
Huntress Managed ITDR for Google Workspace: Defending the New Identity Attack Surface

Threat actors are increasingly targeting Google Workspace as a foundational identity layer to pivot into interconnected SaaS applications. Modern attacks bypass traditional endpoint defenses by utilizing stolen credentials, OAuth abuse, and malicious inbox rules to conduct Business Email Compromise (BEC) and maintain persistent access.

Confidence: high | Analyzed: 2026-03-24 | reports
Actors: Business Email Compromise

Source:Huntress

Key Takeaways

  • Google Workspace is increasingly targeted as a root identity layer to pivot into interconnected SaaS applications.
  • Modern BEC campaigns rely on multi-stage identity attacks, bypassing traditional malware and endpoint defenses.
  • Attackers frequently use malicious Gmail filter rules to hide security alerts and maintain stealth.
  • Threat actors often route authentication through datacenter infrastructure and proxies to obscure their origins.
  • OAuth and consent phishing are replacing traditional credential theft as primary initial access vectors.

Affected Systems

  • Google Workspace
  • Gmail
  • SaaS Integrations (via SSO/OAuth)

Attack Chain

Attackers gain initial access via stolen credentials, session hijacking, or OAuth abuse. They conduct discovery by reviewing emails for financial workflows and vendor relationships. To maintain stealth, they create Gmail filter rules that delete or archive security notifications. Finally, they execute fraud or phishing campaigns while establishing persistence through forwarding rules and backup access paths.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article discusses behavioral detection concepts for Google Workspace, such as monitoring for malicious inbox rules and datacenter logins, but does not provide specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: None — The attacks occur entirely within cloud identity and SaaS platforms (Google Workspace), bypassing traditional endpoint detection and response tools.
  • Network Visibility: Low — Traffic is encrypted and occurs between cloud providers or from attacker infrastructure directly to Google, not traversing the corporate network perimeter.
  • Detection Difficulty: Moderate — Requires behavioral analytics to distinguish legitimate user activity from attacker actions, such as identifying unusual login locations or suspicious inbox rule creation.

Required Log Sources

  • Google Workspace Admin Audit Logs
  • Google Workspace Login Audit Logs
  • Google Workspace OAuth Token Audit Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Attackers are creating Gmail filter rules to delete or archive messages containing security alerts or MFA codes. | Google Workspace Admin/Email Logs | Defense Evasion | Low
Authentication events for user accounts are originating from known datacenter IP ranges, VPNs, or proxy services rather than typical residential or corporate ISPs. | Google Workspace Login Logs | Initial Access | Medium
Users are granting OAuth consent to unverified or suspicious third-party applications. | Google Workspace OAuth Logs | Credential Access | Medium
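The three hypotheses above, and the Key Behavioral Indicators listed later, can be turned into hunting logic that runs over exported Workspace audit events. The script below is an added example, not code from the Huntress article or from Google; the event schema (type, user, ip, criteria, actions, client_id, scopes), the datacenter prefixes, the approved client ID and the sample events are all constructed for illustration and would be replaced by your own Reports API export, ASN feed and OAuth allowlist. It also goes one step beyond the table: because each hypothesis alone carries medium false-positive risk, it correlates hits per user and escalates only accounts that trip more than one hypothesis, which is what the "multi-stage identity attack" framing implies.

```python
"""Hunt for hiding filters, datacenter logins and risky OAuth consents in
constructed Google Workspace-style audit events, then correlate per user."""
import ipaddress
import re
from collections import defaultdict

# Subject/sender keywords a malicious Gmail filter typically targets
# (security alerts and MFA/verification mail).
SECURITY_KEYWORDS = re.compile(
    r"(security alert|verification code|sign-in|new device|password|suspicious)",
    re.IGNORECASE,
)
# Filter actions that make a matching message disappear from the user's view.
HIDING_ACTIONS = {"delete", "archive", "mark_read", "skip_inbox"}

# Assumed hosting/datacenter prefixes (documentation ranges used here);
# in practice derive these from an ASN feed of providers your users never use.
DATACENTER_PREFIXES = [
    ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")
]
# Assumed set of OAuth client IDs the organisation has reviewed and approved.
APPROVED_OAUTH_CLIENTS = {"123456789012-approved.apps.googleusercontent.com"}
# Scopes that give an app the same reach as a compromised mailbox.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.settings.basic",
}


def suspicious_filter(event):
    """Hypothesis 1: a filter matching security keywords whose action hides mail."""
    if event.get("type") != "gmail_filter_created":
        return None
    criteria = " ".join(str(v) for v in event.get("criteria", {}).values())
    hiding = set(event.get("actions", [])) & HIDING_ACTIONS
    if SECURITY_KEYWORDS.search(criteria) and hiding:
        return f"filter hides mail matching {criteria!r} via {sorted(hiding)}"
    return None


def datacenter_login(event):
    """Hypothesis 2: a successful login sourced from a datacenter prefix."""
    if event.get("type") != "login_success":
        return None
    ip = ipaddress.ip_address(event["ip"])
    for net in DATACENTER_PREFIXES:
        if ip in net:
            return f"login from datacenter prefix {net}"
    return None


def risky_oauth_grant(event):
    """Hypothesis 3: consent to an unapproved app asking for mailbox-level scopes."""
    if event.get("type") != "oauth_authorize":
        return None
    client = event["client_id"]
    sensitive = set(event.get("scopes", [])) & SENSITIVE_SCOPES
    if client not in APPROVED_OAUTH_CLIENTS and sensitive:
        return f"unapproved app {client} granted {sorted(sensitive)}"
    return None


CHECKS = (
    ("hiding_filter", suspicious_filter),
    ("datacenter_login", datacenter_login),
    ("oauth_consent", risky_oauth_grant),
)


def hunt(events):
    """Return (user, hypothesis, reason) for every event that trips a check."""
    findings = []
    for ev in events:
        for name, check in CHECKS:
            reason = check(ev)
            if reason:
                findings.append((ev["user"], name, reason))
    return findings


def escalated_users(findings):
    """Users that trip two or more distinct hypotheses: strong signal, low FP."""
    per_user = defaultdict(set)
    for user, hypothesis, _ in findings:
        per_user[user].add(hypothesis)
    return sorted(u for u, hs in per_user.items() if len(hs) >= 2)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "login_success", "user": "alice", "ip": "203.0.113.45"},
    {"type": "gmail_filter_created", "user": "alice",
     "criteria": {"from": "no-reply@accounts.google.com", "subject": "security alert"},
     "actions": ["mark_read", "delete"]},
    {"type": "login_success", "user": "bob", "ip": "192.0.2.10"},
    {"type": "gmail_filter_created", "user": "bob",
     "criteria": {"from": "newsletter@example.com"}, "actions": ["archive"]},
    {"type": "oauth_authorize", "user": "carol",
     "client_id": "987654321098-unknown.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/"]},
    {"type": "oauth_authorize", "user": "dave",
     "client_id": "123456789012-approved.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/"]},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print("escalate:", escalated_users(hunt(SAMPLE_EVENTS)))
```

On the sample data, alice trips both the datacenter-login and hiding-filter checks and is escalated, carol's consent to an unapproved mailbox-scope app is a single medium-confidence hit, and bob's newsletter filter and dave's approved app produce nothing. The per-user correlation is the piece worth keeping when you port this to real logs: a lone datacenter login is often a VPN user, but a datacenter login followed by a filter that hides Google's own security mail is the pattern the article describes.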

Control Gaps

  • Endpoint-only visibility
  • Lack of post-authentication behavioral monitoring in SaaS environments

Key Behavioral Indicators

  • Creation of inbox rules targeting security keywords
  • Logins from datacenter ASNs
  • Unexpected OAuth application consent
  • Password resets triggered from unusual infrastructure

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Review Google Workspace environments for suspicious inbox rules that delete or archive emails.
  • Audit active sessions and revoke access from unrecognized or suspicious IP addresses/ASNs.

Infrastructure Hardening

  • Restrict third-party OAuth application consent to approved applications only.
  • Implement conditional access policies restricting logins from known datacenter or anonymizer IP ranges.

User Protection

  • Enforce phishing-resistant MFA (like FIDO2/WebAuthn) for all Google Workspace accounts.
  • Monitor for and alert on password reset events originating from unusual locations.

Security Awareness

  • Train users on the risks of OAuth consent phishing and how to verify third-party application requests.
  • Educate employees on modern BEC tactics that do not rely on malicious payloads or attachments.

MITRE ATT&CK Mapping

  • T1078 - Valid Accounts
  • T1566 - Phishing
  • T1528 - Steal Application Access Token
  • T1564.008 - Hide Artifacts: Email Hiding Rules
  • T1114.003 - Email Collection: Email Forwarding Rule
  • T1550.004 - Use Alternate Authentication Material: Web Session Cookie