Skip to content
Threat Feed
medium advisory

Google Workspace Application Removed from Blocklist

An adversary with Google Workspace administrative privileges may remove an application from the explicit blocklist to enable its distribution and usage, potentially indicating unauthorized activity and defense evasion.

Google Workspace administrators use blocklists to prevent users from installing or using potentially malicious applications from the Google Workspace Marketplace. An attacker who has gained administrative privileges within a Google Workspace environment can remove applications from this blocklist, effectively allowing the applications to be installed and used by unsuspecting users. This activity can be indicative of an attacker attempting to distribute malware or gain unauthorized access to sensitive data. The observed activity revolves around the modification of application settings within Google Workspace, specifically related to the "allowed" status of applications. The impact of this activity can range from data breaches to compromised user accounts. Defenders need to monitor for unauthorized changes to application blocklists and investigate any unexpected modifications.

Attack Chain

  1. Attacker gains unauthorized administrative privileges within the Google Workspace environment.
  2. Attacker navigates to the Google Workspace admin console.
  3. Attacker accesses the application settings for Google Workspace Marketplace.
  4. Attacker identifies a previously blocked application within the blocklist.
  5. Attacker modifies the application settings, changing the "allowed" status from "false" to "true."
  6. The change is saved, and the application is effectively removed from the blocklist.
  7. Users within the Google Workspace environment are now able to install and use the previously blocked application.
  8. The malicious application is distributed and used to perform malicious actions like exfiltration or lateral movement.

Impact

The removal of an application from the Google Workspace blocklist can have significant consequences. Users may install and use malicious applications, leading to data breaches, compromised accounts, and the introduction of malware into the environment. The specific impact depends on the permissions and capabilities of the malicious application. Affected sectors are broad, as Google Workspace is used across various industries. Successful attacks can lead to financial loss, reputational damage, and legal ramifications.

Recommendation

  • Implement the Sigma rule "Google Workspace Application Blocklist Removed" to detect when an application is removed from the blocklist by monitoring Google Workspace admin logs (logsource: google_workspace.admin).
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the user account that made the change and the application that was unblocked.
  • Regularly review Google Workspace administrative accounts to ensure the principle of least privilege is enforced.
  • Monitor the Google Workspace admin logs for unusual account activity, such as changes to roles or permissions.
  • Reference Google's security best practices and implement them in your Google Workspace environment to increase overall security.
  • Tune the "Google Workspace Application Blocklist Removed" Sigma rule for your environment to filter out expected behavior by legitimate administrators.

Detection coverage 2

Google Workspace Application Blocklist Removed

medium

Detects when an application is removed from the blocklist in Google Workspace, which could indicate malicious activity.

sigma tactics: defense_evasion techniques: T1562.001 sources: iam, google_workspace

Google Workspace Admin Role Assigned

low

Detects the assignment of an administrative role in Google Workspace, which could precede malicious activity.

sigma tactics: privilege_escalation sources: iam, google_workspace

Detection queries are available on the platform. Get full rules →