Tag
medium
advisory
Google Workspace Device Registration Burst for Single User
1 rule 3 TTPsDetects bursts of Google Workspace device registration events for a single user exceeding three distinct device registrations within one minute, indicative of AiTM phishing or stolen OAuth token replay attacks.
Google Workspace
google_workspace
device_registration
persistence
initial_access
credential_access
1r
3t
medium
advisory
Google Workspace User Sign-in from Atypical Device Type
2 rules 2 TTPsThis rule detects when a Google Workspace user authenticates from a device type that hasn't been observed for that user in the past 14 days, potentially indicating account compromise via AiTM kits or stolen OAuth refresh tokens.
Google Workspace
google_workspace
persistence
account_compromise
device_registration
2r
2t