Skip to content
Threat Feed

Tag

Google_workspace

12 briefs RSS
low advisory

Google Workspace User Organizational Unit Changed

Detects when a Google Workspace user's organizational unit is changed, potentially indicating an adversary attempting to inherit permissions and gain unauthorized access to resources and applications.

Google Workspace cloud google_workspace persistence privilege_escalation
2r 2t
low advisory

Google Workspace Suspended User Account Renewed

Detection of a renewed suspended user account in Google Workspace, potentially indicating an adversary regaining access to the organization.

Google Workspace google_workspace initial_access persistence
2r 2t
medium advisory

External User Added to Google Workspace Group

Detects an external Google Workspace user account being added to an existing group, potentially allowing adversaries to intercept shared files or emails.

Google Workspace google_workspace initial_access persistence cloud
2r 2t
medium advisory

Google Workspace Drive Data Transfer or Takeout Export Initiated

This rule detects when Google Workspace administrators initiate bulk movement or export of user Drive data, including admin data transfer requests and Customer Takeout export jobs which can be abused by adversaries with administrative access to stage or exfiltrate sensitive files.

Google Workspace +1 google_workspace data_exfiltration cloud
2r 2t
medium advisory

Google Workspace Device Registration Burst for Single User

Detects bursts of Google Workspace device registration events for a single user exceeding three distinct device registrations within one minute, indicative of AiTM phishing or stolen OAuth token replay attacks.

Google Workspace google_workspace device_registration persistence initial_access credential_access
1r 3t
medium advisory

Google Workspace User Sign-in from Atypical Device Type

This rule detects when a Google Workspace user authenticates from a device type that hasn't been observed for that user in the past 14 days, potentially indicating account compromise via AiTM kits or stolen OAuth refresh tokens.

Google Workspace google_workspace persistence account_compromise device_registration
2r 2t
medium advisory

Google Workspace Application Removed from Blocklist

An adversary with Google Workspace administrative privileges may remove an application from the explicit blocklist to enable its distribution and usage, potentially indicating unauthorized activity and defense evasion.

Google Workspace google_workspace defense_evasion cloud
2r 2t
medium advisory

Google Workspace BitLocker Setting Disabled

Detection of Google Workspace administrators disabling the BitLocker setting, potentially allowing adversaries with valid account access to decrypt sensitive data on managed Windows devices.

Google Workspace +2 google_workspace bitlocker defense_evasion
2r 2t
medium advisory

External User Added to Google Workspace Group

Detection of an external Google Workspace user account being added to an existing group, potentially indicating an adversary attempting to intercept shared files or emails by adding accounts where the domain name of the target doesn't match the Google Workspace domain.

Google Workspace google_workspace initial_access account_manipulation
2r 2t
medium advisory

GSuite Suspicious File Share with Phishing Filenames

This analytic detects suspicious file sharing activity in Google Workspace where files are shared with names commonly associated with phishing campaigns, such as 'invoice,' 'shipment,' or 'delivery', potentially leading to credential theft or malware infection.

Google Workspace +1 phishing gsuite google_workspace
2r 1t
low advisory

Google Workspace Suspended User Account Renewed

Detection of a renewed, previously suspended user account in Google Workspace, potentially indicating unauthorized access or persistence by an adversary.

Google Workspace google_workspace initial_access persistence
2r 3t
medium advisory

Google Workspace Marketplace Restrictions Modified to Allow Any App

An adversary may modify Google Workspace Marketplace restrictions to allow installation of any application, potentially enabling the deployment of malicious APKs to end users within the Google Workspace environment, bypassing security restrictions.

Google Workspace google_workspace defense_evasion cloud
2r 2t