<  Back to rules search

Google Workspace user forwarding email out of non Google Workspace domain

gsuite

Classification:

attack

Tactic:

Technique:

Set up the gsuite integration.

Goal

Create a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.

Strategy

Monitor Google Workspace logs to detect when email_forwarding_out_of_domain events.

Triage and response

  1. Determine if the email address defined in @event.parameters.email_forwarding_destination_address is legitimate.
  2. If the forwarding destination address is not legitimate, review all activity for {{@usr.email}} and all activity around the following IP: {{@network.client.ip}}.