Attack Chain

1. An attacker gains unauthorized access to a Google Workspace user account, potentially through phishing, credential stuffing, or other methods.
2. The attacker navigates to the Gmail settings for the compromised account.
3. The attacker configures automatic email forwarding to an external email address controlled by the attacker (e.g., a Gmail, Outlook, or ProtonMail address).
4. The attacker sets up filters to forward specific types of emails, such as those containing sensitive keywords or originating from key personnel.
5. Legitimate emails are received by the compromised user and automatically forwarded to the external address.
6. The attacker collects the forwarded emails, extracting sensitive data or using it for further malicious activities.
7. The attacker covers their tracks by deleting audit logs or modifying forwarding rules.

Impact

Successful exploitation of unauthorized email forwarding can lead to significant data breaches, intellectual property theft, and compliance violations. The impact can range from exposure of sensitive customer data to the loss of competitive advantage due to stolen trade secrets. Depending on the volume and nature of the data exfiltrated, organizations may face legal and regulatory penalties, as well as reputational damage.

Recommendation

• Deploy the provided Sigma rule to your SIEM to detect email_forwarding_out_of_domain events in Google Workspace logs (logsource: gcp, service: google_workspace.login).
• Investigate any alerts generated by the Sigma rule to determine the legitimacy of the email forwarding configuration.
• Implement multi-factor authentication (MFA) for all Google Workspace accounts to reduce the risk of account compromise.
• Regularly review and audit email forwarding rules to identify and remove any unauthorized configurations.
• Train users to recognize and report phishing attempts to prevent account compromise.