Google Workspace data transfer request created
Description
AlphaSOC detected an audit event matching CREATE_DATA_TRANSFER_REQUEST where
the USER_EMAIL and DESTINATION_USER_EMAIL belong to different registered
domains. Adversaries can abuse data transfer requests to move or exfiltrate
large volumes of user data to an external account.
Impact
A successful transfer can expose mail, drive, and other account data to an external organization or attacker-controlled account, enabling data exfiltration, credential harvesting from transferred content, and potential lateral movement if transferred accounts are accessible to attackers.
Severity
| Severity | Condition |
|---|---|
| Low | Google Workspace data transfer request created |
Investigation and Remediation
Review the Google Workspace audit logs for the CREATE_DATA_TRANSFER_REQUEST
event and inspect USER_EMAIL and DESTINATION_USER_EMAIL. Validate the
transfer request with the requesting user and the destination organization;
check for anomalous requester IPs, recently created accounts, or unexpected
admin activity. If unauthorized, cancel the transfer, revoke any resulting data
access, reset affected user credentials, and rotate any exposed service account
keys.
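
The cross-domain condition from the description can be reproduced during triage with the sketch below. This is an added example, not AlphaSOC's detection code. It assumes the audit records follow the Admin SDK Reports API activity layout, and it uses a small constructed suffix set in place of the full Public Suffix List; the helper names and sample records are hypothetical.

```python
# Added example. Assumption: records follow the Admin SDK Reports API activity
# layout (actor, ipAddress, events[].name, events[].parameters[]).
# Assumption: MULTI_LABEL_SUFFIXES is a small stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registered_domain(email):
    """Return the registrable domain of an address, or None if it is malformed."""
    local, sep, host = (email or "").strip().lower().rpartition("@")
    labels = [label for label in host.rstrip(".").split(".") if label]
    if not sep or not local or len(labels) < 2:
        return None
    multi = ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3
    return ".".join(labels[-3:] if multi else labels[-2:])

def cross_domain_transfers(activity):
    """Return one finding per transfer request whose two domains differ."""
    findings = []
    for event in activity.get("events", []):
        if event.get("name") != "CREATE_DATA_TRANSFER_REQUEST":
            continue
        params = {p.get("name"): p.get("value") for p in event.get("parameters", [])}
        src = registered_domain(params.get("USER_EMAIL"))
        dst = registered_domain(params.get("DESTINATION_USER_EMAIL"))
        # Malformed addresses are reported too, so they get reviewed, not dropped.
        if src is None or dst is None or src != dst:
            findings.append({"actor": activity.get("actor", {}).get("email"),
                             "ip": activity.get("ipAddress"),
                             "source_domain": src, "destination_domain": dst})
    return findings

def sample_activity(actor, ip, src, dst):
    """Build a constructed sample record (not real log data)."""
    return {"actor": {"email": actor}, "ipAddress": ip, "events": [{
        "name": "CREATE_DATA_TRANSFER_REQUEST",
        "parameters": [{"name": "USER_EMAIL", "value": src},
                       {"name": "DESTINATION_USER_EMAIL", "value": dst}]}]}

SAMPLE = [
    sample_activity("admin@example.com", "198.51.100.7", "alice@example.com", "bob@eu.example.com"),
    sample_activity("admin@example.com", "203.0.113.9", "carol@example.com", "carol@example.net"),
    sample_activity("admin@example.co.uk", "203.0.113.9", "dan@example.co.uk", "dan@other.co.uk"),
]

if __name__ == "__main__":
    for record in SAMPLE:
        for finding in cross_domain_transfers(record):
            print(finding)
```

Each finding carries the requesting admin and source IP alongside the two domains, which are the fields the investigation steps above ask the analyst to validate.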