G Suite warns admins about domain data exfiltration attempts

Google has rolled out new options for the G Suite alert center, to help administrators battle phishing emails more efficiently and spot data export operations initiated by attackers.

The new features are set to be ON by default and are available to all G Suite editions.


New alerts and controls

The new malware/phishing/suspicious alerts are powered by machine learning, and will notify admins when malware or phishing is detected after an email has been delivered to user inboxes.

“In these events, admins in G Suite Enterprise domains can proactively investigate the emails and if necessary, bulk remove suspicious emails from users’ inbox,” the company explained.

The new data export initiated alert is triggered when a domain data export is initiated.

Exporting data from an organization’s Google domain (meaning: user data from the G Suite core services) can be initiated only by super administrators. They can initiate an export for specific, legitimate reasons (e.g., backup), but their credentials can also be compromised and misused by attackers.

The alert will provide details about the super administrator/user who initiated the data export from the domain and when the operation was started. Data export operations typically take 72 hours or more, depending on the size of the domain, so these alerts allow admins to spot and react to malicious data export attempts.

Google has also rolled out the option to delete resolved or no longer needed alerts. But, to prevent malicious intruders from making alerts “disappear” without a trace, it made it possible to recover deleted alerts within 30 days of deletion.

Finally, the company also made it easier for admins to dig into the details of an alert and find more information on past user activities related to it by providing direct links to specific portions of audit logs.

