Google Workspace Drive Encryption Key Accessed by Anonymous User
An external (anonymous) user has viewed, copied, or downloaded an encryption key file from a Google Workspace drive, potentially leading to unauthorized access to sensitive data or authentication on behalf of users via rogue access links.
This detection identifies instances where anonymous users access encryption keys stored within Google Workspace drives. This activity is a significant security concern, as unauthorized access to encryption keys can enable threat actors to decrypt sensitive data, impersonate legitimate users, or gain elevated privileges within the organization. The risk is amplified when encryption keys are inadvertently shared via publicly accessible links without proper expiration policies. The original Elastic detection rule was published in March 2023 and updated in April 2026. This highlights the continued relevance of monitoring access controls and data sharing practices within cloud-based collaboration platforms.
Attack Chain
- An authorized user unintentionally or unknowingly creates a publicly accessible link ("people_with_link") for an encryption key file stored in Google Workspace Drive.
- The shared link does not have expiration settings enabled, leaving the key accessible indefinitely.
- An attacker discovers or obtains the publicly shared link to the encryption key file through reconnaissance or accidental exposure.
- The attacker, operating as an anonymous user (source.user.email == ""), accesses the Google Workspace Drive link.
- The attacker performs actions such as viewing, copying, or downloading the encryption key file.
- With the encryption key obtained, the attacker decrypts sensitive data protected by the key.
- The attacker uses the compromised key to authenticate as a legitimate user or service.
- The attacker gains unauthorized access to protected systems and data, potentially leading to data exfiltration or further lateral movement.
Impact
Compromise of encryption keys can lead to severe consequences, including unauthorized data decryption, privilege escalation, and impersonation of legitimate users. This can result in data breaches, financial loss, reputational damage, and legal liabilities. Organizations storing sensitive data in Google Workspace are at risk if encryption keys are not properly secured and monitored. The impact is especially severe if the compromised key protects critical infrastructure or highly sensitive personal information.
Recommendation
- Deploy the Sigma rule
Google Workspace Drive Encryption Key Accessed by Anonymous Userto your SIEM to detect unauthorized access to encryption keys. - Review Google Workspace sharing settings to ensure that sensitive files, particularly those with extensions listed in the query (e.g.,
.key,.pem,.gpg), are not shared with "people_with_link" without proper access controls. - Implement and enforce expiration policies for shared links in Google Workspace to minimize the window of opportunity for unauthorized access.
- Enable logging for Google Workspace Drive events using the Google Workspace Filebeat module to provide the necessary data for detecting this threat.
- Investigate any alerts generated by the Sigma rule by reviewing the file activity logs to identify the specific file(s) accessed by the anonymous user.
- Revoke and rotate any encryption keys that have been accessed or potentially compromised to prevent unauthorized use.
Detection coverage 2
Google Workspace Drive Encryption Key Accessed by Anonymous User
highDetects when an anonymous user accesses encryption key files in Google Workspace Drive.
Google Workspace Drive Public Link File Access
mediumDetects access to files with 'people_with_link' visibility in Google Workspace Drive, indicating a publicly shared file.
Detection queries are available on the platform. Get full rules →