Threat actors have started to actively abuse Google Docs commenting feature since December 2021.
Using this method, hackers are able to send emails that appear trustworthy but contain a phishing link.
Threat actors create a Google Document, then comment it to mention the target with an @, which results into email bypassing the security measures.