Google Workspace external email forwarding

ID: google_workspace_external_email_forwarding
Data type: Google Workspace
Severity: Low
MITRE ATT&CK: TA0009:T1114.003

Description

AlphaSOC detected that email forwarding to an external domain was configured on a Google Workspace account. This means copies of incoming emails are sent outside the organization, which can indicate data exfiltration.

Impact

External email forwarding provides attackers with ongoing access to all incoming emails without needing to maintain access to the compromised account. Sensitive information, confidential communications, and password reset emails can be silently copied to attacker-controlled addresses.

Severity

Severity | Condition
Low      | Email forwarding to external domain set

Investigation and Remediation

Review Google Workspace audit logs to identify which user configured the forwarding rule and the destination address. Verify with the user whether the forwarding was intentionally configured for a legitimate purpose.

If unauthorized, immediately remove the forwarding rule and reset the user's credentials. Review the destination domain to assess the threat. Examine the account for other signs of compromise such as suspicious login activity or additional mail rules. Check for any sensitive emails that may have been forwarded during the active period.

Known False Positives

  • Business partners or contractors receiving copies of relevant emails
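The audit-log review described under Investigation and Remediation, together with the partner case listed under Known False Positives, as an added example. This is illustrative code, not AlphaSOC's detection logic and not Google's API client. It assumes the Admin SDK Reports API activity shape for the user_accounts application, with the event name email_forwarding_out_of_domain and its parameter email_forwarding_destination_address (names taken from Google's Reports API reference; verify them against your own tenant's logs). The organization domains, partner domains, addresses, IPs, and events below are all constructed.

```python
"""Triage helper for Google Workspace external-forwarding audit events.

Added example, not AlphaSOC's or Google's code. Assumed from Google's
Reports API reference: application "user_accounts", event name
"email_forwarding_out_of_domain", parameter
"email_forwarding_destination_address". All sample data is constructed.
"""
import json
from dataclasses import dataclass

FORWARDING_EVENT = "email_forwarding_out_of_domain"        # assumed event name
DEST_PARAM = "email_forwarding_destination_address"       # assumed parameter name

ORG_DOMAINS = frozenset({"example.com"})       # constructed: our own mail domains
PARTNER_DOMAINS = frozenset({"example.org"})   # constructed: known-partner allowlist

# Constructed Reports API activity items (shape as returned by activities.list).
SAMPLE_EVENTS_JSON = json.dumps([
    {"id": {"time": "2024-05-01T08:12:03.000Z", "applicationName": "user_accounts"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.10",
     "events": [{"name": FORWARDING_EVENT,
                 "parameters": [{"name": DEST_PARAM, "value": "a.personal@example.net"}]}]},
    {"id": {"time": "2024-05-01T09:40:55.000Z", "applicationName": "user_accounts"},
     "actor": {"email": "bob@example.com"}, "ipAddress": "198.51.100.7",
     "events": [{"name": FORWARDING_EVENT,
                 "parameters": [{"name": DEST_PARAM, "value": "shared@example.org"}]}]},
    {"id": {"time": "2024-05-01T10:02:17.000Z", "applicationName": "user_accounts"},
     "actor": {"email": "carol@example.com"}, "ipAddress": "198.51.100.9",
     "events": [{"name": FORWARDING_EVENT,
                 "parameters": [{"name": DEST_PARAM, "value": "carol@hr.example.com"}]}]},
    {"id": {"time": "2024-05-01T10:05:00.000Z", "applicationName": "user_accounts"},
     "actor": {"email": "dave@example.com"}, "ipAddress": "198.51.100.11",
     "events": [{"name": "unrelated_event_for_illustration", "parameters": []}]},
])


@dataclass
class Finding:
    time: str
    actor: str        # who configured the forwarding rule
    ip: str           # source IP of the change, for login-activity correlation
    destination: str  # where mail is being copied
    external: bool    # destination is outside ORG_DOMAINS (or subdomains)
    expected: bool    # destination domain is on the partner allowlist


def mail_domain(address: str) -> str:
    """Lowercase domain part of an address; '' if there is no '@'."""
    _, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep else ""


def is_internal(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address is on an org domain or any of its subdomains."""
    d = mail_domain(address)
    return any(d == org or d.endswith("." + org) for org in org_domains)


def forwarding_findings(activities, org_domains=ORG_DOMAINS, partner_domains=PARTNER_DOMAINS):
    """Walk activity items and collect every forwarding-configured event."""
    findings = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "<unknown actor>")
        ip = act.get("ipAddress", "")
        when = act.get("id", {}).get("time", "")
        for ev in act.get("events", []):
            if ev.get("name") != FORWARDING_EVENT:
                continue
            params = {p.get("name"): p.get("value") for p in ev.get("parameters", [])}
            dest = params.get(DEST_PARAM)
            if not dest:
                # Enabling forwarding is the signal; a missing destination still needs a look.
                findings.append(Finding(when, actor, ip, "<no destination recorded>", True, False))
                continue
            findings.append(Finding(
                time=when, actor=actor, ip=ip, destination=dest,
                external=not is_internal(dest, org_domains),
                expected=mail_domain(dest) in partner_domains,
            ))
    return findings


def needs_review(findings):
    """External destinations that are not on the partner allowlist."""
    return [f for f in findings if f.external and not f.expected]


if __name__ == "__main__":
    found = forwarding_findings(json.loads(SAMPLE_EVENTS_JSON))
    for f in needs_review(found):
        print(f"{f.time} {f.actor} -> {f.destination} (from {f.ip})")
```

Partner destinations are kept in the findings list rather than dropped, so an analyst still sees them when reviewing the account for other signs of compromise; only `needs_review` filters them out of the immediate queue. The allowlist should stay short and be re-validated with the user, since a contractor address is exactly what an attacker would pick if they knew it was allowlisted.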