{
	"id": "62e3bb2e-9775-4408-aaf1-dd730ae4a52b",
	"created_at": "2026-04-06T00:19:14.989799Z",
	"updated_at": "2026-04-10T03:30:33.468958Z",
	"deleted_at": null,
	"sha1_hash": "7876e0f81f3a5e43b81244d7fae4427df4b94249",
	"title": "Google Workspace Malicious App Script analysis (english only)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1118897,
	"plain_text": "Google Workspace Malicious App Script analysis (english only)\r\nBy OWN\r\nPublished: 2024-04-25 · Archived: 2026-04-05 23:09:19 UTC\r\nIn this article, OWN-CERT presents a study of App Script, the development platform for building add-ons to the Google services used by an enterprise or for automating certain actions. Through an example of a persistence technique built with App Script, we illustrate an attacker's compromise chain and the analyst's investigation options. We also explore methods for collecting and analyzing logs, along with ways to identify these malicious actions, either manually or through custom detection rules, to improve detection and response capabilities.\r\nExecutive Summary\r\nGoogle Workspace is a cloud platform designed to facilitate collaboration and communication, offering a variety of services including App Script, a development platform for creating add-ons to the Google services used by an enterprise or for automating certain actions.\r\n• App Script is a critical service to investigate when looking for malicious activity on the platform after an account compromise.\r\n• Real-time detection is feasible: numerous events can serve as indicators of suspicious behavior that analysts should verify.\r\n• Understanding the threat, the possible techniques and the investigation methods is crucial for responding quickly to an attacker: collecting the logs, parsing them, and knowing what to look for.\r\nIn this article, an example of a persistence technique using App Script illustrates an attacker's compromise chain and the analyst's investigation options. We also explore methods for collecting and analyzing logs, along with ways to identify these malicious actions, either manually or through custom detection rules, to improve detection and response capabilities.\r\nIntroduction to Google Workspace\r\nhttps://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis\r\nPage 1 of 16\r\nGoogle Workspace is a comprehensive suite of online tools developed by Google to promote collaboration and communication within businesses, universities, associations, and even for individuals. The suite includes applications for communicating by email or instant messaging, managing calendars and organizing video conferences, storing and sharing files, and more.\r\nGoogle Workspace attracts businesses by offering subscription plans with different levels of functionality depending on the chosen model, catering to startups, SMEs or large corporations.\r\nMany security measures are available within the environment and can be activated by administrators to secure accounts and services. These include:\r\n• User account security: 2FA (two-factor authentication), password policy management, login session control, context-aware access rules.\r\n• Email security: restrictive measures on senders, filtering rules, management of quarantine zones.\r\n• File management: automatic content analysis and application of policies based on criticality level, protection against data leaks.\r\nAnd what interests us most in the context of this blog post: the logs.\r\nMany actions performed on the platform generate logs that are stored online, and no user, administrator or not, can alter them by modifying or deleting entries.\r\nAs a result, security teams can build monitoring on these sources to detect malicious behavior within the cloud environment and respond to alerts in real time, whether those alerts are generated automatically by Google via the alert center (reclassification of emails as spam, device compromise detection, etc.) or by security tools deployed by the company, such as a SIEM (Security Information and Event Management).\r\nCompromise scenario\r\nWhen a cloud account is compromised, the attacker may have recovered the password in several ways, including the reuse of stolen credentials obtained through infostealers, a method that has been widely employed for some time.\r\nIn our scenario, we play both the role of the attacker, who compromises an account and carries out malicious actions, and the role of the security analyst, who analyzes the compromised account to identify those malicious actions through the generated events.\r\nWe assume the compromise of a personal computer from which the employee logged into their professional account to check emails and documents. Once the machine was infected by an infostealer, the credentials were exfiltrated to a log collection platform and then resold to other parties.