Google-Workspace — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/google-workspace/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 18 May 2026 10:29:07 +0000Google Workspace Device Registration After OAuth from Suspicious ASNhttps://feed.craftedsignal.io/briefs/2026-05-google-workspace-device-registration/Mon, 18 May 2026 10:29:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-google-workspace-device-registration/Detects a sequence of events in Google Workspace where OAuth authorization from a suspicious ASN is immediately followed by device registration, potentially indicating attacker-controlled device enrollment after user authorization of a sensitive client, possibly related to Tycoon2FA.This detection identifies suspicious Google Workspace device registrations potentially linked to compromised accounts or malicious device enrollment. The rule focuses on detecting a specific sequence of events: a user authorizing a Google OAuth client from a high-risk Autonomous System Number (ASN), followed closely by a device registration event with the device’s account state set to “REGISTERED”. The goal is to identify instances where attackers might be using compromised credentials or residential proxies to enroll devices into an organization’s Google Workspace environment after gaining unauthorized OAuth access. This activity has been linked to threat actors such as Tycoon2FA and is further detailed in Elastic’s Google Workspace attack surface research.

Attack Chain

  1. Attacker gains access to user credentials through phishing (T1566.002) or other methods.
  2. Attacker uses compromised credentials to initiate OAuth authorization for a sensitive Google OAuth client (client ID: 77185425430.apps.googleusercontent.com) from a high-risk ASN (e.g., 9009, 45102, 215540, 29802, 62240, 204957, 395092).
  3. User unknowingly grants OAuth permissions to the malicious application.
  4. Immediately following OAuth authorization, the attacker triggers a device registration event within Google Workspace.
  5. The device registration event reports the account state as “REGISTERED,” indicating successful device enrollment.
  6. The attacker can then potentially access sensitive data or perform actions as the user from the newly registered device.
  7. The attacker leverages the registered device for persistence and lateral movement within the Google Workspace environment (T1098.005).
  8. The final objective can include data exfiltration, business email compromise, or further compromise of other accounts and systems within the organization.

Impact

Successful exploitation can lead to unauthorized access to sensitive Google Workspace data, including emails, documents, and applications. This can result in data breaches, financial loss, and reputational damage. The attacker can potentially maintain persistence within the Google Workspace environment, allowing them to continue accessing and manipulating data over an extended period. This rule aims to detect early stages of this attack, potentially preventing a full compromise of the victim’s Google Workspace account.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect suspicious Google Workspace device registrations following OAuth authorization from high-risk ASNs. Tune the rule for your environment based on known VPNs and trusted ASNs.
  • Investigate any alerts generated by the Sigma rule by reviewing user.name, user.email, source.ip, source.as.organization.name, and google_workspace.token.client.id from the logs.
  • Review and restrict OAuth app access policies within Google Workspace to prevent unauthorized applications from gaining access to sensitive data.
  • Monitor Google Workspace google_workspace.token and google_workspace.device audit streams as mentioned in the setup section to ingest relevant events.
  • Consider increasing the from field to account for Google Workspace event lag, as suggested in the documentation.
]]>highadvisorycloudgoogle-workspacepersistenceinitial-accesstycoon2fa