-
Google Workspace Impossible Travel Login
Jun 22, 2026 · Domain: Cloud Domain: Identity Data Source: Google Workspace Data Source: Google Workspace Audit Logs Data Source: Google Workspace User log events Use Case: Threat Detection Use Case: Identity and Access Audit Tactic: Initial Access Tactic: Credential Access Resources: Investigation Guide
Detects successful Google Workspace sign-ins for the same user from two geographically separated locations within a 90-minute window, where the two points are at least 500 km apart and the implied travel speed between them is at least 800 km/h, roughly the cruising speed of a commercial airliner, so the legitimate user could not have physically made the trip in that time. This pattern indicates either VPN/proxy use or an adversary signing in to a compromised account from a different location than the legitimate user.
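To make the two thresholds concrete, here is the check run over a few constructed login events. This is an added example, not the rule's own query: it assumes ECS-style fields (user.name, event.action, a source.geo.location with lat/lon), and the GeoIP coordinates are assumed to be present on each event. Both conditions must hold, so a short hop at high implied speed (GeoIP jitter) and a long trip over a realistic duration are both ignored.

```python
"""Impossible-travel check over Google Workspace login events (added example).

Input events are constructed below; field names follow ECS as used by the
Elastic Google Workspace integration and are an assumption of this example.
"""
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, NamedTuple

EARTH_RADIUS_KM = 6371.0
WINDOW = timedelta(minutes=90)   # pair only logins this close in time
MIN_DISTANCE_KM = 500.0          # ignore short hops (GeoIP jitter, commuting)
MIN_SPEED_KMH = 800.0            # about airliner cruising speed


class Hit(NamedTuple):
    user: str
    first: datetime
    second: datetime
    distance_km: float
    speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: List[dict]) -> List[Hit]:
    """Pair each successful login with later successful logins of the same
    user inside WINDOW; flag pairs that are both far apart and too fast."""
    logins = sorted(
        (e for e in events if e["event.action"] == "login_success"),
        key=lambda e: e["@timestamp"],
    )
    by_user: dict = {}
    for e in logins:
        by_user.setdefault(e["user.name"], []).append(e)

    hits = []
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                dt = b["@timestamp"] - a["@timestamp"]
                if dt > WINDOW:
                    break  # evs is sorted, so later events are further apart in time
                ga, gb = a["source.geo.location"], b["source.geo.location"]
                dist = haversine_km(ga["lat"], ga["lon"], gb["lat"], gb["lon"])
                if dist < MIN_DISTANCE_KM:
                    continue
                hours = dt.total_seconds() / 3600
                speed = dist / hours if hours > 0 else float("inf")
                if speed >= MIN_SPEED_KMH:
                    hits.append(Hit(user, a["@timestamp"], b["@timestamp"], dist, speed))
    return hits


def ev(user: str, action: str, ts: str, lat: float, lon: float) -> dict:
    """Build one constructed login event."""
    return {
        "user.name": user,
        "event.action": action,
        "@timestamp": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        "source.geo.location": {"lat": lat, "lon": lon},
    }


NYC, LON, PHL = (40.7128, -74.0060), (51.5074, -0.1278), (39.9526, -75.1652)

# Constructed sample input (not real log data).
SAMPLE_EVENTS = [
    ev("alice", "login_success", "2026-06-22T10:00:00", *NYC),
    ev("alice", "login_success", "2026-06-22T10:45:00", *LON),  # 45 min, ~5570 km: hit
    ev("bob", "login_success", "2026-06-22T10:00:00", *NYC),
    ev("bob", "login_success", "2026-06-22T10:20:00", *PHL),    # ~130 km: below 500 km
    ev("bob", "login_failure", "2026-06-22T10:30:00", *LON),    # failures are ignored
    ev("carol", "login_success", "2026-06-22T09:00:00", *NYC),
    ev("carol", "login_success", "2026-06-22T12:00:00", *LON),  # 3 h: outside the window
]

if __name__ == "__main__":
    for h in impossible_travel(SAMPLE_EVENTS):
        print(f"{h.user}: {h.distance_km:.0f} km in "
              f"{(h.second - h.first).total_seconds() / 60:.0f} min "
              f"({h.speed_kmh:.0f} km/h)")
```

Only alice is reported. When triaging a hit, check the source ASNs and user agents of both sign-ins before concluding compromise: a corporate VPN egress or a mobile carrier's remote gateway produces the same geometry.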
-
Detects the first time a user authorizes a third-party Google OAuth application that requests identity or sign-in scopes. Adversaries may abuse compromised credentials or phishing-linked consent flows to register novel OAuth clients, obtain refresh tokens, and authenticate as valid users while evading password-only detections.
-
Detects when a super administrator authorizes domain-wide delegation (DWD) API client access for a Google Cloud service account or OAuth client. DWD lets an application impersonate users and access Workspace APIs across the tenant. Adversaries with admin access may register or authorize a malicious client with broad scopes to maintain API-based persistence and access mail, drive, and directory data without relying on a single user's password alone.
-
Application Added to Google Workspace Domain
Detects when an administrator adds a Google Workspace Marketplace application to the domain. Adversaries with administrative access may register a malicious OAuth application to establish long-lived API access to mail, drive, and other Workspace data, maintaining persistence and enabling collection without relying on a single user password alone.
-
Detects when a user copies a Google document, spreadsheet, form, or script from an external Drive into their Workspace Drive and shortly after authorizes a custom Google OAuth application. Adversaries may send spearphishing links with a /copy URI parameter so the victim replicates a malicious object locally. Container-bound Apps Script can then execute on open and prompt the user for OAuth consent, granting the attacker's application access to Workspace data.
-
Domain Added to Google Workspace Trusted Domains
Detects when an administrator adds a domain to the Google Workspace allowlisted (trusted) domains list. Adversaries with administrative access may onboard a domain they control to relax cross-organization sharing restrictions, enabling data collection and exfiltration through Drive, Chat, and other services that honor the tenant trust boundary.
-
Detects when an anonymous user views, copies, or downloads a private key or credential file from Google Drive via an anyone-with-the-link share. Adversaries who obtain or create open Drive links can harvest encryption keys and secrets stored in user drives, then use those materials to decrypt data, authenticate to services, or expand access beyond the initial compromise.
-
Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may modify the organization's authentication policy to weaken its security controls and make compromised passwords usable without a second factor.
-
Google Workspace 2SV Policy Disabled By User
Detects when a Google Workspace user disables 2-step verification (2SV) on their account. An adversary with access to a compromised account may remove 2SV to eliminate the second authentication factor, leaving password-only access and making future sign-ins easier to abuse, relay, or maintain without triggering MFA challenges.
-
Detects when an administrator disables multi-factor authentication enforcement or removes the ability for users to enroll in 2-step verification across a Google Workspace organization or organizational unit. Adversaries with administrative access may weaken tenant-wide authentication requirements to enable password-only sign-ins, facilitate credential abuse at scale, and reduce friction for follow-on account takeover across the domain.
-
Detects when a Google Workspace administrator modifies organization password policy settings. Adversaries with administrative access may weaken password requirements, such as disabling strong password enforcement, allowing password reuse, or reducing minimum length, to increase the success of password spraying and credential stuffing against tenant accounts and to sustain access after initial compromise.
-
Assigning an administrative role to a user or group grants elevated privileges within Google Workspace, including access to the Google Admin console and the ability to manage domain resources and applications. Adversaries may assign administrator roles to an existing account or a newly created account/group to establish persistence, facilitate privilege escalation, and enable follow-on actions across the tenant. In particular, users with Super Admin privileges can bypass single sign-on (SSO) if it is enabled in Google Workspace.
-
Detects when a custom administrative role is deleted in Google Workspace. Adversaries may delete a custom admin role to disrupt delegated administration, remove security team access, or hinder incident response. Deleting a role removes the privileges it granted from all assigned users and groups, which can cause operational impact or blind spots during an active investigation.
-
Detects when a custom administrative role is created in Google Workspace. Unlike prebuilt admin roles, custom roles allow granular selection of privileges across Google services and can be assigned to users or groups. Adversaries may create a custom admin role to craft elevated permissions tailored to their objectives, then assign that role to a compromised or attacker-controlled account to establish persistence and enable follow-on actions such as modifying security controls, granting OAuth access, or changing mail routing.
-
Detects when a custom admin role or its privileges are modified in Google Workspace. Adversaries may add or expand privileges on an existing role to elevate access for assigned users or groups without creating a new role or directly assigning a well-known admin role. Because privilege changes take effect for all principals assigned the role, modifying role permissions can silently expand access across multiple accounts.
-
Application Removed from Blocklist in Google Workspace
Google Workspace administrators may be aware of malicious applications in the Google Workspace Marketplace and block them for user security. An adversary with administrative privileges may remove such an application from the explicit block list so that it can again be distributed to and installed by users. This may also indicate unauthorized use of a previously blocked application by a user holding admin privileges.
-
Google Workspace Bitlocker Setting Disabled
Google Workspace administrators who manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint enrolled in Google Workspace device management.
-
Google Workspace Gmail Routing or Forwarding Rule Created or Modified
Detects when a Gmail routing, mail-forwarding, or custom mail-host setting is created or modified in Google Workspace. Adversaries with administrative access can add Routing rules (also deliver to / change envelope recipient), recipient address map forwarding, or mail hosts and outbound gateways to copy or redirect sensitive email for collection.
-
Google Workspace Restrictions for Marketplace Modified to Allow Any App
Detects when the Google Workspace Marketplace restrictions are changed to allow users to install any application. An adversary may publish a malicious application to the Marketplace, but users in a managed domain cannot install it while installation is restricted. Administrators should restrict Marketplace installation to an allowlist of approved applications. An adversary with administrative access may relax the restriction to allow any app before distributing the malicious application to end users.
-
Forwarded Google Workspace Security Alert
Identifies the occurrence of a security alert from the Google Workspace alert center. The alert center provides an overview of actionable alerts that may be affecting an organization's domain; an alert is a warning of a potential security issue that Google has detected.
-
Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.
-
Detects when a previously suspended user account is restored (unsuspended) in Google Workspace. An adversary may reactivate a suspended account to maintain access to the Google Workspace organization through a valid account.
-
Users in Google Workspace are assigned to an organizational unit (OU), and the service access, policies, and roles that apply to them are inherited from that OU. Adversaries may compromise a valid account and move the user to a different organizational unit, inheriting access to applications and resources that were previously out of reach.
-
Google Workspace Drive Data Transfer or Takeout Export Initiated
Detects when Google Workspace administrators initiate bulk movement or export of user Drive data. This includes admin data transfer requests that reassign a user's Drive files to another account, and Customer Takeout export jobs that package organizational data for download or off-platform transfer. Adversaries with administrative access may abuse these mechanisms to stage or exfiltrate sensitive files.
-
Detects bursts of Google Workspace device registration events for the same user, where three or more distinct "google_workspace.device.id" values are emitted in a one-minute window. Although "DEVICE_REGISTER_UNREGISTER_EVENT" fires routinely on session/sync registration and is not a true physical device enrollment, legitimate user activity typically produces fewer than three distinct device IDs in a single minute. A high-cardinality burst is characteristic of AiTM phishing-kit relays (Tycoon2FA Google variant, EvilGinx phishlets) and stolen-OAuth-token replay tooling, both of which mint a new session attestation per relay or replay attempt.
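The cardinality rule above, as an added example rather than the rule's own query, run over constructed events. It assumes the field names quoted in the description (user.name, event.action, google_workspace.device.id) and a one-minute window anchored at each registration event; once a window crosses the threshold the code skips past it so one burst is reported once rather than once per overlapping window.

```python
"""Distinct device-ID burst detector for DEVICE_REGISTER_UNREGISTER_EVENT
(added example, constructed input; field names are an assumption)."""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Tuple

WINDOW = timedelta(minutes=1)
MIN_DISTINCT_IDS = 3
ACTION = "DEVICE_REGISTER_UNREGISTER_EVENT"


class Burst(NamedTuple):
    user: str
    window_start: datetime
    device_ids: Tuple[str, ...]


def device_id_bursts(events: List[dict]) -> List[Burst]:
    """Report (user, window start, distinct ids) for each one-minute window,
    anchored at a registration event, holding >= MIN_DISTINCT_IDS device ids."""
    regs = sorted(
        (e for e in events if e["event.action"] == ACTION),
        key=lambda e: e["@timestamp"],
    )
    by_user: dict = {}
    for e in regs:
        by_user.setdefault(e["user.name"], []).append(e)

    bursts = []
    for user, evs in by_user.items():
        i = 0
        while i < len(evs):
            start = evs[i]["@timestamp"]
            ids = set()
            j = i
            while j < len(evs) and evs[j]["@timestamp"] - start <= WINDOW:
                ids.add(evs[j]["google_workspace.device.id"])
                j += 1
            if len(ids) >= MIN_DISTINCT_IDS:
                bursts.append(Burst(user, start, tuple(sorted(ids))))
                i = j  # consume the window so overlapping windows are not re-reported
            else:
                i += 1
    return bursts


def ev(user: str, action: str, ts: str, device_id: str = "") -> dict:
    """Build one constructed event."""
    return {
        "user.name": user,
        "event.action": action,
        "@timestamp": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        "google_workspace.device.id": device_id,
    }


# Constructed sample input (not real log data).
SAMPLE_EVENTS = [
    # victim: three different device ids inside 40 seconds -> burst
    ev("victim", ACTION, "2026-06-22T12:00:00", "d-101"),
    ev("victim", ACTION, "2026-06-22T12:00:20", "d-102"),
    ev("victim", ACTION, "2026-06-22T12:00:40", "d-103"),
    ev("victim", "login_success", "2026-06-22T12:00:41"),  # not a registration event
    # normal: two ids in a minute, the third five minutes later -> no burst
    ev("normal", ACTION, "2026-06-22T12:00:00", "d-201"),
    ev("normal", ACTION, "2026-06-22T12:00:30", "d-202"),
    ev("normal", ACTION, "2026-06-22T12:06:00", "d-203"),
    # sync: the same id repeated four times -> one distinct id, no burst
    ev("sync", ACTION, "2026-06-22T12:00:00", "d-301"),
    ev("sync", ACTION, "2026-06-22T12:00:10", "d-301"),
    ev("sync", ACTION, "2026-06-22T12:00:20", "d-301"),
    ev("sync", ACTION, "2026-06-22T12:00:30", "d-301"),
]

if __name__ == "__main__":
    for b in device_id_bursts(SAMPLE_EVENTS):
        print(f"{b.user} at {b.window_start.isoformat()}: {len(b.device_ids)} ids {b.device_ids}")
```

The count is over distinct ids, not events, which is what separates a relay kit minting fresh sessions from a single client re-registering repeatedly.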
-
Detects the first time a Google Workspace user is observed authenticating from a device of a given type (e.g., WINDOWS, MAC, ANDROID, IOS, LINUX) within a historical window. Note that "DEVICE_REGISTER_UNREGISTER_EVENT" events do not represent one-time physical device enrollments; the Google Reports API emits a fresh "google_workspace.device.id" on each event, and the same physical device may produce multiple events per day as sessions/sync renewals occur. The rule therefore surfaces a user authenticating from a new device type, not a new physical device. This is still high-fidelity because adversaries who compromise a Workspace identity via AiTM kits or stolen OAuth refresh tokens frequently relay sessions from device types that diverge from the legitimate user's baseline (e.g., a WINDOWS session appearing for a known macOS user, or simultaneous WINDOWS+MAC sessions within minutes), which is the canonical kit fingerprint. Because the underlying token retains access after password rotation, treat unexpected device-type divergence as a compromise indicator and revoke tokens, not just credentials.
-
Google Workspace User Login with Unusual ASN
May 22, 2026 · Domain: Cloud Domain: Identity Data Source: Google Workspace Data Source: Google Workspace Audit Logs Data Source: Google Workspace User Log Events Use Case: Threat Detection Use Case: Identity and Access Audit Tactic: Initial Access Tactic: Credential Access Resources: Investigation Guide
Detects the first time a Google Workspace user successfully signs in from a given source ASN within a 14-day historical window. Most users have a stable set of egress ASNs (home ISP, corporate VPN, mobile carrier). A new ASN for a user is a meaningful anomaly: it surfaces ISP changes and travel, but it also catches AiTM phishing-kit relays whose egress ASN was never previously associated with the user.
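Both this rule and the new-device-type rule above are first-seen ("new terms") detections keyed on (user, value) with a trailing history window. The following added example, not the rules' own queries, implements that once for any field and runs it on constructed sign-ins for both the source ASN (ECS source.as.number) and the device type (the field name google_workspace.device.type is an assumption). It also shows the cold-start caveat: events before a detection start time only seed the baseline, otherwise the first run alerts on every user.

```python
"""First-seen term detector with a trailing history window
(added example, constructed input; field names are assumptions)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

HISTORY = timedelta(days=14)
ASN_FIELD = "source.as.number"
DEVICE_FIELD = "google_workspace.device.type"


def first_seen(events: List[dict], field: str, detect_from: datetime,
               history: timedelta = HISTORY) -> List[dict]:
    """Return successful logins at or after detect_from whose (user, field
    value) pair was not observed during the preceding `history`. Earlier
    events only build the baseline and are never reported."""
    last: Dict[Tuple[str, object], datetime] = {}
    hits = []
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if e["event.action"] != "login_success":
            continue
        key = (e["user.name"], e[field])
        ts = e["@timestamp"]
        prev = last.get(key)
        if ts >= detect_from and (prev is None or ts - prev > history):
            hits.append(e)
        last[key] = ts  # refresh the window on every sighting
    return hits


def day(n: int, hour: int = 9) -> datetime:
    """Constructed timeline: day n of the sample, at the given hour UTC."""
    return datetime(2026, 5, 1, tzinfo=timezone.utc) + timedelta(days=n, hours=hour)


def ev(user: str, ts: datetime, asn: int, device: str, action: str = "login_success") -> dict:
    return {"user.name": user, "@timestamp": ts, "event.action": action,
            ASN_FIELD: asn, DEVICE_FIELD: device}


DETECT_FROM = day(10)

# Constructed sample input (not real log data).
SAMPLE_EVENTS = [
    ev("alice", day(1), 7922, "MAC"),
    ev("alice", day(5), 7922, "MAC"),
    ev("alice", day(12), 7922, "MAC"),            # known ASN and device type: quiet
    ev("alice", day(12, 10), 13335, "WINDOWS"),   # new ASN and new device type: hit on both
    ev("alice", day(12, 11), 64496, "LINUX", action="login_failure"),  # failures ignored
    ev("bob", day(1), 20115, "ANDROID"),
    ev("bob", day(16), 20115, "ANDROID"),         # 15 days since last sighting: aged out, hit
]

if __name__ == "__main__":
    for field in (ASN_FIELD, DEVICE_FIELD):
        for h in first_seen(SAMPLE_EVENTS, field, DETECT_FROM):
            print(f"{field}: {h['user.name']} first seen with {h[field]} at {h['@timestamp']:%Y-%m-%d %H:%M}")
```

A hit on the ASN and device-type fields for the same sign-in, as in alice's second day-12 login, is the combination the device-type rule calls out; correlate it with the device-id burst rule before revoking tokens.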
-
Detects when a Google Workspace account completes OAuth authorization for a specific Google OAuth client from a high-risk autonomous system number (ASN), followed within 30 seconds by a device registration event with account state REGISTERED. This sequence can indicate device enrollment or join flows initiated from attacker-controlled or residential-proxy infrastructure after a user authorizes a sensitive client.