{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/device_registration/feed.json",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["Google Workspace"],
      "_cs_severities": ["medium"],
      "_cs_tags": ["google_workspace", "device_registration", "persistence", "initial_access", "credential_access"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Google"],
      "content_html": "\u003cp\u003eThis detection identifies anomalous Google Workspace device registration activity indicative of adversary-in-the-middle (AiTM) phishing or stolen OAuth token replay attacks. The rule focuses on bursts of \u003ccode\u003eDEVICE_REGISTER_UNREGISTER_EVENT\u003c/code\u003e logs where a single user registers three or more distinct device IDs within a one-minute window. While legitimate session/sync registrations can trigger this event, a high-cardinality burst is rare and suggests malicious activity, such as a phishing kit relaying user sign-ins or token-replay tooling driving multiple sessions against a stolen OAuth refresh token. This activity can lead to account compromise, data exfiltration, and unauthorized access to Google Workspace resources. The rule leverages Google Workspace device logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker initiates a phishing campaign targeting Google Workspace users (T1566).\u003c/li\u003e\n\u003cli\u003eThe victim clicks a malicious link, leading to an AiTM phishing kit or a credential harvesting page (T1566.001).\u003c/li\u003e\n\u003cli\u003eThe attacker relays the victim\u0026rsquo;s credentials to Google, successfully authenticating and bypassing multi-factor authentication (MFA) if present (T1557).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s relay or stolen OAuth token replay tooling registers multiple device contexts in rapid succession, generating multiple \u003ccode\u003eDEVICE_REGISTER_UNREGISTER_EVENT\u003c/code\u003e logs with distinct \u003ccode\u003egoogle_workspace.device.id\u003c/code\u003e values (T1098.005).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly registered devices or replayed tokens to gain persistent access to the victim\u0026rsquo;s Google Workspace account (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as accessing sensitive data, modifying account settings, or sending malicious emails (T1530).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to account compromise, unauthorized access to sensitive data within Google Workspace, and potential business email compromise (BEC). The attacker could exfiltrate data, modify account settings, or use the compromised account to further propagate attacks within the organization. The impact is magnified if the compromised user has elevated privileges or access to critical resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Google Workspace Device Registration Burst for Single User\u003c/code\u003e to detect suspicious bursts of device registrations (Log Source: Google Workspace Device Logs).\u003c/li\u003e\n\u003cli\u003eInvestigate users triggering the rule, focusing on device fingerprint consistency and preceding login events, as described in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eCross-reference \u003ccode\u003elogs-google_workspace.login\u003c/code\u003e events for successful logins preceding the burst, examining \u003ccode\u003esource.geo.country_name\u003c/code\u003e, \u003ccode\u003esource.as.organization.name\u003c/code\u003e, and \u003ccode\u003euser_agent.original\u003c/code\u003e for anomalies.\u003c/li\u003e\n\u003cli\u003eRevoke OAuth tokens for affected users (\u003ccode\u003eDELETE /admin/directory/v1/users/\u0026lt;email\u0026gt;/tokens/\u0026lt;clientId\u0026gt;\u003c/code\u003e) if compromise is suspected, as mentioned in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-05-28T14:10:07Z",
      "date_published": "2026-05-28T14:10:07Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-05-google-workspace-device-registration-burst/",
      "summary": "Detects bursts of Google Workspace device registration events for a single user exceeding three distinct device registrations within one minute, indicative of AiTM phishing or stolen OAuth token replay attacks.",
      "title": "Google Workspace Device Registration Burst for Single User",
      "url": "https://feed.craftedsignal.io/briefs/2026-05-google-workspace-device-registration-burst/"
    },
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["Google Workspace"],
      "_cs_severities": ["medium"],
      "_cs_tags": ["google_workspace", "persistence", "account_compromise", "device_registration"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Google"],
      "content_html": "\u003cp\u003eThis detection rule identifies anomalous Google Workspace device registrations, specifically focusing on deviations from a user\u0026rsquo;s typical device type. It leverages Google Workspace device logs to detect when a user authenticates from a device type (e.g., WINDOWS, MAC, ANDROID, IOS, LINUX) that has not been associated with them within a 14-day historical window. The rule does not flag new physical device enrollments, as the Google Reports API generates fresh device IDs on each event. Instead, it highlights situations where an attacker, using compromised credentials obtained through AiTM kits or stolen OAuth tokens, accesses a Workspace account from a device type different from the user\u0026rsquo;s established pattern. This is a strong indicator of compromise, as these kits often relay sessions through unusual device fingerprints, such as a Windows session for a macOS user, or concurrent sessions from different OS types. Because refresh tokens persist across password resets, focus on token revocation for remediation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a user\u0026rsquo;s Google Workspace credentials through AiTM phishing or steals an OAuth refresh token.\u003c/li\u003e\n\u003cli\u003eAttacker uses the stolen credentials or token to authenticate to Google Workspace.\u003c/li\u003e\n\u003cli\u003eGoogle Workspace logs a \u003ccode\u003eDEVICE_REGISTER_UNREGISTER_EVENT\u003c/code\u003e with a new \u003ccode\u003egoogle_workspace.device.id\u003c/code\u003e associated with the session.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses Google Workspace resources like Gmail, Drive, or Calendar.\u003c/li\u003e\n\u003cli\u003eThe attacker may create new OAuth tokens for persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to move laterally to other cloud resources accessible via the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker persists by maintaining access through the stolen credentials and newly created OAuth tokens.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in unauthorized access to sensitive data within Google Workspace, including emails, documents, and calendar information. Attackers can exfiltrate data, escalate privileges, and potentially move laterally to other cloud resources. The compromise can persist even after a password reset due to the nature of OAuth refresh tokens. Affected sectors depend on the victim organization but may include any industry using Google Workspace.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Google Workspace User Sign-in from Atypical Device Type\u0026rdquo; to detect anomalous device registrations (rule).\u003c/li\u003e\n\u003cli\u003eWhen an atypical device registration is detected, immediately suspend the user, revoke all OAuth tokens, reset the password, and clear recovery email/phone, as detailed in the rule\u0026rsquo;s \u0026ldquo;Response and remediation\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eInvestigate \u003ccode\u003elogs-google_workspace.login\u003c/code\u003e events for the same user in the 24 hours leading up to the device registration, looking for suspicious ASN, country, and user agent patterns, as described in the rule\u0026rsquo;s \u0026ldquo;Possible investigation steps\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003elogs-google_workspace.token\u003c/code\u003e events for \u003ccode\u003eevent.action: \u0026quot;authorize\u0026quot;\u003c/code\u003e events around the device registration time to identify newly minted OAuth tokens (rule\u0026rsquo;s \u0026ldquo;Possible investigation steps\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-05-28T14:09:50Z",
      "date_published": "2026-05-28T14:09:50Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-05-google-workspace-atypical-device/",
      "summary": "This rule detects when a Google Workspace user authenticates from a device type that hasn't been observed for that user in the past 14 days, potentially indicating account compromise via AiTM kits or stolen OAuth refresh tokens.",
      "title": "Google Workspace User Sign-in from Atypical Device Type",
      "url": "https://feed.craftedsignal.io/briefs/2026-05-google-workspace-atypical-device/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Device_registration",
  "version": "https://jsonfeed.org/version/1.1"
}