Researchers have found several ways to exploit Google Workspace and Google Cloud Platform features to conduct ransomware, data exfiltration, and password recovery attacks.
- GCPW attack: An attacker can extract OAuth tokens from the Windows registry or Chrome profile directory and use them to bypass multi-factor authentication and access Google Workspace APIs on behalf of the user. This could result in the theft of emails, data, or other sensitive information.
- DWD attack: An attacker can create new private keys for a service account with domain-wide delegation enabled and use them to perform API calls to Google Workspace on behalf of any identity in the domain. This could allow privilege escalation and unauthorized access to Google services.
- Importance of security measures: These attacks show the importance of using the least privileged access when assigning admin roles to platforms like Google Workspaces and ensuring that a robust MDR solution is implemented. Least privilege access can limit the scope and impact of a potential breach, while MDR can help detect and respond to malicious activities in real-time.
You can read more about it in this article: