Google Workspace user forwarding email out of non Google Workspace domain

gsuite

Classification:

attack

Tactic:

Technique:

Set up the gsuite integration.

Goal

Create a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.

Strategy

Monitor Google Workspace logs to detect email_forwarding_out_of_domain events.

Triage and response

  1. Determine if the email address defined in @event.parameters.email_forwarding_destination_address is legitimate.
  2. If the forwarding destination address is not legitimate, review all activity for {{@usr.email}} and all activity around the following IP: {{@network.client.ip}}.
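
The two triage steps above, sketched as an added Python example that is not part of the original rule or the vendor's code: it filters constructed log records for the forwarding event, clears destinations on a vetted list, and groups the rest by user and client IP for follow-up. The record layout, the "name" key under "event", and the approved-domain allowlist are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample events. The nesting mirrors the attribute paths named in
# the rule (event.parameters..., usr.email, network.client.ip); the "name" key
# under "event" and the allowlist below are assumptions made for this example.
SAMPLE_LOGS = """
{"event": {"name": "email_forwarding_out_of_domain", "parameters": {"email_forwarding_destination_address": "alice.backup@partner.example"}}, "usr": {"email": "alice@corp.example"}, "network": {"client": {"ip": "198.51.100.7"}}}
{"event": {"name": "login_success", "parameters": {}}, "usr": {"email": "bob@corp.example"}, "network": {"client": {"ip": "203.0.113.9"}}}
{"event": {"name": "email_forwarding_out_of_domain", "parameters": {"email_forwarding_destination_address": "Drop.Box@Mail.Example"}}, "usr": {"email": "bob@corp.example"}, "network": {"client": {"ip": "203.0.113.9"}}}
{"event": {"name": "email_forwarding_out_of_domain", "parameters": {}}, "usr": {"email": "carol@corp.example"}, "network": {"client": {"ip": "192.0.2.44"}}}
"""

APPROVED_DOMAINS = {"partner.example"}  # hypothetical: domains the org has vetted

def dig(record, path):
    """Walk a dotted path through nested dicts; return None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(record, dict):
            return None
        record = record.get(key)
    return record

def triage(lines, approved=APPROVED_DOMAINS):
    """Return {(user, ip): [destinations]} for forwarding events needing review."""
    review = defaultdict(list)
    for line in filter(None, map(str.strip, lines.splitlines())):
        rec = json.loads(line)
        if dig(rec, "event.name") != "email_forwarding_out_of_domain":
            continue
        dest = dig(rec, "event.parameters.email_forwarding_destination_address")
        # A missing or malformed destination cannot be cleared, so it is kept for review.
        domain = dest.rsplit("@", 1)[1].lower() if dest and "@" in dest else None
        if domain in approved:
            continue
        key = (dig(rec, "usr.email"), dig(rec, "network.client.ip"))
        review[key].append(dest)
    return dict(review)

if __name__ == "__main__":
    for (user, ip), dests in triage(SAMPLE_LOGS).items():
        print(f"review {user} from {ip}: forwarding to {dests}")
```

Each key in the result is the user and IP pair whose wider activity step 2 says to review.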