Skip to content
Threat Feed
high advisory

GCP Multi-Factor Authentication Disabled

Detection of disabled multi-factor authentication (MFA) for a Google Cloud Platform (GCP) user, potentially leading to unauthorized access and data exfiltration.

This brief focuses on detecting the disabling of multi-factor authentication (MFA) within a Google Cloud Platform (GCP) environment. The activity is detected by monitoring Google Workspace Admin logs for the UNENROLL_USER_FROM_STRONG_AUTH command. An attacker who has compromised an account may disable MFA to maintain persistent access without triggering typical account compromise alerts. This allows them to bypass an important security control. This activity has been observed in GCP environments and is critical for defenders to monitor. Successful exploitation can lead to unauthorized access, data exfiltration, or further malicious activity within the organization.

Attack Chain

  1. An attacker gains initial access to a valid user account through credential compromise (e.g., phishing, password spraying).
  2. The attacker authenticates to the Google Workspace Admin console using the compromised account.
  3. The attacker navigates to the user management section within the Google Workspace Admin console.
  4. The attacker locates the target user account for which they intend to disable MFA.
  5. The attacker initiates the process to unenroll the target user from strong authentication, triggering the UNENROLL_USER_FROM_STRONG_AUTH command.
  6. The system processes the request, disabling MFA for the target user account.
  7. The attacker now maintains persistent access to the compromised account without MFA.
  8. The attacker leverages the compromised account to perform unauthorized actions, such as accessing sensitive data, modifying configurations, or launching further attacks.

Impact

Successful disabling of MFA can lead to significant security breaches. A single compromised account can provide attackers with persistent access to sensitive data and systems. This can result in data exfiltration, financial losses, reputational damage, and disruption of business operations. The number of affected users depends on the scope of the initial compromise.

Recommendation

  • Deploy the Sigma rule Detect GCP MFA Disable via GWS Admin Logs to your SIEM to identify instances of MFA being disabled.
  • Investigate any alerts generated by the Sigma rule, focusing on the user and actor.email fields to determine the source and target of the action.
  • Implement alerting on other critical admin actions in Google Workspace, beyond just MFA disabling, to give better context around potential account compromise (reference: Google Workspace Admin logs).
  • Review and enforce strong MFA policies across your organization to minimize the attack surface (reference: https://support.google.com/cloudidentity/answer/2537800?hl=en).

Detection coverage 2

Detect GCP MFA Disable via GWS Admin Logs

high

Detects disabling of multi-factor authentication (MFA) for a GCP user via Google Workspace Admin logs.

sigma tactics: defense_evasion, persistence techniques: T1556.006, T1586.003 sources: webserver, linux

GCP MFA Disable - Suspicious Actor

medium

Detects disabling of MFA by an actor that is not typically seen performing administrative tasks.

sigma tactics: defense_evasion, persistence techniques: T1556.006, T1586.003 sources: webserver, linux

Detection queries are available on the platform. Get full rules →