Google Workspace 2SV Policy Disabled
An adversary may disable 2-Step Verification (2SV) in Google Workspace to weaken account security and facilitate unauthorized access.
Google Workspace administrators can enforce 2-Step Verification (2SV) to enhance user account security, requiring users to verify their identity beyond simple login credentials. This policy can be configured with various verification methods and enrollment periods. However, a malicious actor with administrative privileges may disable 2SV policies to reduce the security requirements for accessing targeted accounts. This could be a precursor to credential access or data exfiltration. The Elastic detection rule "Google Workspace 2SV Policy Disabled" was released on 2022-08-26 and updated on 2026-04-10 to detect this activity. This activity is important for defenders because it can lead to unauthorized access to sensitive data and systems.
Attack Chain
- An attacker gains unauthorized access to a Google Workspace administrator account, possibly through credential compromise or phishing.
- The attacker authenticates to the Google Workspace admin console using the compromised credentials.
- The attacker navigates to the Security settings within the admin console.
- The attacker locates the 2-Step Verification settings.
- The attacker disables the 2SV enforcement policy for specific organizational units or the entire domain. This generates a
google_workspace.loginevent withevent.action: "2sv_disable". - The attacker may then attempt to access user accounts without the 2SV requirement, potentially using previously obtained credentials.
- Upon successful login, the attacker performs malicious actions such as accessing sensitive data, modifying configurations, or establishing persistence.
- The attacker covers their tracks by deleting audit logs or creating new admin accounts with modified permissions.
Impact
Disabling 2SV weakens the overall security posture of a Google Workspace environment. If successful, attackers can gain unauthorized access to user accounts, leading to data breaches, financial losses, and reputational damage. The number of affected users depends on the scope of the 2SV policy change and the extent of the attacker's access. Organizations in any sector relying on Google Workspace for email, file storage, or other services are vulnerable.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect instances of 2SV policy being disabled and tune for your environment.
- Review Google Workspace audit logs (
filebeat-*,logs-google_workspace*) for unexpected 2SV configuration changes. - Implement the security best practices outlined by Google: https://support.google.com/a/answer/7587183
- Monitor
user.nameorsource.user.emailin the alert and filterevent.datasetforgoogle_workspace.loginand aggregate byuser.name,event.actionto identify impacted users and authentication events. - Reduce the
var.intervalin the Google Workspace Filebeat module to 10 minutes (10m) to decrease the risk of missed events.
Detection coverage 2
Google Workspace 2SV Disabled via Activity Events
mediumDetects when a Google Workspace 2SV policy is disabled via activity events.
Google Workspace 2SV Policy Disabled - Admin Console
mediumDetects when a Google Workspace 2SV policy is disabled through the admin console based on event logs.
Detection queries are available on the platform. Get full rules →