Skip to content
Threat Feed
medium advisory

External User Added to Google Workspace Group

Detection of an external Google Workspace user account being added to an existing group, potentially indicating an adversary attempting to intercept shared files or emails by adding accounts where the domain name of the target doesn't match the Google Workspace domain.

This detection identifies instances where an external user account is added to a Google Workspace group. Attackers may leverage this technique to intercept shared files or emails directed to the group. The rule focuses on identifying user accounts where the domain name of the target does not match the Google Workspace domain. The attack often starts with phishing or exploiting container-bound scripts to add external Google accounts to an organization's groups, sometimes granting editorial privileges. This allows the attacker to receive any information shared with the group, leading to potential data leaks or weaponization of documents for further intrusion. Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.

Attack Chain

  1. The attacker performs reconnaissance to identify a target Google Workspace organization and its group structure.
  2. A phishing email is crafted to steal credentials of a user with group management privileges or to directly add an external user to a group via a malicious link.
  3. Alternatively, the attacker compromises a container-bound script with sufficient privileges to modify group memberships.
  4. The compromised user or script adds an external user account (e.g., a Gmail account controlled by the attacker) to a target Google Workspace group.
  5. The external user account receives emails and shared files intended for the group, potentially containing sensitive information.
  6. The attacker monitors the intercepted communications for valuable data, such as credentials, financial information, or proprietary documents.
  7. The stolen information is exfiltrated to an external location.
  8. The attacker uses the stolen information to further compromise the organization or its partners.

Impact

Compromising Google Workspace groups can lead to significant data breaches, with potentially thousands of internal documents and communications exposed to unauthorized external actors. Successful attacks can result in the loss of confidential business data, intellectual property theft, and regulatory compliance violations. The targeted groups could range from small teams to company-wide distribution lists, affecting customer data, financial records, and strategic plans. Depending on the group's function, the impact could range from minor data leakage to severe reputational and financial damage, depending on the sensitivity and volume of data accessed.

Recommendation

  • Deploy the Sigma rule "External User Added to Google Workspace Group" to your SIEM to detect suspicious group membership changes.
  • Investigate alerts generated by the Sigma rule by examining the user.name or user.email and the group.name fields to identify involved accounts and groups.
  • Review Google Workspace audit logs for event.action: "ADD_GROUP_MEMBER" to identify other group modifications and potential external user additions.
  • Implement multi-factor authentication (MFA) for all Google Workspace accounts, particularly those with administrative privileges, to mitigate credential theft.
  • Enforce strict access control policies and regularly review group memberships to ensure only authorized users have access to sensitive data.
  • Configure alerts for unusual activity, such as external account additions to internal groups, to reduce the mean time to detect (MTTD).

Detection coverage 2

External User Added to Google Workspace Group

medium

Detects an external user being added to a Google Workspace group.

sigma tactics: initial_access techniques: T1078.004 sources: webserver, linux

Google Workspace ADD_GROUP_MEMBER Event

low

Detects the ADD_GROUP_MEMBER event in Google Workspace logs, focusing on the addition of potentially unauthorized external accounts to groups.

sigma tactics: initial_access techniques: T1078 sources: webserver, linux

Detection queries are available on the platform. Get full rules →