Google has announced the strengthening of safeguard measures for its Workspace customers. You may well be using Workspace without realising it. If you’re using a Google product such as Gmail, Calendar, Drive, or Google Docs Editors Suite (among other apps), then congratulations: you are fully inside the Workspace ecosystem.
Late last year, changes were made to try and catch out an attacker rifling through Google accounts and attempting to access certain critical settings or functionality.
When an account (any account, not just one offered by Google) is taken over, there’s going to be a specific flow the compromiser makes use of.
For example, if I hijack your email the first thing I’ll try and do is lock you out by changing your password. After that, I might pay a visit to the backup email address and try to stop you from regaining access that way. All of your accounts will have hot button settings which attackers will make a beeline for.
Google’s response, intended to assist Workspace administrators, was to present challenges to users who perform sensitive actions in unusual ways not seen before. Logging in far away from your usual location? Following an odd or significantly different pattern when trying to log in? These actions and more could trigger the challenge response.
The new additions relate to features in Gmail. Specifically:
- Filters: creating a new filter, editing an existing filter, or importing filters.
- Forwarding: adding a new forwarding address from the Forwarding and POP/IMAP settings.
- IMAP access: enabling the IMAP access status from the settings. (Workspace admins control whether this setting is visible to end users or not.)
With these in place, if an attacker hijacked your mail and then tried to sneakily add a forwarding address then Google would flag it and issue a “Verify it’s you” challenge. Depending on how the system has been set up by the admin, a relevant identity challenge will then take place. If the challenge is failed, the user will be sent a critical security alert notification on a trusted device to let them know someone is up to no good.
Cleverly, Google has designed the system so that even an incomplete challenge will send out an alert. Sorry attackers, you can’t just ignore it or back out!
At this point, you may be wondering if there's a list of activities you can expect to trigger a challenge as well as a list of potential challenges. Fear not, the relevant Google Support page has it covered.
Here’s some of the more common challenge triggers:
- View activity saved in your Google Account
- Change your password
- View saved passwords
- Turn on 2-Step Verification
- Download your data
- Change channel ownership on YouTube Creator Studio
- Change Google Ads account budget
- Buy any other product or service from Google
  - Example: Buy a Google Pixel or Nest device from Google Store
Here’s how you can verify your identity. It’s important to note that in order to verify yourself, the device you use to do this must have been registered for a period of seven days minimum:
- A device associated with the recovery phone number for your account
- A device that's signed in to your Google Account
- For accounts with 2-Step Verification turned on:
  - A security key that’s been added to your Google Account
  - A verification code from Google Authenticator
If you fail the challenge you can still use and access your account, but updating sensitive information or completing sensitive actions is not allowed for a seven-day period.