EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Google Workspace Government Attack Warning

Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor

MITRE ATT&CK

T1078
privilege-escalationpersistenceinitial-accessimpact

Detection Query

selection:
  protoPayload.serviceName: login.googleapis.com
  protoPayload.metadata.event.eventName: gov_attack_warning
condition: selection

Author

Tom Kluter

Created

2026-04-28

Data Sources

gcpgoogle_workspace.login

Platforms

gcp

References

Tags

attack.privilege-escalationattack.persistenceattack.initial-accessattack.impactattack.stealthattack.t1078
Raw Content
title: Google Workspace Government Attack Warning
id: eafe6f2b-cfec-4612-aec2-49563c33a087
status: experimental
description: Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#gov_attack_warning
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.impact
    - attack.stealth
    - attack.t1078
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.serviceName: 'login.googleapis.com'
        protoPayload.metadata.event.eventName: 'gov_attack_warning'
    condition: selection
falsepositives:
    - Unknown
level: medium