{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/google-workspace/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Workspace"],"_cs_severities":["high"],"_cs_tags":["cloud","google-workspace","persistence","initial-access","tycoon2fa"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis detection identifies suspicious Google Workspace device registrations that may indicate a compromised account or attacker-controlled device enrollment. The rule looks for a specific sequence: a user authorizing a Google OAuth client from a high-risk Autonomous System Number (ASN), followed closely by a device registration event in which the device\u0026rsquo;s account state is \u0026ldquo;REGISTERED\u0026rdquo;. The goal is to catch attackers who, after obtaining OAuth access with compromised credentials (often routed through residential proxies), enroll a device of their own into the organization\u0026rsquo;s Google Workspace environment. This activity has been linked to Tycoon2FA phishing activity and is detailed further in Elastic\u0026rsquo;s Google Workspace attack surface research.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains the user\u0026rsquo;s credentials through phishing (T1566.002) or other means.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised credentials to initiate OAuth authorization for a sensitive Google OAuth client (client ID: 77185425430.apps.googleusercontent.com) from a high-risk ASN (e.g., 9009, 45102, 215540, 29802, 62240, 204957, 395092).\u003c/li\u003e\n\u003cli\u003eBecause the authorization is completed with the victim\u0026rsquo;s own credentials, Google Workspace records the grant as the user\u0026rsquo;s action; the victim is typically unaware of it.\u003c/li\u003e\n\u003cli\u003eImmediately after the OAuth authorization, the attacker triggers a device registration event in Google Workspace.\u003c/li\u003e\n\u003cli\u003eThe device registration event reports the account state as \u0026ldquo;REGISTERED,\u0026rdquo; indicating that the enrollment succeeded.\u003c/li\u003e\n\u003cli\u003eFrom the newly registered device the attacker can access sensitive data and act as the user.\u003c/li\u003e\n\u003cli\u003eThe registered device gives the attacker persistence (T1098.005, Account Manipulation: Device Registration) and a foothold for further movement within the Google Workspace environment.\u003c/li\u003e\n\u003cli\u003eFinal objectives can include data exfiltration, business email compromise, or compromise of other accounts and systems within the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful compromise gives the attacker unauthorized access to sensitive Google Workspace data, including email, documents, and connected applications, which can result in data breaches, financial loss, and reputational damage. The registered device lets the attacker maintain persistence in the Google Workspace environment and keep reading or manipulating data over an extended period. This rule aims to catch the early stage of the chain, the enrollment itself, which can prevent a full compromise of the victim\u0026rsquo;s Google Workspace account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Google Workspace device registrations that follow OAuth authorization from a high-risk ASN. Tune the ASN list for your environment: exclude ASNs used by corporate VPNs or otherwise trusted providers, and add any that your own telemetry shows being abused.\u003c/li\u003e\n\u003cli\u003eInvestigate each alert by reviewing \u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003euser.email\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, \u003ccode\u003esource.as.organization.name\u003c/code\u003e, and \u003ccode\u003egoogle_workspace.token.client.id\u003c/code\u003e from the logs, and confirm with the user whether they enrolled the device. If they did not, revoke the OAuth token and the device\u0026rsquo;s access and reset the account\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eReview and restrict OAuth app access policies in Google Workspace so that unapproved applications cannot obtain access to sensitive data.\u003c/li\u003e\n\u003cli\u003eIngest both the \u003ccode\u003egoogle_workspace.token\u003c/code\u003e and \u003ccode\u003egoogle_workspace.device\u003c/code\u003e audit streams; the sequence cannot match if either side is missing.\u003c/li\u003e\n\u003cli\u003eGoogle Workspace audit events can be delivered with a delay. Increase the rule\u0026rsquo;s \u003ccode\u003efrom\u003c/code\u003e (lookback) value as its documentation suggests, so that the second event of the sequence is not missed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T10:29:07Z","date_published":"2026-05-18T10:29:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-google-workspace-device-registration/","summary":"Detects a sequence of events in Google Workspace where OAuth authorization from a suspicious ASN is immediately followed by device registration, potentially indicating attacker-controlled device enrollment after authorization of a sensitive client with the user's credentials, possibly related to Tycoon2FA.","title":"Google Workspace Device Registration After OAuth from Suspicious ASN","url":"https://feed.craftedsignal.io/briefs/2026-05-google-workspace-device-registration/"}],"language":"en","title":"CraftedSignal Threat Feed — Google-Workspace","version":"https://jsonfeed.org/version/1.1"}
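The two-step sequence the brief describes (sensitive-client OAuth authorize from a high-risk ASN, closely followed by a device event with account state REGISTERED for the same user), written out as a small correlator so the matching logic can be run over sample events. This is an added example, not code from the CraftedSignal feed, from Elastic, or from the Sigma rule the brief refers to. The client ID and the ASN list are the ones quoted in the brief; the field names `google_workspace.device.account_state` and the `event.dataset` values, the flat dotted-key event shape, the five-minute window, and every sample event are assumptions constructed for this example.

```python
"""Correlate 'OAuth authorize from high-risk ASN' -> 'device REGISTERED' per user.

Added example (not the feed's or Elastic's code). Client ID and ASN list come from
the brief; device-event field names, the flat dotted-key event shape, the 5-minute
window and all sample events are assumptions.
"""
from datetime import datetime, timedelta

SENSITIVE_CLIENT_ID = "77185425430.apps.googleusercontent.com"
HIGH_RISK_ASNS = {9009, 45102, 215540, 29802, 62240, 204957, 395092}
MAX_SPAN = timedelta(minutes=5)  # assumed meaning of "closely followed"


def _ts(event):
    """Parse an ISO-8601 '@timestamp' (trailing 'Z' means UTC) into a datetime."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def is_suspicious_authorize(event, trusted_asns=frozenset()):
    """First half: authorize of the sensitive client from a risky ASN.

    trusted_asns is the tuning hook the brief recommends: corporate VPN or other
    trusted ASNs are excluded without editing HIGH_RISK_ASNS.
    """
    asn = event.get("source.as.number")
    return (
        event.get("event.dataset") == "google_workspace.token"
        and event.get("event.action") == "authorize"
        and event.get("google_workspace.token.client.id") == SENSITIVE_CLIENT_ID
        and asn in HIGH_RISK_ASNS
        and asn not in trusted_asns
    )


def is_device_registered(event):
    """Second half: a device audit event whose account state is REGISTERED."""
    return (
        event.get("event.dataset") == "google_workspace.device"
        and event.get("google_workspace.device.account_state") == "REGISTERED"
    )


def correlate(events, max_span=MAX_SPAN, trusted_asns=frozenset()):
    """Return one alert per (authorize -> REGISTERED) pair for the same user.email,
    in that order, within max_span. Events are walked in time order, so a
    registration that precedes the authorize does not match."""
    pending = {}  # user.email -> most recent suspicious authorize event
    alerts = []
    for ev in sorted(events, key=_ts):
        user = ev.get("user.email")
        if user is None:
            continue
        if is_suspicious_authorize(ev, trusted_asns):
            pending[user] = ev
        elif is_device_registered(ev) and user in pending:
            auth = pending[user]
            lag = _ts(ev) - _ts(auth)
            if timedelta(0) <= lag <= max_span:
                alerts.append({
                    "user": user,
                    "asn": auth.get("source.as.number"),
                    "source_ip": auth.get("source.ip"),
                    "client_id": auth.get("google_workspace.token.client.id"),
                    "authorize_ts": auth["@timestamp"],
                    "register_ts": ev["@timestamp"],
                    "lag_seconds": int(lag.total_seconds()),
                })
                del pending[user]  # one alert per authorize event
    return alerts


# --- constructed sample events (not real Workspace logs) ---------------------
def _ev(ts, user, dataset, fields):
    e = {"@timestamp": ts, "user.email": user, "event.dataset": dataset}
    e.update(fields)
    return e


def _authorize(ts, user, asn, ip="203.0.113.7"):
    return _ev(ts, user, "google_workspace.token", {
        "event.action": "authorize",
        "google_workspace.token.client.id": SENSITIVE_CLIENT_ID,
        "source.as.number": asn,
        "source.ip": ip,
    })


def _registered(ts, user):
    return _ev(ts, user, "google_workspace.device",
               {"google_workspace.device.account_state": "REGISTERED"})


SAMPLE_EVENTS = [
    # alice: risky ASN, registration 150 s later -> alert
    _authorize("2026-05-18T10:00:00Z", "alice@example.com", 9009),
    _registered("2026-05-18T10:02:30Z", "alice@example.com"),
    # bob: same client, but the ASN is not on the list -> no alert
    _authorize("2026-05-18T10:05:00Z", "bob@example.com", 64496, ip="198.51.100.9"),
    _registered("2026-05-18T10:06:00Z", "bob@example.com"),
    # carol: risky ASN, but registration 20 min later -> outside the window
    _authorize("2026-05-18T11:00:00Z", "carol@example.com", 45102),
    _registered("2026-05-18T11:20:00Z", "carol@example.com"),
    # dave: registration arrives before the authorize -> wrong order
    _registered("2026-05-18T12:00:00Z", "dave@example.com"),
    _authorize("2026-05-18T12:01:00Z", "dave@example.com", 29802),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only alice fires on the sample set; bob's ASN is not on the list, carol's registration falls outside the window, and dave's events are in the wrong order. Passing `trusted_asns={9009}` silences alice, which is the tuning step the brief recommends for known VPN or trusted ASNs. Note that the correlator sorts by event time before matching: with batched or delayed delivery, the authorize and the registration can arrive in different pulls, which is why the brief suggests a larger `from` lookback rather than matching only on arrival order.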