Google Workspace Custom Gmail Route Created or Modified
Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts is routed through a domain's mail server for inbound and outbound mail.
Elastic rule
```toml
[metadata]
creation_date = "2022/09/13"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/09/23"

[rule]
author = ["Elastic"]
description = """
Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route
for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to
capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default,
all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and
outbound mail.
"""
false_positives = [
    """
    Administrators may create custom email routes in Google Workspace based on organizational policies, administrative
    preference or for security purposes regarding spam.
    """,
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Custom Gmail Route Created or Modified"
note = """## Triage and analysis

### Investigating Google Workspace Custom Gmail Route Created or Modified

Gmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.

Threat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.

This rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.

#### Possible investigation steps

- Identify the user account that created the custom email route and verify that they should have administrative privileges.
- Review the added recipients from the custom email route and confidentiality of potential email contents.
- Identify the user account, then review `event.action` values for related activity within the last 48 hours.
- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.
- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.
- Identified URLs or attachments can be submitted to VirusTotal for reputational services.

### False positive analysis

- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Disable or limit the account during the investigation and response.
- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
    - Identify the account role in the cloud environment.
    - Assess the criticality of affected services and servers.
    - Work with your IT team to identify and minimize the impact on users.
    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
    - Identify any regulatory or legal ramifications related to this activity.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

## Setup

The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information:
    - https://support.google.com/a/answer/7061566
    - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = [
    "https://support.google.com/a/answer/2685650?hl=en",
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
]
risk_score = 47
rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Google Workspace",
    "Tactic: Collection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING")
  and google_workspace.event.type:"EMAIL_SETTINGS" and google_workspace.admin.setting.name:("EMAIL_ROUTE" or "MESSAGE_SECURITY_RULE")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1114"
name = "Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/"
[[rule.threat.technique.subtechnique]]
id = "T1114.003"
name = "Email Forwarding Rule"
reference = "https://attack.mitre.org/techniques/T1114/003/"



[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
```
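As an added example (this is not code from the Elastic rule or its repository), the following Python re-implements the rule's KQL query as plain predicates and runs it over a few constructed ECS-shaped `google_workspace.admin` events, including one that Google surfaced two days late. It shows which combinations of `event.action` and `google_workspace.admin.setting.name` alert, and why the rule's `timestamp_override = "event.ingested"` matters given the event lag described in the Setup section: the 130-minute lookback is measured from ingestion time, so a late-arriving event is still evaluated on the first run after it lands. The field names are those used in the query; every event value, the placeholder setting and action names, the `user.email` field and the `NOW` run time are constructed assumptions for the example.

```python
"""Added example, not part of the Elastic rule or its repository.

Re-implements the rule's KQL query as plain Python predicates and runs it
over constructed ECS-shaped Google Workspace admin events, so the matching
logic and the effect of `timestamp_override = "event.ingested"` can be seen
offline. Field names are the ones used in the rule's query; every event
value below is constructed for the example.
"""
from datetime import datetime, timedelta, timezone

# Value sets taken directly from the rule's query.
MATCHING_ACTIONS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}
MATCHING_SETTINGS = {"EMAIL_ROUTE", "MESSAGE_SECURITY_RULE"}
LOOKBACK = timedelta(minutes=130)  # from = "now-130m"


def matches_rule(event: dict) -> bool:
    """Equivalent of the rule's KQL query for one event (flattened field names)."""
    return (
        event.get("event.dataset") == "google_workspace.admin"
        and event.get("event.action") in MATCHING_ACTIONS
        and event.get("google_workspace.event.type") == "EMAIL_SETTINGS"
        and event.get("google_workspace.admin.setting.name") in MATCHING_SETTINGS
    )


def in_rule_window(event: dict, now: datetime, lookback: timedelta = LOOKBACK) -> bool:
    """The rule sets timestamp_override = "event.ingested", so the lookback
    window is measured from when Elastic ingested the event, not from the
    Google-side @timestamp. An event Google surfaced days late is therefore
    still evaluated on the first run after it arrives."""
    ingested = datetime.fromisoformat(event["event.ingested"])
    return now - lookback <= ingested <= now


def run_rule(events: list, now: datetime) -> list:
    """Return the events that would raise an alert on a rule run executed at `now`."""
    return [e for e in events if matches_rule(e) and in_rule_window(e, now)]


# Constructed sample data: the run time and five events, none taken from a real tenant.
NOW = datetime(2024, 9, 23, 12, 0, tzinfo=timezone.utc)

SAMPLE_EVENTS = [
    {   # New domain-wide route; Google surfaced it ~2 days late, ingested 10 minutes ago -> alert.
        "@timestamp": "2024-09-21T09:00:00+00:00",
        "event.ingested": "2024-09-23T11:50:00+00:00",
        "event.dataset": "google_workspace.admin",
        "event.action": "CREATE_GMAIL_SETTING",
        "google_workspace.event.type": "EMAIL_SETTINGS",
        "google_workspace.admin.setting.name": "EMAIL_ROUTE",
        "user.email": "admin-a@example.com",
    },
    {   # Existing routing/compliance rule modified -> alert.
        "@timestamp": "2024-09-23T11:30:00+00:00",
        "event.ingested": "2024-09-23T11:40:00+00:00",
        "event.dataset": "google_workspace.admin",
        "event.action": "CHANGE_GMAIL_SETTING",
        "google_workspace.event.type": "EMAIL_SETTINGS",
        "google_workspace.admin.setting.name": "MESSAGE_SECURITY_RULE",
        "user.email": "admin-b@example.com",
    },
    {   # Some other Gmail setting (constructed placeholder name) -> no alert.
        "@timestamp": "2024-09-23T11:35:00+00:00",
        "event.ingested": "2024-09-23T11:45:00+00:00",
        "event.dataset": "google_workspace.admin",
        "event.action": "CHANGE_GMAIL_SETTING",
        "google_workspace.event.type": "EMAIL_SETTINGS",
        "google_workspace.admin.setting.name": "CONSTRUCTED_OTHER_SETTING",
        "user.email": "admin-c@example.com",
    },
    {   # Route setting touched by an action the query does not list (constructed placeholder) -> no alert.
        "@timestamp": "2024-09-23T11:36:00+00:00",
        "event.ingested": "2024-09-23T11:46:00+00:00",
        "event.dataset": "google_workspace.admin",
        "event.action": "CONSTRUCTED_OTHER_ACTION",
        "google_workspace.event.type": "EMAIL_SETTINGS",
        "google_workspace.admin.setting.name": "EMAIL_ROUTE",
        "user.email": "admin-d@example.com",
    },
    {   # Matching route change ingested 3 hours ago: outside this run's 130m window.
        # It was evaluated by an earlier run; consecutive 10m runs overlap by 120m.
        "@timestamp": "2024-09-23T08:55:00+00:00",
        "event.ingested": "2024-09-23T09:00:00+00:00",
        "event.dataset": "google_workspace.admin",
        "event.action": "CREATE_GMAIL_SETTING",
        "google_workspace.event.type": "EMAIL_SETTINGS",
        "google_workspace.admin.setting.name": "EMAIL_ROUTE",
        "user.email": "admin-e@example.com",
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS, NOW):
        print(f"ALERT {hit['event.action']} on {hit['google_workspace.admin.setting.name']} by {hit['user.email']}")
```

Running the block prints two alerts (for `admin-a` and `admin-b`). The late event for `admin-a` is the one worth noting during triage: its `@timestamp` is two days older than the alert, which is normal under the lag Google documents and is why the triage guide above suggests reviewing the admin's other `event.action` values over a 48-hour window rather than only around the alert time.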
Related rules
- Google Drive Ownership Transferred via Google Workspace
- Application Added to Google Workspace Domain
- Application Removed from Blocklist in Google Workspace
- Domain Added to Google Workspace Trusted Domains
- External User Added to Google Workspace Group