{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/google-workspace/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Windows","Microsoft 365","Google Workspace"],"_cs_severities":["high"],"_cs_tags":["clickfix","malware","social-engineering","rat","infostealer","castleloader","netsupport"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe BackgroundFix campaign is a social engineering scheme using fake \u0026ldquo;remove your photo background\u0026rdquo; services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. 
This campaign appears to be active, with multiple domains sharing the same template.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim searches for an online background removal tool and lands on a malicious BackgroundFix site.\u003c/li\u003e\n\u003cli\u003eThe victim uploads an image to the fake website.\u003c/li\u003e\n\u003cli\u003eAfter the victim ticks a checkbox, the site places a command on the clipboard and instructs the victim to paste and run it, the usual ClickFix pattern.\u003c/li\u003e\n\u003cli\u003eThe pasted command runs \u003ccode\u003efinger.exe\u003c/code\u003e, a client that ships with Windows, to query \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efinger.exe\u003c/code\u003e retrieves a batch script from the C2 server; the script comes back as the plain-text finger response rather than as a browser download.\u003c/li\u003e\n\u003cli\u003eThe batch script downloads and executes the next-stage payloads.\u003c/li\u003e\n\u003cli\u003eCastleLoader is deployed and subsequently drops NetSupport RAT and CastleStealer.\u003c/li\u003e\n\u003cli\u003eNetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activities, including financial fraud, identity theft, and unauthorized access to sensitive accounts. 
The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003efinger.exe\u003c/code\u003e with command-line arguments pointing to external domains; finger takes its target as \u003ccode\u003euser@host\u003c/code\u003e, so the host after the \u003ccode\u003e@\u003c/code\u003e is the field to inspect (IOC: \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of \u003ccode\u003efinger.exe\u003c/code\u003e to identify potential initial access attempts. \u003ccode\u003efinger.exe\u003c/code\u003e ships with Windows but is almost never invoked by legitimate software, and it is a documented LOLBAS download primitive, so in most fleets any execution is worth an alert, not only one naming the known domain.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e at the DNS resolver to prevent initial payload delivery. The finger protocol uses TCP port 79, so blocking outbound port 79 at the perimeter also breaks this stage for domains that are not yet known.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: \u003ccode\u003eporonto[.]com:688\u003c/code\u003e, \u003ccode\u003egiovettiadv[.]com:688\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T13:00:00Z","date_published":"2026-04-30T13:00:00Z","id":"/briefs/2026-04-clickfix-backgroundfix/","summary":"The 'BackgroundFix' ClickFix campaign lures victims to a fake free image-editing site and tricks them into running a clipboard command that fetches malware, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.","title":"ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer","url":"https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Google Workspace"],"_cs_severities":["medium"],"_cs_tags":["googleworkspace","intrusion","initial-access","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis alert focuses on identifying potentially malicious login attempts within 
Google Workspace environments. The detection keys on the login audit event named \u003ccode\u003egov_attack_warning\u003c/code\u003e, which Google records when its own threat intelligence concludes that a government-backed actor may be trying to access the account. The event signals targeting rather than a confirmed successful login, and Google does not expose who is behind it, but it marks a critical area for investigation in organizations using Google Workspace, especially those handling sensitive data or operating in sectors of interest to nation-state actors. This detection provides an early warning of potential compromise or data exfiltration attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker attempts to log into a Google Workspace account using compromised or brute-forced credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLogin Attempt:\u003c/strong\u003e The attempt triggers a \u003ccode\u003egov_attack_warning\u003c/code\u003e event in the Google Workspace login audit log, indicating a potential government-backed threat actor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Potential):\u003c/strong\u003e If the compromised account holds admin roles, the attacker may use them to assign further roles or create additional administrator accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (Potential):\u003c/strong\u003e The attacker may attempt to disable security features such as 2-Step Verification or change recovery options; Google-managed audit logs cannot be edited by the account holder, so the login and admin audit logs remain a reliable record.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Potential):\u003c/strong\u003e The attacker may establish persistent access through methods such as authorizing rogue OAuth apps or modifying account settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker gains access to sensitive data stored within Google Workspace, such as documents, emails, and 
files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Potential):\u003c/strong\u003e The attacker exfiltrates the stolen data to an external location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The organization suffers a data breach, reputational damage, and potential financial losses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to the compromise of sensitive data within the Google Workspace environment, including confidential documents, emails, and other business-critical information. The potential consequences range from reputational damage and legal liabilities to financial losses and disruption of business operations. The number of affected users and the severity of the impact will depend on the scope of the attacker\u0026rsquo;s access and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003egov_attack_warning\u003c/code\u003e events in Google Workspace login audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts promptly, focusing on the affected user account and associated activity; in particular, check whether a \u003ccode\u003elogin_success\u003c/code\u003e event for the same user followed from an unfamiliar IP address or device.\u003c/li\u003e\n\u003cli\u003eReview the Google Workspace audit logs for any suspicious activity leading up to the \u003ccode\u003egov_attack_warning\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eEnforce 2-Step Verification for all Google Workspace accounts, preferably with security keys for those with elevated privileges, and consider Google\u0026rsquo;s Advanced Protection Program for users who receive these warnings.\u003c/li\u003e\n\u003cli\u003eMonitor Google Workspace activity logs for suspicious patterns, such as unusual login locations, failed login attempts, and changes to account settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T00:48:14Z","date_published":"2026-04-28T00:48:14Z","id":"/briefs/2024-01-23-gworkspace-govattack/","summary":"A Google Workspace 
login attempt flagged as a potential attack by a government-backed threat actor, indicating potential privilege escalation, defense evasion, persistence, initial access, or impact.","title":"Google Workspace Login Attempt with Government Attack Warning","url":"https://feed.craftedsignal.io/briefs/2024-01-23-gworkspace-govattack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Google Workspace"],"_cs_severities":["medium"],"_cs_tags":["initial-access","privilege-escalation","defense-evasion","persistence","gworkspace"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis brief focuses on detecting suspicious login activity within Google Workspace environments, as flagged by Google\u0026rsquo;s internal risk assessment mechanisms. Google Workspace logs login events and classifies them based on various risk factors, including the use of less secure applications, programmatic logins, and other anomalies. This detection capability is crucial for identifying potential compromises, unauthorized access attempts, and malicious activities within the Google Workspace ecosystem. Analyzing these flagged events allows security teams to proactively respond to threats before they escalate, preventing data breaches and maintaining the integrity of sensitive information. 
This alert focuses on logins classified as \u0026lsquo;suspicious_login_less_secure_app\u0026rsquo;, \u0026lsquo;suspicious_login\u0026rsquo;, and \u0026lsquo;suspicious_programmatic_login\u0026rsquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access using compromised credentials or brute-force techniques targeting Google Workspace accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLogin Attempt:\u003c/strong\u003e The attacker attempts to log in to a Google Workspace account using a less secure application (e.g., an older email client without modern authentication) or via programmatic login.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuspicious Activity Detection:\u003c/strong\u003e Google\u0026rsquo;s internal systems analyze the login attempt and flag it as suspicious based on various risk factors, such as unusual location, time of day, or login method.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvent Logging:\u003c/strong\u003e Google Workspace logs the suspicious login event, including the reason for the classification (e.g., \u0026lsquo;suspicious_login_less_secure_app\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Privilege Escalation:\u003c/strong\u003e Upon successful login, the attacker may attempt to escalate privileges within the Google Workspace environment to gain broader access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker might use techniques to evade detection, such as disabling security features or modifying audit logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating new accounts, modifying existing ones, or installing malicious apps.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Malicious 
Activity:\u003c/strong\u003e The attacker uses the compromised account to exfiltrate sensitive data or perform other malicious activities, such as sending phishing emails.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data stored within Google Workspace, including emails, documents, and other files. This can result in data breaches, financial loss, and reputational damage. The number of affected users depends on the scope of the compromised account and the attacker\u0026rsquo;s ability to escalate privileges. Targeted sectors are broad, affecting any organization relying on Google Workspace for collaboration and data storage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious login activity classified by Google Workspace (logsource: \u003ccode\u003egcp\u003c/code\u003e, service: \u003ccode\u003egoogle_workspace.login\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the login attempt and take appropriate action, such as resetting the password, signing the user out of all active sessions, or disabling the compromised account.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all Google Workspace accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eDisable or restrict the use of less secure apps (password-only access) within Google Workspace to reduce the attack surface. Google has been retiring this access for Workspace; where the setting is still present, keep it off and move any remaining legacy clients to OAuth.\u003c/li\u003e\n\u003cli\u003eMonitor Google Workspace audit logs for other suspicious activities, such as unusual file access or data exfiltration attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T10:00:00Z","date_published":"2024-01-26T10:00:00Z","id":"/briefs/2024-01-26-gworkspace-suspicious-login/","summary":"Detect Google Workspace login activity that Google has 
classified as suspicious, potentially indicating initial access, privilege escalation, defense evasion, or persistence attempts.","title":"Google Workspace Suspicious Login Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-26-gworkspace-suspicious-login/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Google Workspace"],"_cs_severities":["medium"],"_cs_tags":["data-leakage","gworkspace","email-forwarding"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis brief focuses on detecting unauthorized email forwarding to external domains within Google Workspace environments. The primary concern is the potential for data exfiltration or misuse by malicious insiders or threat actors who have compromised user accounts. The activity is logged by Google Workspace and can be monitored using the Google Workspace Admin Reports API. The event name associated with this activity is \u003ccode\u003eemail_forwarding_out_of_domain\u003c/code\u003e, which is generated when a user configures automatic email forwarding to an address outside the organization\u0026rsquo;s domain. 
Successful exploitation of this technique can lead to the leakage of sensitive information, intellectual property theft, or compliance violations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Google Workspace user account, potentially through phishing, credential stuffing, or other methods.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Gmail settings for the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker configures automatic email forwarding to an external email address controlled by the attacker (e.g., a Gmail, Outlook, or ProtonMail address). Gmail confirms a new forwarding address by emailing it a verification code, which the attacker can complete because they control the destination; the \u003ccode\u003eemail_forwarding_out_of_domain\u003c/code\u003e event is what defenders see of this step.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up filters to forward specific types of emails, such as those containing sensitive keywords or originating from key personnel.\u003c/li\u003e\n\u003cli\u003eLegitimate emails are received by the compromised user and automatically forwarded to the external address.\u003c/li\u003e\n\u003cli\u003eThe attacker collects the forwarded emails, extracting sensitive data or using it for further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker hides the activity from the account owner, for example with a filter that archives or deletes the forwarded messages, or removes the forwarding rule once the data has been collected. The Google-managed audit logs cannot be deleted by the account holder, so the original event remains available to defenders.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of unauthorized email forwarding can lead to significant data breaches, intellectual property theft, and compliance violations. The impact can range from exposure of sensitive customer data to the loss of competitive advantage due to stolen trade secrets. 
Depending on the volume and nature of the data exfiltrated, organizations may face legal and regulatory penalties, as well as reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003eemail_forwarding_out_of_domain\u003c/code\u003e events in Google Workspace logs (logsource: \u003ccode\u003egcp\u003c/code\u003e, service: \u003ccode\u003egoogle_workspace.login\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the email forwarding configuration.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Google Workspace accounts to reduce the risk of account compromise.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit email forwarding rules to identify and remove any unauthorized configurations.\u003c/li\u003e\n\u003cli\u003eTrain users to recognize and report phishing attempts to prevent account compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gworkspace-email-forwarding/","summary":"Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse by malicious insiders or compromised accounts.","title":"Detection of Out-of-Domain Email Forwarding in Google Workspace","url":"https://feed.craftedsignal.io/briefs/2024-01-gworkspace-email-forwarding/"}],"language":"en","title":"CraftedSignal Threat Feed — Google Workspace","version":"https://jsonfeed.org/version/1.1"}
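Each of the four briefs above ends with the same recommendation: deploy the Sigma rule and investigate what it matches. The following is an added example, not CraftedSignal's code and not their published Sigma rules. It is a minimal Sigma-style matcher (field modifiers contains, startswith, endswith and re; list values as OR; selection-and-not-filter semantics) that evaluates rules restating each brief's detection against constructed sample events: finger.exe with a remote host after the @ (the BackgroundFix brief), and the Google Workspace login audit events gov_attack_warning, suspicious_login / suspicious_login_less_secure_app / suspicious_programmatic_login, and email_forwarding_out_of_domain. It assumes the Workspace records are in the Admin SDK Reports API activities.list shape and uses flattened field paths rather than the Sigma field taxonomy; example.com, corp.example and partner.example are hypothetical tenant, internal and approved-partner domains; the parameter name email_forwarding_destination_address should be checked against your tenant's own logs; all events are constructed.

```python
# Added example, not CraftedSignal's code or Sigma rules: a minimal Sigma-style matcher
# applying the detections the four briefs above recommend to constructed sample events.
# Assumptions: Google Workspace fields are flattened Reports API paths (not the Sigma
# taxonomy); corp.example / partner.example are hypothetical internal and partner domains.
import re

RULES = [
    {"title": "finger.exe querying a remote host (LOLBAS download primitive)", "severity": "high",
     "logsource": "process_creation",
     "selection": {"Image|endswith": "\\finger.exe", "CommandLine|contains": "@"},
     "filter": {"CommandLine|contains": "@corp.example"}},  # Sigma: selection and not filter
    {"title": "Google Workspace government-backed attack warning", "severity": "high",
     "logsource": "gws_login", "selection": {"event.name": "gov_attack_warning"}},
    {"title": "Google Workspace suspicious login", "severity": "medium", "logsource": "gws_login",
     "selection": {"event.name": ["suspicious_login", "suspicious_login_less_secure_app",
                                  "suspicious_programmatic_login"]}},  # list value = OR
    {"title": "Gmail auto-forwarding to an external address", "severity": "medium",
     "logsource": "gws_login", "selection": {"event.name": "email_forwarding_out_of_domain"},
     "filter": {"event.parameters.email_forwarding_destination_address|endswith": "@partner.example"}},
]

def gws(actor, name, **params):
    """Constructed Admin SDK Reports API login-audit record (activities.list shape)."""
    return {"_source": "gws_login", "id": {"applicationName": "login"}, "actor": {"email": actor},
            "ipAddress": "203.0.113.5", "events": [{"type": "login", "name": name,
            "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}

def proc(image, cmdline, user):
    """Constructed Sysmon-style process-creation record."""
    return {"_source": "process_creation", "Image": image, "CommandLine": cmdline, "User": user}

SAMPLE_EVENTS = [  # all constructed; cheeshomireciple.com is the C2 named in the BackgroundFix brief
    proc("C:\\Windows\\System32\\finger.exe", "finger.exe x@cheeshomireciple.com", "CORP\\bob"),
    proc("C:\\Windows\\System32\\finger.exe", "finger.exe ops@corp.example", "CORP\\itadmin"),
    gws("alice@example.com", "gov_attack_warning"),
    gws("carol@example.com", "login_success"),
    gws("dave@example.com", "suspicious_programmatic_login"),
    gws("erin@example.com", "email_forwarding_out_of_domain",
        email_forwarding_destination_address="erin.personal@mail.example.net"),
    gws("frank@example.com", "email_forwarding_out_of_domain",
        email_forwarding_destination_address="frank@partner.example"),
]

def flatten(obj, prefix=""):
    """Nested dicts -> dotted keys; a Reports API 'parameters' list -> 'parameters.<name>': value."""
    flat = {}
    for key, value in obj.items():
        path = prefix + key
        if key == "parameters" and isinstance(value, list):
            flat.update({f"{path}.{p['name']}": p.get("value") for p in value})
        elif isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat

def expand(record):
    """One flat dict per audit event; records without an 'events' list pass through whole."""
    events = record.get("events")
    if not isinstance(events, list):
        return [flatten(record)]
    base = flatten({k: v for k, v in record.items() if k != "events"})
    return [{**base, **flatten(event, "event.")} for event in events]

def field_matches(actual, modifier, wanted):
    """One Sigma field test: plain/contains/startswith/endswith are case-insensitive, 're' is a regex."""
    if actual is None:
        return False
    actual = str(actual)
    for w in (wanted if isinstance(wanted, list) else [wanted]):  # list values are OR
        if modifier == "re":
            ok = re.search(str(w), actual) is not None
        else:
            a, w = actual.lower(), str(w).lower()
            ok = {"": a == w, "contains": w in a, "startswith": a.startswith(w),
                  "endswith": a.endswith(w)}.get(modifier, False)
        if ok:
            return True
    return False

def selection_matches(selection, flat):
    """All fields of a selection must match (Sigma AND)."""
    for spec, wanted in selection.items():
        field, _, modifier = spec.partition("|")
        if not field_matches(flat.get(field), modifier, wanted):
            return False
    return True

def run(rules, records):
    """Apply every rule to every event with Sigma's 'selection and not filter' semantics."""
    hits = []
    for flat in (f for r in records for f in expand(r)):
        for rule in rules:
            if rule["logsource"] != flat.get("_source") or not selection_matches(rule["selection"], flat):
                continue
            if "filter" in rule and selection_matches(rule["filter"], flat):
                continue  # allowlisted case
            detail = flat.get("CommandLine") or flat.get("event.parameters.email_forwarding_destination_address")
            hits.append({"rule": rule["title"], "severity": rule["severity"],
                         "subject": flat.get("actor.email") or flat.get("User"),
                         "detail": detail or flat.get("event.name")})
    return hits
```

Calling run(RULES, SAMPLE_EVENTS) yields four hits: bob's finger.exe query, alice's government-backed attack warning, dave's programmatic login, and erin's forwarding to mail.example.net. The itadmin and frank records exercise the filter branch. Those filters exist only to show the selection-and-not-filter shape; in most environments you would alert on any finger.exe execution regardless of the host, and any allowlisting of forwarding destinations should be a deliberate, reviewed decision rather than a convenience.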