https://feed.craftedsignal.io/tags/device_registration/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 28 May 2026 14:10:07 +0000https://feed.craftedsignal.io/briefs/2026-05-google-workspace-device-registration-burst/Thu, 28 May 2026 14:10:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-google-workspace-device-registration-burst/Detects bursts of Google Workspace device registration events for a single user exceeding three distinct device registrations within one minute, indicative of AiTM phishing or stolen OAuth token replay attacks.This detection identifies anomalous Google Workspace device registration activity indicative of adversary-in-the-middle (AiTM) phishing or stolen OAuth token replay attacks. The rule focuses on bursts of DEVICE_REGISTER_UNREGISTER_EVENT logs where a single user registers three or more distinct device IDs within a one-minute window. While legitimate session/sync registrations can trigger this event, a high-cardinality burst is rare and suggests malicious activity, such as a phishing kit relaying user sign-ins or token-replay tooling driving multiple sessions against a stolen OAuth refresh token. This activity can lead to account compromise, data exfiltration, and unauthorized access to Google Workspace resources. The rule leverages Google Workspace device logs.

Attack Chain

1. The attacker initiates a phishing campaign targeting Google Workspace users (T1566).
2. The victim clicks a malicious link, leading to an AiTM phishing kit or a credential harvesting page (T1566.001).
3. The attacker relays the victim’s credentials to Google, successfully authenticating and bypassing multi-factor authentication (MFA) if present (T1557).
4. The attacker’s relay or stolen OAuth token replay tooling registers multiple device contexts in rapid succession, generating multiple DEVICE_REGISTER_UNREGISTER_EVENT logs with distinct google_workspace.device.id values (T1098.005).
5. The attacker leverages the newly registered devices or replayed tokens to gain persistent access to the victim’s Google Workspace account (T1078.004).
6. The attacker performs unauthorized actions, such as accessing sensitive data, modifying account settings, or sending malicious emails (T1530).

Impact

Successful exploitation can lead to account compromise, unauthorized access to sensitive data within Google Workspace, and potential business email compromise (BEC). The attacker could exfiltrate data, modify account settings, or use the compromised account to further propagate attacks within the organization. The impact is magnified if the compromised user has elevated privileges or access to critical resources.

Recommendation

• Deploy the provided Sigma rule Detect Google Workspace Device Registration Burst for Single User to detect suspicious bursts of device registrations (Log Source: Google Workspace Device Logs).
• Investigate users triggering the rule, focusing on device fingerprint consistency and preceding login events, as described in the rule’s note section.
• Cross-reference logs-google_workspace.login events for successful logins preceding the burst, examining source.geo.country_name, source.as.organization.name, and user_agent.original for anomalies.
• Revoke OAuth tokens for affected users (DELETE /admin/directory/v1/users/<email>/tokens/<clientId>) if compromise is suspected, as mentioned in the rule’s note section.

]]>mediumadvisorygoogle_workspacedevice_registrationpersistenceinitial_accesscredential_accesshttps://feed.craftedsignal.io/briefs/2026-05-google-workspace-atypical-device/Thu, 28 May 2026 14:09:50 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-google-workspace-atypical-device/This rule detects when a Google Workspace user authenticates from a device type that hasn't been observed for that user in the past 14 days, potentially indicating account compromise via AiTM kits or stolen OAuth refresh tokens.This detection rule identifies anomalous Google Workspace device registrations, specifically focusing on deviations from a user’s typical device type. It leverages Google Workspace device logs to detect when a user authenticates from a device type (e.g., WINDOWS, MAC, ANDROID, IOS, LINUX) that has not been associated with them within a 14-day historical window. The rule does not flag new physical device enrollments, as the Google Reports API generates fresh device IDs on each event. Instead, it highlights situations where an attacker, using compromised credentials obtained through AiTM kits or stolen OAuth tokens, accesses a Workspace account from a device type different from the user’s established pattern. This is a strong indicator of compromise, as these kits often relay sessions through unusual device fingerprints, such as a Windows session for a macOS user, or concurrent sessions from different OS types. Because refresh tokens persist across password resets, focus on token revocation for remediation.

Attack Chain

1. Attacker compromises a user’s Google Workspace credentials through AiTM phishing or steals an OAuth refresh token.
2. Attacker uses the stolen credentials or token to authenticate to Google Workspace.
3. Google Workspace logs a DEVICE_REGISTER_UNREGISTER_EVENT with a new google_workspace.device.id associated with the session.
4. The attacker accesses Google Workspace resources like Gmail, Drive, or Calendar.
5. The attacker may create new OAuth tokens for persistence.
6. The attacker exfiltrates sensitive data.
7. The attacker may attempt to move laterally to other cloud resources accessible via the compromised account.
8. The attacker persists by maintaining access through the stolen credentials and newly created OAuth tokens.

Impact

A successful attack can result in unauthorized access to sensitive data within Google Workspace, including emails, documents, and calendar information. Attackers can exfiltrate data, escalate privileges, and potentially move laterally to other cloud resources. The compromise can persist even after a password reset due to the nature of OAuth refresh tokens. Affected sectors depend on the victim organization but may include any industry using Google Workspace.

Recommendation

• Deploy the Sigma rule “Google Workspace User Sign-in from Atypical Device Type” to detect anomalous device registrations (rule).
• When an atypical device registration is detected, immediately suspend the user, revoke all OAuth tokens, reset the password, and clear recovery email/phone, as detailed in the rule’s “Response and remediation” section.
• Investigate logs-google_workspace.login events for the same user in the 24 hours leading up to the device registration, looking for suspicious ASN, country, and user agent patterns, as described in the rule’s “Possible investigation steps” section.
• Monitor logs-google_workspace.token events for event.action: "authorize" events around the device registration time to identify newly minted OAuth tokens (rule’s “Possible investigation steps”).

]]>mediumadvisorygoogle_workspacepersistenceaccount_compromisedevice_registration