Google Workspace Identity Security Crisis: 127% Attack Surge – Your 8-Step Defense Plan

The identity security landscape for Google Workspace has fundamentally changed. The era of defending against simple phishing is over. We are now in an age of sophisticated, identity-centric attacks.

New research from Guardz (source 11), corroborated by our own intelligence, reports that identity-based attacks against Google Workspace surged by 127% in the last year. These are not opportunistic attacks; they are targeted campaigns.

State-sponsored actors like APT28 and APT29 are no longer just targeting networks. They are specifically weaponizing the collaborative features of Google Workspace against you, turning your own tools into attack vectors.

Your Google Workspace tenant is likely vulnerable right now. The default settings prioritize collaboration, not a hardened security posture. This guide provides the emergency 8-step defense plan you must implement today.

(Figure: a security flowchart showing the 8-step defense plan to protect Google Workspace from the 127% surge in identity-based attacks.)

The New Threat Landscape: Why Your Old Defenses Are Failing

The core problem for administrators is that the nature of the threat has shifted faster than the defenses. What worked last year is now dangerously inadequate.

| Attack vector | 2025 threat data (Guardz, source 11) | Your immediate problem |
| --- | --- | --- |
| OAuth exploitation | 56% of all identity attacks | Employees grant malicious apps a long-lived, API-based token to company data. The grant is not tied to the password and persists until the token is revoked or the app is blocked. |
| Legacy authentication | 89% of brute-force attempts target it | Password-only protocols (IMAP, POP and SMTP basic authentication) never reach the 2-Step Verification challenge, so password spraying against them pays off. |
| MFA bypass | 23% success rate against SMS | SMS codes can be phished in real time or intercepted by SIM swap. SMS-based MFA is a speed bump, not a wall. |
| Dormant admin accounts | 67% of organizations have at least one | "Ghost" administrators left over from former employees keep full privileges and are waiting to be exploited. |

Expert Quote: “In 2025, the Google Workspace perimeter is not your network; it’s the individual identity of each user and the permissions granted to each application. The battle has moved from the firewall to the OAuth consent screen.”

The primary attack surface is no longer your network edge. It’s the web of interconnected apps, legacy protocols, and human trust that defines your modern workspace.

Your 8-Step Emergency Defense Plan

These are not suggestions; they are immediate, mandatory actions to harden your Google Workspace tenant against the current wave of identity attacks.

Step 1: Perform an Emergency OAuth App Audit (30 Minutes)

The Problem: Over the years your users have connected dozens of third-party apps to their Google accounts through OAuth consent. Many are forgotten, unvetted, and hold scopes that read mail or access Drive files. An OAuth grant is not tied to the password (Google revokes existing tokens on a password change only when they carry Gmail scopes), so a malicious Drive or Calendar grant survives a password reset and persists until the token is revoked or the app is blocked.

The Fix:

  1. Navigate to your Google Admin console > Security > Access and data control > API controls > Manage Third-Party App Access. The OAuth log events report (Reporting > Audit and investigation) shows which user authorized which app, with what scopes, and when.
  2. Review every single application listed. Ask two questions for each: "Is this business-critical?" and "Does it need the scopes it holds?"
  3. RED FLAG: apps with vague or generic names, apps authorized by only one or two users, apps unused for over 90 days, and any app holding full Gmail or Drive scopes without a documented owner.
  4. Set any suspicious or non-essential application to "Blocked." This revokes the existing tokens and prevents new grants. Then mark Gmail and Drive as "Restricted" under Google services in the same API controls page, so that only apps you have explicitly trusted can request those scopes in future; otherwise next quarter's audit starts from the same place.
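The review in steps 2 to 4 is tedious by hand once a tenant has a few hundred grants, so here is a triage script, written for this article as an added example (it is not Guardz or Google code). It assumes grant records in the shape returned by the Admin SDK Directory API tokens.list call (clientId, displayText, scopes, userKey) and a per-client last-use date that you would derive from the OAuth log events; the records below are constructed, and the generic-name list is an assumed heuristic.

```python
"""Triage OAuth grants across a Google Workspace tenant.

Added example for this article, not code from Guardz or Google. It assumes
grant records in the shape returned by the Admin SDK Directory API
tokens.list call (clientId, displayText, scopes, userKey) and a per-client
last-use date that you would derive from the OAuth log events; the records
below are constructed, not from a real tenant.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date

# Scopes that hand an app broad read or write access to mail, files or the
# directory. Real Google scope URIs; extend the set to match your risk model.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Display names that tell you nothing about the publisher (assumed heuristic).
GENERIC_NAMES = {"", "app", "test", "test app", "untitled", "my app"}

# Constructed sample: one record per (user, client) grant.
SAMPLE_TOKENS = [
    {"clientId": "100-hr.apps.googleusercontent.com", "displayText": "Acme HR Portal",
     "userKey": "alice@example.com", "scopes": ["openid", "email", "profile"]},
    {"clientId": "100-hr.apps.googleusercontent.com", "displayText": "Acme HR Portal",
     "userKey": "bob@example.com", "scopes": ["openid", "email", "profile"]},
    {"clientId": "100-hr.apps.googleusercontent.com", "displayText": "Acme HR Portal",
     "userKey": "carol@example.com", "scopes": ["openid", "email", "profile"]},
    # Consent-phishing shape: one user, generic name, full mailbox scope.
    {"clientId": "200-x.apps.googleusercontent.com", "displayText": "Test App",
     "userKey": "bob@example.com", "scopes": ["https://mail.google.com/"]},
    # Forgotten integration: several users, Drive scope, no use for months.
    {"clientId": "300-old.apps.googleusercontent.com", "displayText": "DocSync Legacy",
     "userKey": "carol@example.com", "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": "300-old.apps.googleusercontent.com", "displayText": "DocSync Legacy",
     "userKey": "dave@example.com", "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": "300-old.apps.googleusercontent.com", "displayText": "DocSync Legacy",
     "userKey": "erin@example.com", "scopes": ["https://www.googleapis.com/auth/drive"]},
]

# Constructed last-use dates keyed by clientId (derived from OAuth log events).
SAMPLE_LAST_USED = {
    "100-hr.apps.googleusercontent.com": date(2025, 11, 1),
    "200-x.apps.googleusercontent.com": date(2025, 10, 28),
    "300-old.apps.googleusercontent.com": date(2025, 4, 2),
}
TODAY = date(2025, 11, 3)


def triage(tokens, last_used, today, *, stale_days=90, min_users=3,
           business_critical=frozenset()):
    """Group grants per client and return a per-app verdict with reasons.

    Verdicts: KEEP (nothing to flag), REVIEW (at least one weak signal),
    BLOCK (high-risk scopes plus at least one other red flag). Apps on the
    business_critical allowlist are never blocked, but their reasons are
    still reported so the owner can tighten scopes.
    """
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for token in tokens:
        app = apps[token["clientId"]]
        app["name"] = token.get("displayText") or ""
        app["users"].add(token["userKey"])
        app["scopes"].update(token.get("scopes", []))

    report = {}
    for client_id, app in apps.items():
        reasons = []
        risky = sorted(app["scopes"] & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if app["name"].strip().lower() in GENERIC_NAMES:
            reasons.append(f"vague or missing app name {app['name']!r}")
        if len(app["users"]) < min_users:
            reasons.append(f"granted by only {len(app['users'])} user(s)")
        seen = last_used.get(client_id)
        if seen is None:
            # No evidence of use is a flag, not a pass.
            reasons.append("no use recorded in the audit window")
        elif (today - seen).days > stale_days:
            reasons.append(f"unused for {(today - seen).days} days")

        if client_id in business_critical:
            action = "KEEP (allowlisted)"
        elif risky and len(reasons) > 1:
            action = "BLOCK"
        elif reasons:
            action = "REVIEW"
        else:
            action = "KEEP"
        report[client_id] = {"name": app["name"], "user_count": len(app["users"]),
                             "reasons": reasons, "action": action}
    return report


if __name__ == "__main__":
    for client_id, verdict in triage(SAMPLE_TOKENS, SAMPLE_LAST_USED, TODAY).items():
        print(f"{verdict['action']:<18} {verdict['name']} ({client_id}, "
              f"{verdict['user_count']} users)")
        for reason in verdict["reasons"]:
            print(f"    - {reason}")
```

Feed it the real tokens.list output for every user (one call per user, or the equivalent export) plus the last-use dates from the OAuth log, and work the BLOCK list first. The allowlist exists so that a noisy but sanctioned integration does not get blocked by a script; it should be a short, reviewed list, not a dumping ground.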

Step 2: Disable Legacy Authentication (1 Hour)

The Problem: Password-only sign-ins ("less secure app" access over IMAP, POP, SMTP, CalDAV and CardDAV) never reach the 2-Step Verification challenge, so a single sprayed or leaked password is enough. Attackers target these endpoints specifically to bypass your modern security controls.

The Fix:

  1. In your Admin console, go to Security > Access and data control > Less secure apps.
  2. Select "Disable access to less secure apps for all users" at the top-level organizational unit, not just for selected OUs.
  3. Google has been retiring password-only access for Workspace accounts; if the setting is no longer present in your console, Google is enforcing it for you. Either way, check the User log events report (Reporting > Audit and investigation) for IMAP or POP sign-ins that still succeed, and check whether app passwords remain enabled for your tenant, since they let a 2SV user hand a static secret to a mail client.
  4. Impact Analysis: this will break older applications (old mail clients on mobile devices, scripts that send mail over SMTP with a password). This is a feature, not a bug. The security gain is worth the operational cost of migrating users to modern, OAuth 2.0-based apps.

Step 3: Mandate Phishing-Resistant MFA for All Admins (2 Hours)

The Problem: Your administrators are "super users." A compromised admin account is a game-over scenario. SMS-based MFA is not strong enough to protect them: one-time codes can be phished in real time through an adversary-in-the-middle proxy or intercepted by SIM swapping.

The Fix:

  1. Purchase FIDO2-compliant hardware security keys (like YubiKey) for every user with administrative privileges. Issue two per admin and register both, so a lost key is an inconvenience rather than a reason to weaken the policy.
  2. In the Admin console, go to Security > Authentication > 2-Step Verification, scoped to your administrator organizational unit (OU).
  3. Turn enforcement on with no new-user enrollment grace period, and under the allowed methods select the option that permits only security keys.
  4. An attacker who phishes an admin's password and a one-time code still cannot sign in, because the key's signature is bound to the genuine Google origin; this neutralizes OTP-phishing and SIM-swap bypasses. It does not protect a session that is already signed in, so also shorten admin session length and keep one break-glass admin account whose key sits in a safe. This is a core tenet of our Password Security Beginner Guide.

Step 4: De-Provision All Dormant and Orphaned Accounts (1 Hour)

The Problem: Your organization has a digital graveyard of accounts from former employees and forgotten automation accounts. Many still hold active permissions, and some carry admin roles. An attacker who lands on one of these gets a foothold that nobody is watching.

The Fix:

  1. Pull every user's last sign-in. The Admin console Users list shows it, and the Directory API users.list call returns lastLoginTime (a 1970 timestamp means the account has never signed in). Filter on 90 or more days.
  2. Cross-reference this list with your HR records. Immediately suspend any account belonging to a former employee (suspension blocks sign-in while preserving the data for transfer) and schedule it for deletion after your retention period. Work through anything with an admin role first.
  3. Audit all automation and shared accounts (Workspace user accounts used by scripts and integrations; Google Cloud service accounts live separately in Cloud IAM and need their own review). If you cannot identify the owner or business purpose of an account, disable it. It's better to deal with a temporarily broken integration than a breached admin account.
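The three steps above combine into one report, shown here as an added example written for this article (not Guardz or Google code). It assumes user records in the shape returned by the Directory API users.list call (primaryEmail, lastLoginTime, creationTime, isAdmin, suspended), an HR roster of current staff, an owner register for automation accounts, and a naming convention in which automation accounts start with "svc-"; every record below is constructed. It handles the cases a naive "90 days idle" query gets wrong: never-signed-in new hires, accounts already suspended, and automation accounts that are active but unowned.

```python
"""Find dormant and orphaned Google Workspace accounts.

Added example for this article, not code from Guardz or Google. It assumes
user records in the shape returned by the Admin SDK Directory API users.list
call (primaryEmail, lastLoginTime, creationTime, isAdmin, suspended), an HR
roster of current staff, and an owner register for non-human automation
accounts. All records below are constructed.
"""
from __future__ import annotations

from datetime import datetime, timezone

# The Directory API reports this timestamp for accounts that never signed in.
NEVER_SIGNED_IN = "1970-01-01T00:00:00.000Z"

SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "lastLoginTime": "2025-11-02T08:15:00.000Z",
     "creationTime": "2021-03-01T00:00:00.000Z", "isAdmin": True, "suspended": False},
    # Former employee, still active, still an admin: the ghost admin.
    {"primaryEmail": "frank@example.com", "lastLoginTime": "2025-06-10T17:40:00.000Z",
     "creationTime": "2019-08-12T00:00:00.000Z", "isAdmin": True, "suspended": False},
    # Current employee on long leave: dormant but not orphaned, review only.
    {"primaryEmail": "grace@example.com", "lastLoginTime": "2025-07-01T09:00:00.000Z",
     "creationTime": "2022-01-15T00:00:00.000Z", "isAdmin": False, "suspended": False},
    # New hire created last week who has not signed in yet: not a finding.
    {"primaryEmail": "heidi@example.com", "lastLoginTime": NEVER_SIGNED_IN,
     "creationTime": "2025-10-29T00:00:00.000Z", "isAdmin": False, "suspended": False},
    # Already-suspended leaver: skip, do not report twice.
    {"primaryEmail": "ivan@example.com", "lastLoginTime": "2024-12-01T10:00:00.000Z",
     "creationTime": "2020-05-05T00:00:00.000Z", "isAdmin": False, "suspended": True},
    # Automation account with a registered owner, used daily: fine.
    {"primaryEmail": "svc-backup@example.com", "lastLoginTime": "2025-11-03T01:00:00.000Z",
     "creationTime": "2023-02-02T00:00:00.000Z", "isAdmin": False, "suspended": False},
    # Automation account nobody claims, and it has an admin role.
    {"primaryEmail": "svc-legacy-sync@example.com", "lastLoginTime": "2025-10-30T01:00:00.000Z",
     "creationTime": "2020-02-02T00:00:00.000Z", "isAdmin": True, "suspended": False},
]
HR_ACTIVE = {"alice@example.com", "grace@example.com", "heidi@example.com"}
SERVICE_OWNERS = {"svc-backup@example.com": "platform-team@example.com"}
NOW = datetime(2025, 11, 3, 12, 0, tzinfo=timezone.utc)


def parse_time(value):
    """Parse the RFC 3339 timestamps the Directory API returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def review_accounts(users, hr_active, service_owners, now, *, dormant_days=90,
                    new_account_grace_days=14):
    """Return findings sorted by priority; anything with an admin role is P1."""
    findings = []
    for user in users:
        if user.get("suspended"):
            continue
        email = user["primaryEmail"]
        created = parse_time(user["creationTime"])
        last_login = (None if user["lastLoginTime"] == NEVER_SIGNED_IN
                      else parse_time(user["lastLoginTime"]))
        idle_days = (now - (last_login or created)).days
        is_service = email.startswith("svc-")  # naming convention assumed

        if is_service:
            if email not in service_owners:
                action, reason = "disable", "automation account with no registered owner"
            elif idle_days > dormant_days:
                action, reason = "review", f"automation account idle for {idle_days} days"
            else:
                continue
        elif email not in hr_active:
            action, reason = "suspend", "not on HR active roster"
        elif last_login is None:
            if idle_days <= new_account_grace_days:
                continue  # new hire still inside the onboarding grace period
            action, reason = "review", f"never signed in; created {idle_days} days ago"
        elif idle_days > dormant_days:
            action, reason = "review", f"no sign-in for {idle_days} days"
        else:
            continue

        findings.append({"email": email, "action": action, "reason": reason,
                         "is_admin": bool(user.get("isAdmin")),
                         "priority": "P1" if user.get("isAdmin") else "P2"})
    return sorted(findings, key=lambda f: (f["priority"], f["email"]))


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_USERS, HR_ACTIVE, SERVICE_OWNERS, NOW):
        admin = " [ADMIN]" if f["is_admin"] else ""
        print(f"{f['priority']} {f['action']:<8} {f['email']}{admin}: {f['reason']}")
```

Run it against the full users.list export and your HR feed, then action the P1 lines before anything else. The "review" verdict for dormant-but-current staff is deliberate: suspending a user who is on parental leave is a helpdesk ticket, but leaving a departed admin active is a breach waiting to happen.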

Step 5: Harden Google Drive Sharing Policies (30 Minutes)

The Problem: Default Drive sharing settings favor collaboration. Users can share outside the organization, including to personal Gmail accounts, and can create "anyone with the link" URLs that grant access with no identity behind it. This is a primary vector for silent data exfiltration, whether accidental or deliberate.

The Fix:

  1. In the Admin console, go to Apps > Google Workspace > Drive and Docs > Sharing settings.
  2. For your top-level organizational unit, set "Sharing outside of [your organization]" to "Off" or, if you work with fixed partners, to "Allowlisted domains." If you must leave it on, at minimum enable the warning shown when a file is shared outside the organization.
  3. Turning off external sharing (or allowlisting domains) also stops users sharing files with personal Gmail accounts. Set the default link-sharing option for new files to restricted, so a file is not reachable by anyone with the link unless the owner deliberately changes it.
  4. Users now share with specific, named people or with allowlisted partners, every share is recorded in the Drive log events, and accidental public exposure stops. Use the same Drive log events report to find files already shared to "anyone with the link" and clean those up.

Step 6: Enable AI-Powered Ransomware Detection

The Problem: Identity compromise is the entry point; ransomware is often the payoff. Ransomware running on an endpoint encrypts the local files, and Drive for desktop faithfully syncs the encrypted versions to the cloud, overwriting the good copies for everyone who shares them.

The Fix:

  1. Google has rolled out AI-powered ransomware detection for Drive for desktop (source 12). It is not available or enabled on every edition, so confirm it for yours.
  2. In your Admin console, verify that the feature is enabled for your Drive for desktop users. It uses behavioral analysis of file changes to recognize mass-encryption activity.
  3. When it triggers, syncing from the affected device is paused and the user is notified, which contains the damage to one machine rather than your entire Drive instance. Restore any files that were already overwritten from Drive's version history. This aligns with our broader AI Cybersecurity Defense Strategies.

Step 7: Implement Proactive Monitoring of Admin Actions

The Problem: You cannot defend against what you cannot see. Most organizations only read their admin audit logs after an incident has occurred.

The Fix:

  1. Create reporting rules (Admin console > Rules) on admin log events that trigger on high-risk activities, and route them to the alert center and to a mailbox or SIEM that your security team actually watches. A daily digest is the minimum; for role changes and data exports, alert immediately.
  2. Key Alerts to Configure: admin role created or assigned, user's password changed by an admin, 2-Step Verification disabled for a user, and data export initiated. Treat an admin granting a role to themselves, or a burst of password resets by one admin, as an incident rather than a notification.
  3. Assign a security team member to review these alerts every morning and close the loop on each one. This shifts your posture from reactive to proactive. For more on this, see our Incident Response Framework Guide.
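If you export the admin log events to a SIEM or a script rather than relying on console rules, the four alerts above plus the two escalations (self-assigned role, burst of resets) look like this. It is an added example written for this article, not Guardz or Google code. Records follow the Admin SDK Reports API activity shape (id.time, actor.email, events[].name, events[].parameters[]); the event names in RULES are placeholders chosen to match the article's four alerts, so map them to the exact names in your tenant's admin log before relying on them. The log entries are constructed.

```python
"""Evaluate high-risk admin actions from Google Workspace admin log events.

Added example for this article, not code from Guardz or Google. Records
follow the Admin SDK Reports API activity shape (id.time, actor.email,
events[].name, events[].parameters[]). The event names in RULES are
placeholders matching the four alerts in the article; verify them against
your tenant's admin log. The log entries below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

# event name (placeholder) -> (severity, description)
RULES = {
    "CREATE_ROLE": ("high", "admin role created"),
    "ASSIGN_ROLE": ("high", "admin role assigned"),
    "CHANGE_PASSWORD": ("medium", "user password changed by admin"),
    "DISABLE_2SV": ("high", "2-Step Verification disabled for user"),
    "DATA_EXPORT": ("critical", "tenant data export initiated"),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}
BURST_THRESHOLD = 3                   # same admin, same action ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window


def _record(time, actor, name, target=None):
    """Build one constructed activity record in the Reports API shape."""
    params = [{"name": "USER_EMAIL", "value": target}] if target else []
    return {"id": {"time": time, "applicationName": "admin"},
            "actor": {"email": actor},
            "events": [{"name": name, "parameters": params}]}


SAMPLE_LOG = [
    _record("2025-11-03T09:00:00.000Z", "alice@example.com", "CHANGE_PASSWORD", "bob@example.com"),
    _record("2025-11-03T09:01:00.000Z", "alice@example.com", "CHANGE_PASSWORD", "carol@example.com"),
    _record("2025-11-03T09:02:30.000Z", "alice@example.com", "CHANGE_PASSWORD", "dave@example.com"),
    # An admin granting a role to their own account.
    _record("2025-11-03T09:30:00.000Z", "mallory@example.com", "ASSIGN_ROLE", "mallory@example.com"),
    _record("2025-11-03T10:00:00.000Z", "alice@example.com", "CREATE_ROLE"),
    # Routine setting change: no rule, must be ignored.
    _record("2025-11-03T10:05:00.000Z", "alice@example.com", "CHANGE_USER_LANGUAGE", "erin@example.com"),
    _record("2025-11-03T11:00:00.000Z", "alice@example.com", "DATA_EXPORT"),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _param(event, name):
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def evaluate(records, *, burst_threshold=BURST_THRESHOLD, burst_window=BURST_WINDOW):
    """Return alerts sorted by severity then time.

    One alert per matching event, escalated to critical when an admin assigns
    a role to themselves, plus one critical alert per (admin, action) pair
    that repeats burst_threshold times inside burst_window.
    """
    alerts = []
    by_actor_event = defaultdict(list)
    for rec in records:
        when, actor = _ts(rec["id"]["time"]), rec["actor"]["email"]
        for ev in rec.get("events", []):
            rule = RULES.get(ev["name"])
            if rule is None:
                continue
            severity, desc = rule
            target = _param(ev, "USER_EMAIL")
            if ev["name"] == "ASSIGN_ROLE" and target == actor:
                severity, desc = "critical", desc + " (self-assigned)"
            alerts.append({"time": when, "actor": actor, "target": target,
                           "event": ev["name"], "severity": severity, "description": desc})
            by_actor_event[(actor, ev["name"])].append(when)

    for (actor, name), times in by_actor_event.items():
        times.sort()
        for i, t in enumerate(times):
            recent = [x for x in times[: i + 1] if x >= t - burst_window]
            if len(recent) >= burst_threshold:
                minutes = int(burst_window.total_seconds() // 60)
                alerts.append({"time": t, "actor": actor, "target": None, "event": name,
                               "severity": "critical",
                               "description": f"{len(recent)} x {RULES[name][1]} within {minutes} minutes"})
                break  # one burst alert per (admin, action) is enough

    alerts.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["time"]))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        target = f" -> {a['target']}" if a["target"] else ""
        print(f"{a['severity']:<8} {a['time']:%H:%M:%S} {a['actor']}{target}: {a['description']}")
```

The burst rule is what turns "an admin reset a password" (routine) into "an admin reset three passwords in three minutes" (an account takeover in progress or a compromised admin), which is the kind of distinction a flat per-event alert cannot make.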

Step 8: Conduct Targeted Security Awareness Training

The Problem: Your employees are your last line of defense against OAuth attacks. They need to be trained to spot the new generation of threats.

The Fix:

  1. Go beyond generic phishing training. Create specific training modules on OAuth consent screens.
  2. Show your employees legitimate and malicious consent requests side by side. The dangerous one is usually a genuine Google consent page for an app with a plausible name, so the app name alone proves nothing.
  3. Teach them to read the requested permissions. Does a simple document-signing app really need full access to their Gmail and Calendar?
  4. Run simulation exercises using a tool that mimics a malicious OAuth app request, and pair the training with technical enforcement in API controls, so that restricted Gmail and Drive scopes can only be granted to apps you have explicitly trusted.

Expert Quote: “The human firewall is your most important asset, but it requires continuous updates. In the age of AI and OAuth, you can’t just teach people not to click links; you have to teach them not to grant permissions.”

Conclusion: Your Immediate Priority

The threat against Google Workspace is no longer passive; it is active, targeted, and identity-driven. The 127% surge in attacks is a clear signal that your existing defenses are not enough. Follow these 8 steps today to harden your environment. Then, make continuous identity security and the principles of Zero Trust your number one priority.

To assess your organization’s current identity risk posture, use our Data Breach Simulator tool to model the impact of a compromised account.

The BC Threat Intelligence Group

SOURCES

  1. https://www.hackthebox.com/blog/writing-incident-response-report-template
  2. https://sliet.ac.in/national-cyber-security-awareness-month-october2025-cyber-security-tips/
  3. https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-best-practices/
  4. https://www.sisainfosec.com/blogs/10-cybersecurity-best-practices-in-the-age-of-ai-2025/
  5. https://purplesec.us/learn/incident-response-best-practices/
  6. https://www.picussecurity.com/how-to-improve-alert-management
  7. https://www.snapcomms.com/blog/cyber-security-notification-templates
  8. https://carbidesecure.com/resources/top-7-cybersecurity-best-practices-to-follow-2025/
  9. https://pg-p.ctme.caltech.edu/blog/cybersecurity/best-practices-for-cybersecurity
  10. https://www.coursera.org/articles/cybersecurity-best-practices
  11. https://guardz.com/blog/the-new-front-line-identity-threats-targeting-google-workspace-in-2025/
  12. https://workspace.google.com/blog/identity-and-security/how-guide-defending-against-malware-and-phishing-attacks