Google Workspace custom Gmail routing changed
Description
AlphaSOC detected a change to Gmail routing or message security settings via
CREATE_GMAIL_SETTING or CHANGE_GMAIL_SETTING where SETTING_NAME matches
EMAIL_ROUTE or MESSAGE_SECURITY_RULE. These settings control mail flow,
routing paths, and message processing rules. Legitimate administrators modify
routing for mail hygiene or compliance, but adversaries can alter routes to
intercept, redirect, or prevent delivery of messages.
Impact
Unauthorized routing changes can enable interception or redirection of corporate email, loss of delivered messages, or bypassing of security controls (DLP, anti-phishing). This can lead to sensitive data exposure, failed delivery of alerts, or persistence via mail flow changes.
Severity
| Severity | Condition |
|---|---|
| Low | Google Workspace custom Gmail routing changed |
Investigation and Remediation
Review the audit event parameters to determine the SETTING_NAME, the
NEW_VALUE, and the actor who made the change. Correlate with change tickets
and business approvals. If unauthorized, revert the routing change, validate
mail flow, and review mailbox logs for signs of interception or unusual
forwarding. Harden change control for mail routing, require approvals, and limit
who can change mail routing and message security rules.
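The detection condition above, and the triage fields the investigation step asks for (SETTING_NAME, NEW_VALUE, actor), as an added example that is not AlphaSOC's own detection code. It assumes Admin SDK Reports API "admin" activity records (actor.email, events[].name, events[].parameters[] as name/value pairs) and runs over constructed sample records:

```python
import json

# Event names and SETTING_NAME values named in the detection description
ROUTING_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}
ROUTING_SETTINGS = {"EMAIL_ROUTE", "MESSAGE_SECURITY_RULE"}

# Constructed sample records shaped like Reports API admin activity entries
# (assumed layout: actor.email, events[].name, events[].parameters[]).
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-05-01T09:12:00Z"}, "actor": {"email": "admin@example.com"},
     "events": [{"name": "CHANGE_GMAIL_SETTING", "parameters": [
         {"name": "SETTING_NAME", "value": "EMAIL_ROUTE"},
         {"name": "OLD_VALUE", "value": "Route to primary mail server"},
         {"name": "NEW_VALUE", "value": "Route to relay.example.net"}]}]},
    {"id": {"time": "2024-05-01T09:15:00Z"}, "actor": {"email": "admin@example.com"},
     "events": [{"name": "CHANGE_GMAIL_SETTING", "parameters": [
         {"name": "SETTING_NAME", "value": "SIGNATURE"},   # not a routing setting
         {"name": "NEW_VALUE", "value": "Corp footer"}]}]},
    {"id": {"time": "2024-05-01T09:20:00Z"}, "actor": {"email": "helpdesk@example.com"},
     "events": [{"name": "CREATE_GMAIL_SETTING", "parameters": [
         {"name": "SETTING_NAME", "value": "MESSAGE_SECURITY_RULE"},
         {"name": "NEW_VALUE", "value": "Skip spam filter for listed senders"}]}]},
]

def params_to_dict(parameters):
    """Flatten the Reports API parameter list into a {name: value} mapping."""
    return {p.get("name"): p.get("value") for p in parameters or []}

def find_routing_changes(activities):
    """Return one finding per event matching the detection condition, with the
    actor, timestamp and old/new values an analyst needs for triage."""
    findings = []
    for act in activities:
        actor = (act.get("actor") or {}).get("email", "unknown")
        when = (act.get("id") or {}).get("time", "unknown")
        for ev in act.get("events", []):
            if ev.get("name") not in ROUTING_EVENTS:
                continue
            p = params_to_dict(ev.get("parameters"))
            if p.get("SETTING_NAME") not in ROUTING_SETTINGS:
                continue
            findings.append({
                "time": when, "actor": actor, "event": ev["name"],
                "setting": p["SETTING_NAME"],
                "old_value": p.get("OLD_VALUE"), "new_value": p.get("NEW_VALUE"),
            })
    return findings

if __name__ == "__main__":
    for finding in find_routing_changes(SAMPLE_ACTIVITIES):
        print(json.dumps(finding))
```

Each finding carries the actor and the old/new values so it can be matched against change tickets before deciding whether to revert.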