewhere, unsubscribe just confirms you're a live target.

The Pattern

Two cold outreach spam emails in one morning. Two different exploit vectors. Both abuse legitimate platforms (Google Docs, Constant Contact) to bypass email security. Both come from companies that sell technology services while demonstrating terrible judgment about how to use technology.

If you're in sales and reading this: there's a reason these tactics feel clever. They work in the short term. But they work by exploiting trust, violating platform policies, and treating potential customers as targets rather than people. That's not a foundation for any business relationship worth having.

Final Thoughts

To every founder, CTO, and business owner getting hit with this: you're not alone, and it's not your fault. These tactics specifically exploit the trust you've placed in the tools you use every day. Block the senders, report the spam, and don't feel bad about publicly naming the companies that do this.

To sales teams and "growth hackers" considering these approaches: don't. The short-term inbox access isn't worth the long-term reputation damage. If your service is genuinely valuable, you don't need to trick people into reading about it. Earn the open. Don't steal it.

And to Ana Scott at Softaims and Jessica Bamber at MediaBloom: congratulations. You're both in the article now.


Have you been hit with Google Docs comment spam or newsletter platform cold outreach? Share your experience in the comments. And if you know someone who's been targeted, send them this article so they know how to protect themselves.

