Google Workspace Marketplace app removed from blocklist
Description
AlphaSOC detected a Marketplace application being removed from a blocklist. This change relaxes an administrative policy that previously prevented specific marketplace apps from being used. While administrators may remove apps for valid reasons, removing blocklist entries can introduce unvetted third-party apps into the tenant.
Impact
Allowing previously blocked apps can lead to increased exposure to malicious or poorly secured applications, OAuth consent risks, and elevated data access by third parties. Attackers leveraging malicious marketplace apps can request broad OAuth scopes and access user data or act on behalf of users.
Severity
| Severity | Condition |
|---|---|
Medium | Google Workspace Marketplace app removed from blocklist |
Investigation and Remediation
Identify the APPLICATION_NAME, NEW_VALUE, and the actor from the audit
record and confirm whether the change was approved. If the removal is
unauthorized, restore the blocklist setting and review which apps were allowed
as a result. Audit granted OAuth permissions and remove or restrict any newly
allowed third-party apps. Implement stricter review processes and approval
controls for modifying marketplace app policies.