{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/data-leakage/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Google Workspace"],"_cs_severities":["medium"],"_cs_tags":["data-leakage","gworkspace","email-forwarding"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis brief covers detection of unauthorized email forwarding to external domains in Google Workspace. The concern is data exfiltration by malicious insiders or by threat actors who have compromised a user account: once forwarding is in place, every message the victim receives is copied out of the tenant with no further interaction from the attacker. Google Workspace records the configuration change in the Login audit log, which the Admin Reports API exposes as the \u003ccode\u003elogin\u003c/code\u003e application. The event name is \u003ccode\u003eemail_forwarding_out_of_domain\u003c/code\u003e; it is generated when a user configures automatic forwarding to an address outside the organization\u0026rsquo;s domains, and the destination address is carried in the event parameters. 
The event is emitted when forwarding is configured, not each time a message is forwarded, so detection has to act on the configuration change itself.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Google Workspace user account, for example through phishing, credential stuffing, or session token theft.\u003c/li\u003e\n\u003cli\u003eThe attacker opens the Gmail settings of the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker configures automatic email forwarding to an external address under their control (for example a Gmail, Outlook, or ProtonMail mailbox). This is the step that generates the \u003ccode\u003eemail_forwarding_out_of_domain\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eOptionally, the attacker adds Gmail filters so that only selected mail is forwarded, such as messages containing sensitive keywords or sent by key personnel, which keeps the forwarded volume low and the activity less conspicuous.\u003c/li\u003e\n\u003cli\u003eLegitimate mail arrives in the compromised mailbox and is automatically forwarded to the external address.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the forwarded mail at their leisure, extracting sensitive data or using it for further activity such as business email compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks, for example by removing the forwarding rule or filter once the needed mail has been collected. Workspace audit logs are retained by Google and cannot be deleted from a compromised user account, so the original \u003ccode\u003eemail_forwarding_out_of_domain\u003c/code\u003e event remains available to investigators even after the rule is gone.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eUnauthorized email forwarding can lead to significant data breaches, intellectual property theft, and compliance violations. The impact ranges from exposure of sensitive customer data to the loss of competitive advantage through stolen trade secrets. 
Depending on the volume and nature of the data exfiltrated, organizations may face legal and regulatory penalties as well as reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003eemail_forwarding_out_of_domain\u003c/code\u003e events in Google Workspace logs (logsource: \u003ccode\u003egcp\u003c/code\u003e, service: \u003ccode\u003egoogle_workspace.login\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate every alert to establish whether the forwarding configuration is legitimate: who the actor is, from which IP address the change was made, and where the destination address points. Tune with an allowlist of approved external destinations (a partner or archiving service, for example) matched on the full destination domain rather than on a substring, so that lookalike domains still alert.\u003c/li\u003e\n\u003cli\u003eWhere the business does not need it, disable automatic forwarding for end users in the Admin console (Gmail end-user access settings) so the technique is unavailable in the first place.\u003c/li\u003e\n\u003cli\u003eEnforce 2-Step Verification (Google\u0026rsquo;s MFA) for all Google Workspace accounts to reduce the risk of account compromise.\u003c/li\u003e\n\u003cli\u003eRegularly enumerate and audit existing forwarding settings and filters. The event is emitted only at configuration time, so a forwarding rule created before log collection began will never produce an alert and can only be found by review.\u003c/li\u003e\n\u003cli\u003eTrain users to recognize and report phishing attempts to prevent account compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gworkspace-email-forwarding/","summary":"Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse by malicious insiders or compromised accounts.","title":"Detection of Out-of-Domain Email Forwarding in Google Workspace","url":"https://feed.craftedsignal.io/briefs/2024-01-gworkspace-email-forwarding/"}],"language":"en","title":"CraftedSignal Threat Feed — Data-Leakage","version":"https://jsonfeed.org/version/1.1"}
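The following is an added example, not code from the CraftedSignal brief or the Sigma rule it refers to. It shows the detection and triage logic the brief describes, run offline over constructed Admin Reports API `login` activity records shaped like those returned by `reports.activities.list`. The tenant domains (`example.com`), the allowlisted partner domain (`partner.example.net`), the sample actors, IP addresses and destinations are all assumptions; the parameter name `email_forwarding_destination_address` is the one Google documents for this event, but verify it against your own logs before relying on it. The allowlist is matched on the full destination domain, so a lookalike such as `example.com.attacker-controlled.net` still alerts.

```python
# Added example (not from the CraftedSignal brief): triage of Google Workspace
# Admin Reports API "login" activity records for email_forwarding_out_of_domain.
# ORG_DOMAINS, ALLOWLISTED_DOMAINS and SAMPLE_ACTIVITIES are constructed.
from collections import defaultdict

EVENT_NAME = "email_forwarding_out_of_domain"
APPLICATION = "login"  # Login audit log, where Google surfaces this event
DEST_PARAM = "email_forwarding_destination_address"  # assumed parameter name; verify in your logs

ORG_DOMAINS = {"example.com"}                   # assumed tenant domains
ALLOWLISTED_DOMAINS = {"partner.example.net"}   # assumed, reviewed external destinations

# Constructed records in the shape returned by reports.activities.list.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-01-03T09:12:44.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.10",
     "events": [{"type": "login", "name": EVENT_NAME,
                 "parameters": [{"name": DEST_PARAM, "value": "alice.personal@gmail.com"}]}]},
    {"id": {"time": "2024-01-03T09:20:01.000Z", "applicationName": "login"},
     "actor": {"email": "bob@example.com"}, "ipAddress": "198.51.100.7",
     "events": [{"type": "login", "name": EVENT_NAME,
                 "parameters": [{"name": DEST_PARAM, "value": "bob@partner.example.net"}]}]},
    {"id": {"time": "2024-01-03T10:05:30.000Z", "applicationName": "login"},
     "actor": {"email": "carol@example.com"}, "ipAddress": "203.0.113.55",
     "events": [{"type": "login", "name": EVENT_NAME,
                 "parameters": [{"name": DEST_PARAM,
                                 "value": "carol@example.com.attacker-controlled.net"}]}]},
    {"id": {"time": "2024-01-03T10:06:00.000Z", "applicationName": "login"},
     "actor": {"email": "dave@example.com"}, "ipAddress": "203.0.113.56",
     "events": [{"type": "login", "name": "login_success", "parameters": []}]},
]


def destination_domain(address):
    """Return the lower-cased domain part of an address, or '' if malformed."""
    local, sep, domain = address.rpartition("@")
    return domain.strip().lower() if sep and local else ""


def classify_destination(address):
    """Exact-domain matching. A substring test such as 'example.com' in address
    is bypassable with lookalikes like example.com.attacker-controlled.net."""
    domain = destination_domain(address)
    if not domain:
        return "malformed"
    if domain in ORG_DOMAINS:
        return "internal"
    if domain in ALLOWLISTED_DOMAINS:
        return "allowlisted"
    return "alert"


def forwarding_events(activities):
    """Yield one flat record per email_forwarding_out_of_domain event."""
    for act in activities:
        if act.get("id", {}).get("applicationName") != APPLICATION:
            continue
        for ev in act.get("events", []):
            if ev.get("name") != EVENT_NAME:
                continue
            params = {p.get("name"): p.get("value") for p in ev.get("parameters", [])}
            dest = params.get(DEST_PARAM) or ""
            yield {"time": act["id"].get("time"),
                   "actor": act.get("actor", {}).get("email"),
                   "ip": act.get("ipAddress"),
                   "destination": dest,
                   "verdict": classify_destination(dest)}


def triage(activities):
    """Group forwarding events by verdict; the 'alert' bucket goes to the analyst."""
    buckets = defaultdict(list)
    for rec in forwarding_events(activities):
        buckets[rec["verdict"]].append(rec)
    return dict(buckets)


def fetch_live(reports_service, start_time):
    """Optional live pull with google-api-python-client (not exercised offline).
    reports_service is an authorised admin/reports_v1 client with the
    admin.reports.audit.readonly scope; results are paged via nextPageToken."""
    page_token = None
    while True:
        resp = reports_service.activities().list(
            userKey="all", applicationName=APPLICATION, eventName=EVENT_NAME,
            startTime=start_time, pageToken=page_token).execute()
        yield from resp.get("items", [])
        page_token = resp.get("nextPageToken")
        if not page_token:
            break


if __name__ == "__main__":
    for rec in triage(SAMPLE_ACTIVITIES).get("alert", []):
        print(f"{rec['time']} {rec['actor']} -> {rec['destination']} from {rec['ip']}")
```

Run as a script it prints the two alerts (alice's Gmail address and carol's lookalike domain) and suppresses bob's allowlisted partner destination; the `login_success` record is ignored because only the event name, not the application, identifies forwarding. To feed real data, pass the records yielded by `fetch_live` to `triage` instead of `SAMPLE_ACTIVITIES`.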