Google Workspace Login Attempt with Government Attack Warning

hello@craftedsignal.io — Tue, 28 Apr 2026 00:48:14 +0000

This alert focuses on identifying potentially malicious login attempts within Google Workspace environments. The detection is based on Google’s own flagging of a login as a potential “gov_attack_warning,” suggesting that Google’s threat intelligence attributes the activity to a government-backed actor. While specific targeting information is unavailable, this alert highlights a critical area for investigation within organizations utilizing Google Workspace, especially those handling sensitive data or operating in sectors of interest to nation-state actors. This detection provides an early warning of potential compromise or data exfiltration attempts.

Attack Chain

Initial Access: An attacker attempts to log into a Google Workspace account using compromised or brute-forced credentials.
Login Attempt: The login attempt triggers a “gov_attack_warning” within Google Workspace, indicating a potential government-backed threat actor.
Privilege Escalation (Potential): If the compromised account has elevated privileges, the attacker may attempt to escalate privileges within the Google Workspace environment.
Defense Evasion (Potential): The attacker may attempt to disable security features or modify audit logs to evade detection.
Persistence (Potential): The attacker may establish persistent access through methods such as creating rogue apps or modifying account settings.
Data Access: The attacker gains access to sensitive data stored within Google Workspace, such as documents, emails, and files.
Exfiltration (Potential): The attacker exfiltrates the stolen data to an external location.
Impact: The organization suffers a data breach, reputational damage, and potential financial losses.

Impact

A successful attack could lead to the compromise of sensitive data within the Google Workspace environment, including confidential documents, emails, and other business-critical information. The potential consequences range from reputational damage and legal liabilities to financial losses and disruption of business operations. The number of affected users and the severity of the impact will depend on the scope of the attacker’s access and the sensitivity of the compromised data.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect “gov_attack_warning” events in Google Workspace logs.
Investigate any triggered alerts promptly, focusing on the affected user account and associated activity.
Review the Google Workspace audit logs for any suspicious activity leading up to the “gov_attack_warning” event.
Implement multi-factor authentication (MFA) for all Google Workspace accounts, especially those with elevated privileges.
Monitor Google Workspace activity logs for suspicious patterns, such as unusual login locations, failed login attempts, and changes to account settings.

OpenCanary Telnet Login Attempt

hello@craftedsignal.io — Sat, 26 Oct 2024 14:30:00 +0000

OpenCanary is a low-interaction honeypot designed to detect attackers on a network. This detection focuses on Telnet login attempts, a protocol rarely used legitimately in modern networks and thus a strong indicator of malicious activity. When an attacker attempts to log into a Telnet service on an OpenCanary node, it triggers this alert. This provides early warning of potential intrusion attempts, reconnaissance activities, or lateral movement by attackers who have already gained a foothold. The detection is based on OpenCanary’s logging functionality which records such login attempts, generating a log event with code 6001. This event signifies an attacker interacting with the Telnet service, which is unlikely in a well-secured and properly configured environment.

Attack Chain

Attacker scans the network for open ports, identifying a Telnet service.
Attacker attempts to connect to the Telnet service on the OpenCanary node.
Attacker enters credentials (username and password) in an attempt to authenticate.
OpenCanary logs the Telnet login attempt, generating an event with logtype 6001.
The detection rule triggers based on the OpenCanary log event.
Security team investigates the alert to determine the source and intent of the Telnet login attempt.
If the attempt is malicious, the security team takes steps to block the attacker and prevent further access.

Impact

A successful Telnet login could provide an attacker with unauthorized access to the network or specific systems. While Telnet itself may not grant immediate access to sensitive data, it can be used as a stepping stone for further exploitation and lateral movement. The compromise of even a single system can lead to data breaches, ransomware deployment, and significant disruption of services. OpenCanary serves as an early warning system, allowing defenders to identify and respond to such attempts before significant damage occurs.

Recommendation

Deploy the Sigma rule OpenCanary - Telnet Login Attempt to your SIEM to detect unauthorized Telnet login attempts.
Investigate any alerts generated by the OpenCanary - Telnet Login Attempt rule to determine the source and intent of the connection.
Review the OpenCanary configuration to ensure it is properly deployed and monitoring the appropriate network segments.
Consider disabling the Telnet service on all legitimate systems on the network to reduce the attack surface.

Intrusion — CraftedSignal Threat Feed

Google Workspace Login Attempt with Government Attack Warning

Attack Chain

Impact

Recommendation

OpenCanary Telnet Login Attempt

Attack Chain

Impact

Recommendation