Google Workspace Custom Gmail Route Created or Modified

Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/09/13"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route
for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to
capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default,
all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and
outbound mail.
"""
false_positives = [
    """
    Administrators may create custom email routes in Google Workspace based on organizational policies, administrative
    preference or for security purposes regarding spam.
    """,
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Custom Gmail Route Created or Modified"
note = """## Triage and analysis

### Investigating Google Workspace Custom Gmail Route Created or Modified

Gmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.

Threat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.

This rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.

#### Possible investigation steps

- Identify the user account that created the custom email route and verify that they should have administrative privileges.
- Review the added recipients from the custom email route and confidentiality of potential email contents.
- Identify the user account, then review `event.action` values for related activity within the last 48 hours.
- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.
- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.
- Identified URLs or attachments can be submitted to VirusTotal for reputational services.

### False positive analysis

- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Disable or limit the account during the investigation and response.
- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
    - Identify the account role in the cloud environment.
    - Assess the criticality of affected services and servers.
    - Work with your IT team to identify and minimize the impact on users.
    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
    - Identify any regulatory or legal ramifications related to this activity.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

## Setup

The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information:
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/2685650?hl=en"]
risk_score = 47
rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Google Workspace",
    "Tactic: Collection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING")
  and google_workspace.event.type:"EMAIL_SETTINGS" and google_workspace.admin.setting.name:("EMAIL_ROUTE" or "MESSAGE_SECURITY_RULE")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1114"
name = "Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/"
[[rule.threat.technique.subtechnique]]
id = "T1114.003"
name = "Email Forwarding Rule"
reference = "https://attack.mitre.org/techniques/T1114/003/"



[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
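The following is an added worked example (not part of the Elastic rule or the Google Workspace integration) that shows what the rule's KQL query and its scheduling fields do when applied to audit events. It re-implements the query predicate in Python, applies the `from = "now-130m"` lookback on `event.ingested` (the field named by `timestamp_override`, which is why a log entry Google delivers hours late is still caught as long as it was ingested within the last 130 minutes), and implements the triage step of collecting an actor's `event.action` values within 48 hours of the alerting event. The sample events are constructed; the field `google_workspace.actor.email` and the non-matching setting name `WEB_CLIPS` are assumptions for illustration, not values taken from the rule.

```python
"""Added example: evaluate the rule's predicate, lookback window and a triage pivot
over constructed Google Workspace admin audit events (flattened ECS-style keys)."""
from datetime import datetime, timedelta

# Values mirrored from the rule's query and scheduling fields.
MATCH_ACTIONS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}
MATCH_SETTINGS = {"EMAIL_ROUTE", "MESSAGE_SECURITY_RULE"}
RULE_INTERVAL = timedelta(minutes=10)    # interval = "10m"
RULE_LOOKBACK = timedelta(minutes=130)   # from = "now-130m"

# "Now" for the simulated rule run (constructed).
NOW = datetime.fromisoformat("2024-05-21T12:00:00+00:00")

# Constructed sample events. The "google_workspace.actor.email" key and the
# "WEB_CLIPS" setting name are assumptions for the example, not from the rule.
SAMPLE_EVENTS = [
    {   # Gmail route created; Google surfaced the event ~27h late, ingested 5 min ago
        "@timestamp": "2024-05-20T09:00:00+00:00", "event.ingested": "2024-05-21T11:55:00+00:00",
        "event.dataset": "google_workspace.admin", "event.action": "CREATE_GMAIL_SETTING",
        "google_workspace.event.type": "EMAIL_SETTINGS",
        "google_workspace.admin.setting.name": "EMAIL_ROUTE",
        "google_workspace.actor.email": "admin@example.com",
    },
    {   # Gmail setting changed, but not a routing setting: must not alert
        "@timestamp": "2024-05-21T11:45:00+00:00", "event.ingested": "2024-05-21T11:50:00+00:00",
        "event.dataset": "google_workspace.admin", "event.action": "CHANGE_GMAIL_SETTING",
        "google_workspace.event.type": "EMAIL_SETTINGS",
        "google_workspace.admin.setting.name": "WEB_CLIPS",
        "google_workspace.actor.email": "other-admin@example.com",
    },
    {   # Login dataset: wrong event.dataset, must not alert
        "@timestamp": "2024-05-21T11:57:00+00:00", "event.ingested": "2024-05-21T11:58:00+00:00",
        "event.dataset": "google_workspace.login", "event.action": "login_success",
        "google_workspace.actor.email": "user@example.com",
    },
    {   # Matches the predicate but was ingested ~4h ago: an earlier run already covered it
        "@timestamp": "2024-05-21T08:00:00+00:00", "event.ingested": "2024-05-21T08:05:00+00:00",
        "event.dataset": "google_workspace.admin", "event.action": "CHANGE_GMAIL_SETTING",
        "google_workspace.event.type": "EMAIL_SETTINGS",
        "google_workspace.admin.setting.name": "MESSAGE_SECURITY_RULE",
        "google_workspace.actor.email": "admin@example.com",
    },
    {   # Related admin activity by the same actor, useful for the 48h triage pivot
        "@timestamp": "2024-05-21T11:30:00+00:00", "event.ingested": "2024-05-21T11:40:00+00:00",
        "event.dataset": "google_workspace.admin", "event.action": "GRANT_ADMIN_PRIVILEGE",
        "google_workspace.event.type": "DELEGATED_ADMIN_SETTINGS",
        "google_workspace.actor.email": "admin@example.com",
    },
]


def matches_rule(event: dict) -> bool:
    """Python equivalent of the rule's KQL predicate (all four clauses are AND-ed)."""
    return (
        event.get("event.dataset") == "google_workspace.admin"
        and event.get("event.action") in MATCH_ACTIONS
        and event.get("google_workspace.event.type") == "EMAIL_SETTINGS"
        and event.get("google_workspace.admin.setting.name") in MATCH_SETTINGS
    )


def in_rule_window(event: dict, now: datetime) -> bool:
    """Apply from="now-130m" on event.ingested, as timestamp_override dictates.
    Using ingestion time means Google's reporting lag cannot push a late event
    out of the window; the 130m lookback also overlaps 13 consecutive 10m runs."""
    ingested = datetime.fromisoformat(event["event.ingested"])
    return now - RULE_LOOKBACK <= ingested <= now


def run_rule(events: list, now: datetime) -> list:
    """One scheduled execution of the rule: predicate plus lookback window."""
    return [e for e in events if matches_rule(e) and in_rule_window(e, now)]


def related_actions(events: list, actor: str, around: datetime, hours: int = 48) -> list:
    """Triage pivot: distinct event.action values by the actor within +/- `hours`
    of the alerting event's own @timestamp (the occurrence time, not ingestion)."""
    span = timedelta(hours=hours)
    actions = {
        e["event.action"] for e in events
        if e.get("google_workspace.actor.email") == actor
        and abs(datetime.fromisoformat(e["@timestamp"]) - around) <= span
    }
    return sorted(actions)


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, NOW):
        actor = alert["google_workspace.actor.email"]
        occurred = datetime.fromisoformat(alert["@timestamp"])
        print(f"ALERT {alert['event.action']} {alert['google_workspace.admin.setting.name']} by {actor}")
        print("  related actions (48h):", related_actions(SAMPLE_EVENTS, actor, occurred))
```

Running the script raises exactly one alert (the `EMAIL_ROUTE` creation) even though the `MESSAGE_SECURITY_RULE` change also satisfies the predicate: that event was ingested about four hours before this run and falls outside the 130-minute lookback, so it belongs to an earlier execution. The same mechanism is why shortening the Filebeat `var.interval` matters: the rule can only see what has already been ingested, and the lookback on `event.ingested` only protects against Google-side lag, not against a slow poller.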
