The Silent Breach: Security Threats in Google Workspace

Rex Guo, Khang Nguyen

BSidesSF 2025 — Here Be Dragons · Day 2 · Main

Khang Nguyen of Cominate, in collaboration with Shu Jang Wang at Obsidian Security, walked through three real-world Google Workspace attack scenarios (Chrome extension backdooring via OAuth, domain-wide delegation enumeration, and business email compromise) and documented in each case how Google's audit logs leave defenders with critically incomplete forensic pictures. The talk concluded with a frank assessment: Google Workspace logging has "a lot to be desired," and security teams need to supplement it with custom-built monitoring using Google's own APIs.

AI review

A red teamer turned researcher cataloguing exactly what Google Workspace does and does not log across three real attack scenarios — OAuth extension backdooring, domain-wide delegation enumeration, and BEC via inbox rule manipulation. The answer is consistently 'not enough,' and the proposed mitigations are concrete API-level code rather than policy hand-waving. This is forensics homework the Google Workspace defender population genuinely needs.
