Google Workspace Marketplace domain app enabled
Description
AlphaSOC detected a Google Workspace Marketplace app was enabled at the domain level. Enabling domain apps can grant third-party applications OAuth scopes and access to organizational data. Malicious or misconfigured apps may request excessive scopes or be used by attackers to persist and exfiltrate data.
Impact
A domain-enabled app with broad OAuth scopes can read or modify user data across the organization, access Drive/Calendar/Gmail, or act on behalf of users. Compromised or malicious apps can be used for data exfiltration, lateral movement, or automated account manipulation.
Severity
| Severity | Condition |
|---|---|
Low | Google Workspace Marketplace domain app enabled |
Investigation and Remediation
Inspect the app details and OAuth scopes in the audit record, identify the app publisher and consent flow. Revoke app access if unauthorized, rotate any credentials or API keys associated with the app, and review token usage for suspicious activity. Enforce an app vetting process, restrict domain-wide app installation to a small admin group, and require least-privilege scopes for integrations.