Skip to content
Threat Feed

Tag

Google-Workspace

4 briefs RSS
medium advisory

Google Workspace Custom Admin Role Created for Persistence

Adversaries may create custom administrative roles in Google Workspace to establish persistence with tailored, elevated permissions, which are then assigned to compromised or attacker-controlled accounts to bypass security controls, grant OAuth access, or modify mail routing.

Google Workspace google-workspace cloud-security persistence privilege-escalation iam
1r 2t
high advisory

Google Workspace Admin Role Assigned to a User or Group

Adversaries leverage the assignment of administrative roles within Google Workspace to an existing or new user/group, establishing persistence and escalating privileges to gain broad control over the tenant, including bypassing single sign-on.

Google Workspace cloud-security google-workspace persistence privilege-escalation account-manipulation saas-security
2r 2t
medium advisory

Google Workspace Admin Role Deletion

Adversaries with elevated privileges within Google Workspace may delete custom administrative roles to impede security operations, remove delegated administrator access, or obfuscate their activities during an active incident, leading to disrupted delegated administration, loss of security team access, or hindrance of incident response efforts.

Google Workspace cloud google-workspace identity-and-access-audit impact defense-evasion admin-role-deletion
2r 2t
high advisory

Google Workspace Device Registration After OAuth from Suspicious ASN

Detects a sequence of events in Google Workspace where OAuth authorization from a suspicious ASN is immediately followed by device registration, potentially indicating attacker-controlled device enrollment after user authorization of a sensitive client, possibly related to Tycoon2FA.

Google Workspace cloud google-workspace persistence initial-access tycoon2fa
2r 2t