Google Workspace Suspended User Account Renewed
Detection of a renewed, previously suspended user account in Google Workspace, potentially indicating unauthorized access or persistence by an adversary.
This alert identifies instances where a user account, previously suspended within a Google Workspace environment, is reactivated. While legitimate administrative actions can trigger this event, adversaries may exploit the account renewal process to regain unauthorized access to the Google Workspace organization. This technique allows them to bypass typical access controls and maintain a valid account for malicious activities. The rule focuses on detecting the UNSUSPEND_USER event within Google Workspace admin/audit logs. Google Workspace event logs may have lag times ranging from minutes up to 3 days, defenders should adjust polling intervals to mitigate false negatives.
Attack Chain
- An attacker gains initial access to a privileged Google Workspace account, potentially through compromised credentials or social engineering.
- The attacker identifies a suspended user account within the Google Workspace environment.
- The attacker renews the suspended user account using the compromised privileged account, triggering the
UNSUSPEND_USERevent. - The renewed account is now active within the Google Workspace environment, allowing the attacker to bypass initial access controls.
- The attacker leverages the renewed user account to access sensitive data and resources within Google Workspace.
- The attacker may attempt to escalate privileges further from the renewed account.
- The attacker maintains persistence by using the renewed account as a long-term backdoor into the organization's Google Workspace environment.
Impact
A successful account renewal by an attacker can lead to unauthorized access to sensitive data, business disruption, and potential data exfiltration within the Google Workspace environment. The impact can range from minor data breaches to significant operational compromises depending on the permissions and data access of the renewed user account. It's a low severity but important signal that may indicate malicious activity.
Recommendation
- Deploy the Sigma rule provided in this brief to your SIEM and tune it for your specific Google Workspace environment.
- Review the event logs associated with the
UNSUSPEND_USERaction, focusing on the administrator or service account that performed the action, as mentioned in the investigation guide. - Implement additional monitoring and alerting on reactivated user accounts to detect any suspicious activity following the account's renewal.
- Adjust the Google Workspace Filebeat module polling interval to a lower value (e.g., 10 minutes) to reduce the risk of false negatives due to event lag times, as described in the Setup section.
- Review and update security policies related to account suspension and reactivation to prevent similar incidents in the future.
Detection coverage 2
Google Workspace Suspended User Account Renewed
lowDetects when a previously suspended user's account is renewed in Google Workspace.
Google Workspace Suspicious Account Manipulation - UNSUSPEND_USER
mediumDetects suspicious account manipulation activity in Google Workspace, specifically the UNSUSPEND_USER event, potentially indicating unauthorized account reactivation.
Detection queries are available on the platform. Get full rules →