How Hackers Hack Google Workspace — and How to Protect Yourself
How attackers compromise Google Workspace tenants and what defender controls actually reduce risk.
Defender's Guide
This is a defender-focused resource covering attack patterns at a conceptual level so you can recognise threats and protect yourself or your organisation. The page does not include step-by-step exploitation procedures. If you suspect you are currently being targeted or have been compromised, scroll to the recovery section below.
What attackers want from Google Workspace
Google Workspace (formerly G Suite) is the identity and productivity platform for millions of organisations — Gmail, Drive, Docs, Meet, Calendar, Chat, plus the underlying Google identity that integrates with hundreds of SaaS applications via SSO. Compromised Workspace tenants enable business email compromise (BEC), data exfiltration from Drive, access to SSO-linked applications, and in some cases administrative access to the organisation's entire cloud footprint.
The threat landscape mirrors Microsoft 365: credential-based attacks dominate (phishing, credential stuffing, AiTM 2FA bypass), OAuth consent-grant phishing is active, and post-compromise BEC is the most common monetisation path. Google provides strong security capabilities (Advanced Protection Program, Context-Aware Access, DLP rules and the security investigation tool at enterprise tiers), but many are not enabled by default and require active configuration.
This page is written for IT and security teams managing Google Workspace tenants. The gap between "default Workspace tenant" and "hardened Workspace tenant" is substantial and closable with documented practices. Workspace's security capabilities at Business Plus and Enterprise tiers are genuinely strong; the investment return from proper configuration is high relative to licensing cost.
How attackers actually do it
Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.
Adversary-in-the-Middle (AiTM) phishing against Google login
Same pattern as Microsoft 365: the attacker proxies the victim through the real Google sign-in page, captures the credentials and the 2FA code, and steals the resulting session cookie, which is then replayed from the attacker's own browser. This defeats TOTP, push-notification and SMS 2FA because the second factor is relayed in real time. Phishing-resistant MFA (FIDO2 security keys or passkeys, which bind the credential to the genuine accounts.google.com origin, and the Advanced Protection Program that mandates them) is the answer.
Password spraying against Workspace tenants
Low-and-slow attempts using a few common passwords against lists of tenant users, enumerated from breach data, LinkedIn, or MX records pointing at Google (aspmx.l.google.com), which advertise Workspace use. Spreading attempts across many accounts keeps each account under its lockout and rate-limit thresholds; this is the baseline attack every Workspace tenant sees.
OAuth consent-grant phishing
Attacker-controlled apps request OAuth scopes (Gmail read, Drive read, Calendar access). The victim approves during a plausible "new productivity tool" consent flow. The attacker then holds a refresh token that keeps working after password changes until the grant is explicitly revoked. Required defence: block third-party access for unverified apps, require admin approval for high-risk scopes, and audit Marketplace and third-party app grants regularly.
Session-token theft via info-stealer malware
Info-stealers harvest Google session cookies and OAuth tokens from browsers on infected endpoints. The attacker imports the cookies and is instantly authenticated, with no password or 2FA prompt. Context-Aware Access policies that evaluate device health can mitigate this; basic Workspace configurations do not. Resetting the user's sign-in cookies from the Admin console invalidates the stolen session, so do that as part of any response rather than only changing the password.
Business Email Compromise after Gmail account takeover
Standard BEC playbook: inbox filters forward mail to attacker, fraudulent wire-transfer instructions sent from compromised executive/finance account, vendor communications redirected. Workspace tenants experience BEC at rates comparable to M365 — same underlying attack pattern.
Drive / Docs exfiltration at scale
Post-compromise, attackers download Drive contents, search for sensitive documents (payment instructions, credentials, PII), and often establish persistence by sharing files or folders to an external account, a grant that survives password changes and session resets. The Drive audit log records each download and sharing change, and Vault preserves the content, but detection requires someone actually monitoring those logs.
Admin role abuse and super-admin targeting
Google Workspace super-admins have broad tenant-wide control. Targeted attacks against super-admin accounts (especially where MFA is not hardware-backed) can result in tenant-wide compromise. Privileged-access controls (admin audit log events, least-privilege custom admin roles instead of blanket super-admin, Advanced Protection for admins) are the defensive direction.
Google Groups abuse for data access
Misconfigured Google Groups with overly permissive settings (external members allowed, message archive publicly readable, anyone can post) expose internal communications. Not always an "attack" as such, but routine access-configuration failures expose data to people who should not have it.
How to recognise compromise
Signs that your Google Workspace tenant may have been compromised:
Login alerts from unusual locations or impossible-travel patterns
Admin console → Reporting → Audit and investigation → User log events. Correlate source IPs with geographic context and with where the user actually is. The Alert Center's suspicious-login alert covers some cases; Google Cloud Identity Premium adds automated impossible-travel detection.
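The two login-log checks above, impossible travel and password spraying, can be run directly over the records the Reports API returns. The block below is an added example, not code from the page or from Google: the events are constructed, the GeoIP table is a stand-in for a real lookup, and the thresholds (900 km/h, ten accounts in an hour) are assumptions to tune per tenant.

```python
"""Two detections over Google Workspace login audit events, as returned by the
Admin SDK Reports API (reports.activities.list, applicationName="login").
Added example, not Google code. The events are constructed, and GEO is a
stand-in for a real GeoIP lookup (the IPs are from the TEST-NET ranges)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed GeoIP table: IP -> (latitude, longitude). Constructed for the example.
GEO = {
    "203.0.113.5": (51.5074, -0.1278),     # London
    "192.0.2.9": (51.5074, -0.1278),       # London, second egress IP
    "198.51.100.7": (37.7749, -122.4194),  # San Francisco
    "198.51.100.44": (40.7128, -74.0060),  # New York (spray source)
}


def _activity(ts, email, ip, name):
    """Build one record in the Reports API activity shape."""
    return {"id": {"time": ts, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name,
                        "parameters": [{"name": "login_type", "value": "google_password"}]}]}


# Constructed sample: alice "travels" London -> San Francisco in one hour,
# bob moves between two London IPs, and one New York IP fails once against
# twelve different accounts inside an hour.
EVENTS = [
    _activity("2024-05-01T09:00:00Z", "alice@example.com", "203.0.113.5", "login_success"),
    _activity("2024-05-01T10:00:00Z", "alice@example.com", "198.51.100.7", "login_success"),
    _activity("2024-05-01T09:30:00Z", "bob@example.com", "203.0.113.5", "login_success"),
    _activity("2024-05-01T10:00:00Z", "bob@example.com", "192.0.2.9", "login_success"),
    _activity("2024-05-01T09:05:00Z", "alice@example.com", "203.0.113.5", "login_failure"),
    _activity("2024-05-01T09:06:00Z", "alice@example.com", "203.0.113.5", "login_failure"),
] + [
    _activity(f"2024-05-01T11:{5 * i:02d}:00Z", f"user{i}@example.com", "198.51.100.44", "login_failure")
    for i in range(12)
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _has_event(activity, name):
    return any(ev.get("name") == name for ev in activity.get("events", []))


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def find_impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful logins per user whose implied speed exceeds
    max_kmh (roughly airliner speed). Returns (user, ip_from, ip_to, km, kmh)."""
    by_user = defaultdict(list)
    for a in events:
        if _has_event(a, "login_success"):
            by_user[a["actor"]["email"]].append((_ts(a["id"]["time"]), a["ipAddress"]))
    hits = []
    for user, rows in by_user.items():
        rows.sort()
        for (t1, ip1), (t2, ip2) in zip(rows, rows[1:]):
            if ip1 == ip2 or ip1 not in GEO or ip2 not in GEO:
                continue  # unknown IP: cannot geolocate, skip rather than guess
            km = haversine_km(GEO[ip1], GEO[ip2])
            hours = max((t2 - t1).total_seconds() / 3600.0, 1 / 60.0)  # floor at one minute
            if km / hours > max_kmh:
                hits.append((user, ip1, ip2, round(km), round(km / hours)))
    return hits


def find_spray_sources(events, window_min=60, min_users=10):
    """Flag source IPs with login_failure against >= min_users distinct accounts
    inside any window_min-minute window (low-and-slow spraying signature).
    Returns {ip: max distinct users seen in one window}."""
    by_ip = defaultdict(list)
    for a in events:
        if _has_event(a, "login_failure"):
            by_ip[a["ipAddress"]].append((_ts(a["id"]["time"]), a["actor"]["email"]))
    hits = {}
    for ip, rows in by_ip.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            while (rows[hi][0] - rows[lo][0]).total_seconds() > window_min * 60:
                lo += 1
            users = {u for _, u in rows[lo:hi + 1]}
            if len(users) >= min_users:
                hits[ip] = max(hits.get(ip, 0), len(users))
    return hits


if __name__ == "__main__":
    for hit in find_impossible_travel(EVENTS):
        print("impossible travel:", hit)
    for ip, n in find_spray_sources(EVENTS).items():
        print(f"spray source {ip}: {n} distinct accounts in one window")
```

Two design choices worth keeping when you adapt this: an IP the GeoIP table cannot place is skipped rather than scored, so a missing lookup never produces a false alarm, and the spray check uses a sliding window over distinct accounts rather than a raw failure count, which is what separates one user mistyping a password from one source touching the whole directory.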
Filter rules creating external forwarding in Gmail
Standard post-compromise pattern: Gmail filters that forward matching mail to an external address (often also archiving or deleting the original so the victim never sees the conversation), attacker-added forwarding addresses, or mailbox-wide auto-forwarding. The Admin console does not list per-user filters, so check the User log events for out-of-domain forwarding changes and query mailboxes through the Gmail API (users.settings.filters, users.settings.forwardingAddresses, users.settings.getAutoForwarding) using a service account with domain-wide delegation. Alert on any new external forwarding.
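A mailbox audit for exactly those patterns, written against the Gmail API response shapes. This is an added example, not code from the page or from Google; the filter, forwarding-address and auto-forwarding records are constructed, and the internal domain list and BEC keyword list are assumptions.

```python
"""Audit one mailbox's Gmail filters and forwarding for the post-compromise
patterns described above. Added example, not Google code. The input dicts
follow the Gmail API shapes (users.settings.filters.list,
users.settings.forwardingAddresses.list, users.settings.getAutoForwarding);
the sample data is constructed. In production you would fetch these per user
with a service account that has domain-wide delegation."""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumed: the tenant's own domains

# Terms an attacker typically filters out of sight during BEC: payment
# traffic, and the security notices that would reveal the takeover.
BEC_TERMS = re.compile(
    r"\b(invoice|payment|wire|bank|remittance|password|security alert|suspicious)\b", re.I)

# Constructed sample responses for one mailbox.
FILTERS = [
    {"id": "ANe1Bmi1", "criteria": {"query": "in:anywhere"},
     "action": {"forward": "archive.mailbox@example.net", "removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "ANe1Bmi2", "criteria": {"from": "newsletter@vendor.example"},
     "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    {"id": "ANe1Bmi3", "criteria": {"subject": "wire transfer"},
     "action": {"addLabelIds": ["TRASH"]}},
    {"id": "ANe1Bmi4", "criteria": {"from": "cfo@example.com"},
     "action": {"forward": "ops@example.com"}},
]
FORWARDING_ADDRESSES = [
    {"forwardingEmail": "archive.mailbox@example.net", "verificationStatus": "accepted"},
]
AUTO_FORWARDING = {"enabled": False}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _is_external(addr, internal=INTERNAL_DOMAINS):
    return _domain(addr) not in internal


def _hides_mail(action):
    """True if the filter keeps the message out of the user's sight."""
    added = set(action.get("addLabelIds", []))
    removed = set(action.get("removeLabelIds", []))
    return "INBOX" in removed or bool(added & {"TRASH", "SPAM"})


def audit_filters(filters, internal=INTERNAL_DOMAINS):
    findings = []
    for f in filters:
        action, criteria = f.get("action", {}), f.get("criteria", {})
        fwd = action.get("forward")
        hides = _hides_mail(action)
        crit_text = " ".join(str(v) for v in criteria.values())
        if fwd and _is_external(fwd, internal):
            findings.append({"filter": f["id"],
                             "severity": "critical" if hides else "high",
                             "detail": f"forwards to external {fwd}"
                                       + (" and hides the original" if hides else "")})
        elif hides and BEC_TERMS.search(crit_text):
            # No forwarding, but payment or security mail is being buried: the
            # attacker may be reading it through a stolen session instead.
            findings.append({"filter": f["id"], "severity": "medium",
                             "detail": f"hides mail matching BEC terms: {crit_text!r}"})
    return findings


def audit_forwarding(addresses, auto_forwarding, internal=INTERNAL_DOMAINS):
    findings = []
    for a in addresses:
        if _is_external(a["forwardingEmail"], internal):
            status = a.get("verificationStatus")
            findings.append({"severity": "high" if status == "accepted" else "medium",
                             "detail": f"external forwarding address registered: "
                                       f"{a['forwardingEmail']} ({status})"})
    if auto_forwarding.get("enabled") and _is_external(auto_forwarding.get("emailAddress", ""), internal):
        findings.append({"severity": "high",
                         "detail": f"mailbox auto-forwards everything to {auto_forwarding['emailAddress']}"})
    return findings


def audit_mailbox(filters, addresses, auto_forwarding, internal=INTERNAL_DOMAINS):
    """Combined findings for one mailbox, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = audit_filters(filters, internal) + audit_forwarding(addresses, auto_forwarding, internal)
    return sorted(findings, key=lambda x: order[x["severity"]])


if __name__ == "__main__":
    for finding in audit_mailbox(FILTERS, FORWARDING_ADDRESSES, AUTO_FORWARDING):
        print(f"[{finding['severity']}] {finding['detail']}")
```

The forward-plus-hide combination is rated above a plain external forward because it is the signature of an active BEC: the attacker is not just reading along but keeping the victim from seeing replies. Run it across every mailbox on a schedule and diff against the previous run; the new findings are the ones worth a ticket.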
Unusual Marketplace app installations
Apps → Google Workspace Marketplace apps → Apps list; review recent installations. Unfamiliar apps, especially with broad permissions, warrant investigation. Restrict user installations to an admin-approved allowlist for tight control.
Mass-download activity from Drive
Drive log events showing unusually high download volume from a single user, or a burst of downloads shortly after an unusual sign-in. Either intentional bulk work or exfiltration in progress; investigate. The Workspace Alert Center surfaces some of these automatically.
Admin role changes or new super-admin assignments
Account → Admin roles. Any change outside of approved change management warrants immediate investigation. Granting an admin role to a controlled or newly created account is a classic attacker persistence pattern.
OAuth tokens with broad permissions granted recently
Security → Access and data control → API controls → Manage Third-Party App Access. Review recently granted high-risk scopes (https://mail.google.com/, gmail.modify, gmail.settings.sharing, drive, drive.readonly) and any app that is unverified or unfamiliar to the users who granted it. User-consented OAuth grants are a persistent foothold if unnoticed.
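A scope-weighted triage of those grants, over the records the Admin SDK Directory API returns from tokens.list per user. This is an added example, not code from the page or from Google; the token records are constructed, and the scope weights, severity thresholds and allowlist are assumptions to tune for your tenant.

```python
"""Triage third-party OAuth grants pulled with the Admin SDK Directory API
(tokens.list per user). Added example, not Google code; the token records are
constructed and the scope weights and allowlist are assumptions."""

# Scope -> risk weight. Mail and Drive read/write, and the Gmail settings
# scope that lets an app create forwarding rules, dominate the score.
SCOPE_RISK = {
    "https://mail.google.com/": 10,
    "https://www.googleapis.com/auth/gmail.modify": 8,
    "https://www.googleapis.com/auth/gmail.readonly": 7,
    "https://www.googleapis.com/auth/gmail.settings.sharing": 9,
    "https://www.googleapis.com/auth/gmail.settings.basic": 5,
    "https://www.googleapis.com/auth/drive": 8,
    "https://www.googleapis.com/auth/drive.readonly": 6,
    "https://www.googleapis.com/auth/admin.directory.user": 10,
    "https://www.googleapis.com/auth/contacts.readonly": 3,
    "https://www.googleapis.com/auth/calendar": 2,
    "https://www.googleapis.com/auth/userinfo.email": 0,
}
ANONYMOUS_PENALTY = 5  # "anonymous": the app is not registered with Google
ALLOWLIST = {"123456789012-calendarsync.apps.googleusercontent.com"}  # assumed: reviewed apps

# Constructed tokens.list output across four users.
TOKENS = [
    {"userKey": "alice@example.com", "clientId": "123456789012-calendarsync.apps.googleusercontent.com",
     "displayText": "Calendar Sync", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/calendar",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "bob@example.com", "clientId": "987654321098-prodbooster.apps.googleusercontent.com",
     "displayText": "Productivity Booster", "anonymous": False, "nativeApp": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive.readonly"]},
    {"userKey": "carol@example.com", "clientId": "555555555555-mailhelper.apps.googleusercontent.com",
     "displayText": "Mail Helper", "anonymous": True, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/gmail.settings.sharing",
                "https://www.googleapis.com/auth/gmail.modify"]},
    {"userKey": "dave@example.com", "clientId": "444444444444-crm.apps.googleusercontent.com",
     "displayText": "CRM Connector", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
]


def score_token(token):
    """Return (score, reasons) for one grant. Unknown scopes get a small
    default weight so a scope missing from the table never silently scores zero."""
    score, reasons = 0, []
    for scope in token.get("scopes", []):
        w = SCOPE_RISK.get(scope, 1)
        if w:
            score += w
            reasons.append(f"{scope.rsplit('/', 1)[-1] or scope} (+{w})")
    if token.get("anonymous"):
        score += ANONYMOUS_PENALTY
        reasons.append(f"app not registered with Google (+{ANONYMOUS_PENALTY})")
    return score, reasons


def severity(score):
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def triage_tokens(tokens, allowlist=ALLOWLIST):
    """Rank grants by risk; allowlisted client IDs are reported as 'allowed'."""
    rows = []
    for t in tokens:
        score, reasons = score_token(t)
        sev = "allowed" if t["clientId"] in allowlist else severity(score)
        rows.append({"user": t["userKey"], "app": t.get("displayText", t["clientId"]),
                     "clientId": t["clientId"], "score": score, "severity": sev, "reasons": reasons})
    return sorted(rows, key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage_tokens(TOKENS):
        print(f"[{r['severity']:8}] {r['user']:18} {r['app']:20} score={r['score']:2}  "
              + "; ".join(r["reasons"]))
```

The allowlist is keyed on client ID, not on display text, because the display name is attacker-chosen during consent phishing and routinely imitates a legitimate product. The same client ID appearing on many users at once is itself a signal: pivot from the ranked list to the count of users per client ID before revoking.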
What actually protects you
Concrete actions ranked by impact. Items marked critical are the highest-leverage protections; do those first.
Enforce 2-Step Verification tenant-wide
Security → Authentication → 2-Step Verification → Enforce for all users. Single most impactful protection; it defeats credential stuffing and password spraying outright. Configure a reasonable new-user enrolment period and communicate the change, and restrict the allowed methods (the console can limit users to security keys, or exclude SMS and voice codes) wherever you can, since SMS and TOTP remain phishable through AiTM.
Require phishing-resistant MFA for privileged accounts
Hardware security keys (YubiKey, Titan Security Key) or passkeys for super-admins, admins, and high-value users (executives, finance). Google supports FIDO2/WebAuthn natively. The Advanced Protection Program bundles this with additional protections. Defeats the AiTM phishing that bypasses TOTP, because the credential is bound to the accounts.google.com origin and cannot be relayed through a look-alike domain.
Enable Google Advanced Protection Program for high-risk users
Google's strongest user-level protection. Requires security keys or passkeys for sign-in, blocks most third-party app access to the account, and adds extra account-recovery verification. Worth enrolling: super-admins, executives, the finance team, legal, anyone with significant target value. Free with any Workspace tier, but an admin must allow enrolment (Security → Authentication → Advanced Protection Program) before users can opt in.
Restrict OAuth app permissions and Marketplace installations
Security → Access and data control → API controls → App access control. Mark Gmail and Drive as restricted so only trusted (admin-reviewed) apps can request their scopes, block third-party access for unverified apps, and maintain the Marketplace allowlist. Prevents most OAuth consent-phishing outcomes because the grant fails at consent time rather than being discovered later.
Deploy Context-Aware Access (Enterprise tiers)
Conditional access based on user, device, location and application. Require managed devices for sensitive apps, block access from anonymous VPN or Tor exit nodes, and require stronger authentication for risky sign-ins. Business Standard and below do not have this; Enterprise tiers do.
Enable Alert Center and investigate alerts promptly
Admin console → Alert Center. Automated alerts for suspicious activity (suspicious logins, user-reported phishing, government-backed attack warnings, suspicious device activity). Alerts only add value when someone reviews and responds to them; many tenants generate alerts nobody reads, so route them to your SOC or ticketing system by email or through the Alert Center API.
Configure Gmail advanced settings for phishing protection
Apps → Google Workspace → Gmail → Safety. Enable attachment protection (including Enhanced pre-delivery message scanning), link and external image protection, and the spoofing and authentication protections; pair them with SPF, DKIM and an enforcing DMARC policy on your domains so mail spoofing your own domain is rejected rather than merely flagged. Business Plus and Enterprise tiers include more granular controls.
Use Google Vault for compliance retention and litigation hold
Vault retains Gmail, Drive and Chat data per policy and supports litigation holds and eDiscovery search. Required in many regulated industries, and valuable for incident investigation even without a regulatory requirement because a retention rule preserves messages an attacker deleted from the mailbox. Business Plus and above include Vault.
Audit Groups configuration and external sharing regularly
Directory → Groups, reviewing each group's access settings. Apps → Google Workspace → Drive and Docs → Sharing settings for the tenant-wide external sharing policy, plus a periodic sweep of files shared outside the domain or to anyone with the link. Over-permissive sharing accumulates over time; regular audits catch exposure before it becomes an incident.
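The Drive side of that sweep, over the file records the Drive API v3 files.list call returns when you request the permissions field. This is an added example, not code from the page or from Google; the file records are constructed and the internal domain list is an assumption. It also counts files per external principal, which surfaces the persistence pattern from the attack section (one outside address granted across many files).

```python
"""Find over-shared Drive files from Drive API v3 file records, i.e. the output
of files.list with
fields="files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery))".
Added example, not Google code; the file records are constructed."""

INTERNAL_DOMAINS = {"example.com"}  # assumed: the tenant's own domains
WRITE_ROLES = {"writer", "fileOrganizer", "organizer", "owner"}

# Constructed sample: one link-shared finance sheet, one file with an external
# personal-account editor, one cleanly internal file, one public editable file.
FILES = [
    {"id": "1a", "name": "Q3 vendor payment schedule.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "finance@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "1b", "name": "Board minutes.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ceo@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "ceo.personal@example.net"}]},
    {"id": "1c", "name": "Team roster.gsheet", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"},
        {"type": "group", "role": "writer", "emailAddress": "hr-team@example.com"}]},
    {"id": "1d", "name": "Press kit.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "pr@example.com"},
        {"type": "anyone", "role": "writer", "allowFileDiscovery": True}]},
]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def classify_permission(perm, internal=INTERNAL_DOMAINS):
    """Return (severity, detail) for a risky permission, or None if benign."""
    ptype, role = perm.get("type"), perm.get("role", "reader")
    writable = role in WRITE_ROLES
    if ptype == "anyone":
        detail = f"anyone with the link can {'edit' if writable else 'read'}"
        if perm.get("allowFileDiscovery"):
            detail += " and the file is discoverable by search"
        return ("critical" if writable else "high"), detail
    if ptype == "domain":
        if perm.get("domain", "").lower() in internal:
            return None
        return ("high" if writable else "medium"), f"shared with entire external domain {perm.get('domain')}"
    if ptype in ("user", "group"):
        addr = perm.get("emailAddress", "")
        if not addr or _domain(addr) in internal:
            return None
        if role == "owner":
            return "critical", f"ownership held by external account {addr}"
        return ("high" if writable else "medium"), f"external {ptype} {addr} has {role} access"
    return None


def audit_files(files, internal=INTERNAL_DOMAINS):
    """All risky grants across the file set, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            hit = classify_permission(perm, internal)
            if hit:
                findings.append({"file": f["id"], "name": f["name"],
                                 "severity": hit[0], "detail": hit[1]})
    return sorted(findings, key=lambda x: order[x["severity"]])


def external_principals(files, internal=INTERNAL_DOMAINS):
    """Files per external user/group. One outside address spread across many
    files is the share-to-external persistence pattern."""
    counts = {}
    for f in files:
        for perm in f.get("permissions", []):
            addr = perm.get("emailAddress", "")
            if perm.get("type") in ("user", "group") and addr and _domain(addr) not in internal:
                counts[addr] = counts.get(addr, 0) + 1
    return counts


if __name__ == "__main__":
    for x in audit_files(FILES):
        print(f"[{x['severity']}] {x['name']} ({x['file']}): {x['detail']}")
    print("external principals:", external_principals(FILES))
```

Two practical notes for a real run: files inside shared drives do not return their permissions inline from files.list, so fetch them with permissions.list per file, and a domain-type grant to your own domain is internal but still worth a look for finance or HR material, which is why the severity ladder here stops short of treating it as a finding.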
Separate super-admin accounts from regular-use accounts
Super-admin accounts should be used only for admin tasks, not for day-to-day work. Unique credentials, a hardware key required, no mail or Drive use from the account, signed in only while performing admin work, and at least two such accounts so that one compromise or lost key cannot lock you out of the tenant. This reduces the attack surface of the highest-privilege accounts substantially.
Frequently Asked Questions
Is Google Workspace more secure than Microsoft 365?
Broadly comparable, with different strengths. Google's default security posture tends to be slightly better out of the box: a cleaner OAuth consent model and strong default-on protections. Microsoft 365 has more granular enterprise control and deeper integration with Windows endpoint security. Both reach comparable security maturity with proper configuration. The decision between them is usually about other factors (pricing, application preferences, existing infrastructure); security-wise both are defensible platforms when configured well.
What is the Google Advanced Protection Program?
Google's highest-security individual-account tier. Requires security keys or passkeys for sign-in, blocks most third-party apps from accessing the account, and adds stricter account-recovery verification. Free with any Google account, including Workspace accounts once an admin allows enrolment. Initially designed for journalists and activists; now widely recommended for executives, admins, and anyone with elevated attack exposure. Configuration is straightforward and the user-experience impact is modest with modern hardware keys.
How do I protect my organisation against BEC on Google Workspace?
Multi-layered approach: (1) hardware-backed MFA for the finance team and executives (the highest-risk targets), (2) Advanced Protection Program for the same users, (3) Gmail advanced anti-phishing controls enabled, (4) documented out-of-band verification procedures for wire transfers and bank-detail changes (phone confirmation to a known number before any transfer), (5) training the finance team on BEC patterns specifically. BEC is fundamentally a human-process attack; technical controls help, but procedural controls carry most of the defensive weight.
What happens if a super-admin account is compromised?
Potentially catastrophic. A super-admin has tenant-wide control: it can modify any user, create new admins, change security policies, and access or export any data. Immediate actions: remove the compromised account from the super-admin role (if other super-admins exist), reset its sign-in cookies to revoke all sessions, reset the password, revoke its app passwords and OAuth grants, enable hardware-key MFA, and review the admin and user audit logs for the scope of attacker activity, including any admins, API clients or forwarding rules it created. If the organisation has only one super-admin and that one is compromised, engage Google support as an emergency. This scenario is why multiple super-admins with hardware-key MFA are an important baseline.
What is Context-Aware Access?
Workspace Enterprise feature that evaluates access attempts against policies based on user, device, location and application risk. Examples: require a managed device for Drive access to sensitive shared drives, block access from anonymous VPN or Tor, require hardware-key MFA for admin actions. The equivalent of Microsoft Entra ID (formerly Azure AD) Conditional Access. Essentially required for any Workspace deployment beyond small-business scale in 2026.
How do I prevent and detect OAuth consent-grant phishing?
Prevention: block third-party access for unverified apps and restrict Gmail and Drive to trusted apps (Security → Access and data control → API controls). Require admin review for high-risk OAuth scopes. Block unused Marketplace apps. Detection: alert on unusual OAuth grants, audit Marketplace and third-party app grants regularly, and investigate any app with Gmail or Drive permissions that its users do not recognise. Response: revoke the malicious app's access for every affected user, reset sessions for those users, and audit the data the app may have accessed during the time the grant was live.
Do small businesses on Google Workspace really need to worry about this?
Yes, arguably more than larger organisations. Small businesses are high-volume targets for BEC specifically: attackers extract substantial per-incident value while facing less detection capability. Workspace Business Standard plus 2SV enforcement plus Advanced Protection for the owner and financial decision-makers is a defensible baseline for a small business at modest cost. The attack volume is real, and the return on the defensive investment is high.
How do I secure Google Groups?
Groups are frequently over-permissioned by default. Common issues: external users allowed to join, message archives publicly visible, group ownership without oversight. Apps → Google Workspace → Groups for Business → Sharing settings controls the tenant-wide defaults; per-group review of high-sensitivity groups is recommended on top of that. Sensitive discussions often happen in groups with inadvertent external exposure; an audit catches it before it matters.
What is Cloud Identity Premium and do I need it?
Cloud Identity is Google's identity service, separate from Workspace. The Premium tier adds advanced security features: automated anomaly detection, Context-Aware Access (also available in Workspace Enterprise), the security investigation tool, and device management integration. For organisations needing identity services across Workspace and other cloud services, Cloud Identity Premium provides consolidation. Not needed for Workspace-only organisations at Enterprise tier.
Does Google Workspace satisfy compliance frameworks such as HIPAA and GDPR?
Yes, across those and most major compliance frameworks; Google publishes its current compliance attestations. Specific configurations are required for certain needs: HIPAA requires signing Google's BAA, and EU data-residency requirements are addressed through Workspace data regions on the editions that include it (Assured Workloads is a Google Cloud Platform feature, not a Workspace one). Compliance is not automatic; proper configuration and supporting documentation are required. Consult Google Workspace compliance resources and your compliance team for deployment details.