low advisory

Google Workspace Suspended User Account Renewed

Detection of a renewed suspended user account in Google Workspace, potentially indicating an adversary regaining access to the organization.

This detection identifies when a previously suspended user’s account is renewed in Google Workspace. Attackers may reactivate suspended accounts to regain unauthorized access, circumventing security measures. Google Workspace administrators use suspended user accounts to remove access while transferring documents and roles before complete account deletion. This rule focuses on the UNSUSPEND_USER event within Google Workspace admin logs, aiding analysts in identifying potential misuse of account reactivation and maintaining secure access controls. The rule is configured to run every 10 minutes with a lookback time of 130 minutes to account for Google Workspace event lag times, which can range from minutes up to 3 days.

Attack Chain

  1. An attacker compromises a Google Workspace administrator account or gains unauthorized access.
  2. The attacker identifies a suspended user account within the Google Workspace environment.
  3. Using the compromised administrator account, the attacker executes the UNSUSPEND_USER action.
  4. The Google Workspace account is reactivated, granting the attacker access to associated services.
  5. The attacker leverages the renewed account to access sensitive data and resources.
  6. The attacker may then escalate privileges, move laterally, or establish persistence.
  7. The attacker exfiltrates data or performs other malicious activities within the Google Workspace environment.

Impact

A successful attack could allow unauthorized access to sensitive data within Google Workspace, potentially leading to data breaches, financial losses, or reputational damage. Even though the severity is low, it can be part of a broader attack that leads to sensitive information getting into the wrong hands.

Recommendation

  • Deploy the Sigma rule Google Workspace Suspended User Account Renewed to your SIEM and tune for your environment.
  • Review the event logs for the UNSUSPEND_USER action to identify the user account that was renewed and gather details about the timing and context of the action.
  • Investigate the identity of the administrator or service account that performed the UNSUSPEND_USER action to determine if the action was authorized.
  • Implement additional monitoring on affected accounts to detect any further suspicious activity.
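The following is an added example, not the vendor's Sigma rule or any code from this page: it runs the detection logic described above over constructed Google Workspace admin-audit records and produces what the recommendations ask for (the renewed account, the administrator who renewed it, the source address and the time). It keys on UNSUSPEND_USER both as the raw events[].name and as a normalized event.action field, applies the 130-minute lookback, and carries a deduplication set across successive 10-minute runs. The record layout is an assumption modelled on the Admin SDK Reports API activities resource, the ECS-style field names are an assumed mapping, and all sample records are constructed.

```python
"""Flag UNSUSPEND_USER events in Google Workspace admin audit records.

Added example, not the vendor's rule. The record layout is an assumption
modelled on the Reports API "activities" resource (id.time, actor.email,
ipAddress, events[].name, events[].parameters[]); sample data is constructed.
"""
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(minutes=130)   # lookback window stated by the rule
INTERVAL = timedelta(minutes=10)    # run schedule stated by the rule

# Constructed sample activities (not real log data).
SAMPLE_ACTIVITIES = [
    {   # reactivation inside the window: should alert
        "id": {"time": "2024-05-01T10:02:11.000Z", "applicationName": "admin"},
        "actor": {"email": "admin@example.com", "callerType": "USER"},
        "ipAddress": "203.0.113.10",
        "events": [{"type": "USER_SETTINGS", "name": "UNSUSPEND_USER",
                    "parameters": [{"name": "USER_EMAIL", "value": "jdoe@example.com"}]}],
    },
    {   # a suspension, not a renewal: must not alert
        "id": {"time": "2024-05-01T09:55:00.000Z", "applicationName": "admin"},
        "actor": {"email": "admin@example.com", "callerType": "USER"},
        "ipAddress": "203.0.113.10",
        "events": [{"type": "USER_SETTINGS", "name": "SUSPEND_USER",
                    "parameters": [{"name": "USER_EMAIL", "value": "old@example.com"}]}],
    },
    {   # reactivation older than 130 minutes: outside this run's window
        "id": {"time": "2024-05-01T06:00:00.000Z", "applicationName": "admin"},
        "actor": {"email": "helpdesk@example.com", "callerType": "USER"},
        "ipAddress": "198.51.100.7",
        "events": [{"type": "USER_SETTINGS", "name": "UNSUSPEND_USER",
                    "parameters": [{"name": "USER_EMAIL", "value": "contractor@example.com"}]}],
    },
]


def _param(event, name):
    """Return the value of a named parameter on a Reports API event."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def normalize(activity):
    """Flatten one activity into ECS-style records (assumed field names).

    The page's second rule keys on event.action instead of the raw
    events[].name, so the mapping is made explicit here.
    """
    ts = datetime.fromisoformat(activity["id"]["time"].replace("Z", "+00:00"))
    for ev in activity.get("events", []):
        yield {
            "@timestamp": ts,
            "event.action": ev.get("name"),
            "event.category": ev.get("type"),
            "source.user.email": activity.get("actor", {}).get("email"),
            "source.ip": activity.get("ipAddress"),
            "user.target.email": _param(ev, "USER_EMAIL"),
        }


def detect_unsuspend(activities, now, seen=None, lookback=LOOKBACK):
    """Return alerts for UNSUSPEND_USER events in [now - lookback, now].

    `seen` holds dedup keys across scheduled runs: with a 130-minute
    lookback and a 10-minute schedule the same event is visible to about
    13 consecutive runs, so without it each reactivation alerts 13 times.
    """
    if seen is None:
        seen = set()
    alerts = []
    for act in activities:
        for rec in normalize(act):
            if rec["event.action"] != "UNSUSPEND_USER":
                continue
            if not (now - lookback <= rec["@timestamp"] <= now):
                continue
            key = (rec["@timestamp"], rec["source.user.email"], rec["user.target.email"])
            if key in seen:
                continue
            seen.add(key)
            alerts.append(rec)
    return alerts


def run_demo():
    """Simulate two consecutive scheduled runs over the constructed sample."""
    now = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)
    seen = set()
    first = detect_unsuspend(SAMPLE_ACTIVITIES, now, seen)
    second = detect_unsuspend(SAMPLE_ACTIVITIES, now + INTERVAL, seen)
    return first, second


if __name__ == "__main__":
    first_run, second_run = run_demo()
    for a in first_run:
        print(f"{a['@timestamp'].isoformat()} {a['source.user.email']} from "
              f"{a['source.ip']} reactivated {a['user.target.email']}")
    print(f"first run: {len(first_run)} alert(s); next run: {len(second_run)} (deduplicated)")
```

The window is applied to the event's own timestamp, which is what the stated schedule implies; since the page notes event lag can reach 3 days, a record delivered later than 130 minutes after the event would fall outside the window, so a deployment that must not miss late arrivals would key the window on ingestion time instead and rely on the dedup set to suppress repeats.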

Detection coverage (2 rules)

Google Workspace Suspended User Account Renewed

Severity: low

Detects when a previously suspended user's account is renewed in Google Workspace.

Format: sigma. Tactics: initial_access, persistence. Techniques: T1078.004, T1098. Sources: webserver.

Google Workspace Suspended User Account Renewed - Event Action

Severity: low

Detects when a previously suspended user's account is renewed in Google Workspace by looking at the event action.

Format: sigma. Tactics: initial_access, persistence. Techniques: T1078.004, T1098. Sources: webserver.
