Google Workspace MFA Enforcement Disabled
Detection of multi-factor authentication (MFA) enforcement being disabled for Google Workspace users, potentially weakening security controls and leading to account compromise.
The disabling of multi-factor authentication (MFA) enforcement in Google Workspace can severely weaken an organization's security posture. Attackers may target MFA settings to gain unauthorized access to user accounts and sensitive data. This activity, often performed by compromised administrative accounts, allows attackers to bypass an important control mechanism designed to protect user identities. Google Workspace administrators should closely monitor changes to MFA enforcement policies, as these changes can expose the organization to significant risk. The default Filebeat module polls Google's reporting API every 2 hours, but the Google documentation states there can be lag times ranging from minutes up to 3 days between an event occurrence and its visibility in the admin/audit logs. Reducing this interval can help reduce false negatives.
Attack Chain
- An attacker compromises a Google Workspace administrator account, potentially through phishing or credential stuffing.
- The attacker authenticates to the Google Workspace admin console using the compromised credentials.
- The attacker navigates to the MFA settings within the Google Workspace admin console.
- The attacker modifies the MFA enforcement policy, disabling MFA for specific users or the entire organization.
- The attacker attempts to log in to target user accounts without being prompted for a second factor.
- The attacker gains access to sensitive data and resources within Google Workspace, such as email, documents, and applications.
- The attacker may move laterally to other systems or cloud services using the compromised user accounts.
Impact
Disabling MFA enforcement exposes Google Workspace accounts to unauthorized access, potentially impacting all users within the organization. This can lead to data breaches, financial losses, and reputational damage. Depending on the compromised accounts, attackers can access and exfiltrate sensitive information, disrupt business operations, and launch further attacks against the organization and its customers.
Recommendation
- Deploy the Sigma rule
Google Workspace MFA Enforcement Disabledto your SIEM to detect when MFA enforcement is disabled. - Enable Google Workspace Fleet integration, Filebeat module, or similar data ingestion pipeline to collect the necessary logs for the Sigma rule.
- Investigate any detected instances of MFA being disabled, as this could indicate a compromised administrator account.
- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
- Implement security best practices outlined by Google.
Detection coverage 2
Google Workspace MFA Enforcement Disabled
mediumDetects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users.
Google Workspace MFA Enforcement Disabled - Event Logs
mediumDetects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users based on event logs.
Detection queries are available on the platform. Get full rules →