\r\nPreview of stolen credentials rendered by an infostealer in an exfiltrated log file.\r\nFollowing the detection of a suspicious login from outside the company, logs were collected and analyzed for the suspicious account to understand what happened and implement remediation measures. We used GW Forensic, an internal tool published on our GitHub to collect and analyze Google Workspace logs. The tool is available at this link: https://github.com/ownsecurity/GWForensic/.\r\nThe automatic collection and indexing of logs into OpenSearch saves time: the analyst can focus on searching for malicious traces, guided by GW Forensic's initial automated review of events.\r\nConfiguration used in this scenario:\r\nLaunching GW Forensic with the detailed configuration above.\r\n- Suspicious login\r\nBy filtering on the \"login\" service, we found 3 related events during the incident timeframe:\r\nEvents related to the \"login\" service on the account john.doe.\r\nA connection was made to the account john.doe@gwforensic.cloud at 17:29:55+02:00 from 173.44.36[.]176, located in Miami (USA) and owned by a free VPN company, while the user is located and working in France. A reauthentication occurred 22 minutes later at 17:51:37+02:00, followed by a disconnection at 18:23:11+02:00.\r\n- File download\r\nShortly after the malicious login, we observed several accesses to documents on the Drive as well as the download of numerous files:\r\nSignificant volume of documents downloaded from Drive.\r\nGW Forensic automatically tagged these events as a potential exfiltration technique, \"Exfiltration Over Web Services\".\r\nUpon analyzing the documents on the collaborator's Drive, we found that the majority came from a folder named \"pki-master\":\r\nFolder \"pki-master\" on the Drive of user john.doe.\r\nDownloading a folder on Google Drive (right-click > Download) creates a single ZIP file containing all the files and folders for the user. In the Workspace logs, however, this action generates one download event per file, hence the significant volume observed on the graph.\r\n- Set up of a malicious script\r\nWe notice the creation, through a \"change_user_access\" modification event, of a file named \"Projet sans Titre\" that refers to a Google App Script project:\r\nFile details.\r\nIt is renamed within the following minute to \"curriculum_vitae.txt\" to blend in with other files.\r\nActions on the script.\r\nSeveral edits are made to the file until 18:13:49+02:00. Alongside these actions, the logs from the \"token\" service in Google Workspace show an \"authorize\" event related to the script name \"curriculum_vitae.txt\":\r\n\"Authorize\" event on the account of john.doe.\r\nThe event, annotated here with the \"Credential Access\" tactic, corresponds to granting permission to an application/script via an OAuth token to access user data: profile information, rights to act on email, calendar access rights, etc.\r\nHere, the requested accesses correspond to the scopes the script's code needs.\r\nDuring the first execution, the attacker manually authorized the script to access certain services, as shown in the pop-up:\r\nAccess request pop-up for the application \"curriculum_vitae.txt\".\r\nThe advantage for the attacker is that the access request only needs to be made once: the token is generated and can then be reused by the application as long as it is not revoked.\r\nNine minutes after the last execution of the \"curriculum_vitae.txt\" script, a \"create_script_trigger\" event is generated; GW Forensic classifies it as a persistence method in the form of a scheduled task.\r\nCreation of a scheduled task by the attacker through abuse of App Script.\r\nThrough this trigger, the script runs without notifying the user, at the frequency defined in the script project: every minute, every hour, daily, weekly, etc.\r\nIf the token generated for the application is revoked, the script execution will fail.\r\nAfter gaining access rights to the script (via an administrator account), it is possible to open it and read its content:\r\nPreview of the Google Apps Script IDE page containing the script in the file \"Code.gs\".\r\nWe notice the presence of several functions within the script file:\r\n• GetInstructions: retrieves instructions from a Pastebin file using the UrlFetchApp service of App Script (more information about UrlFetchApp in the official Google documentation)\r\n• SearchDrivePattern: searches for a pattern in the names of files stored on the Drive\r\n• GetPath: returns the full path of a file\r\n• SearchGmailPattern: searches for a pattern in the subject or body of emails\r\n• Main: calls the other functions.\r\nThe script contacts the URL configured in its GetInstructions function to retrieve the keywords to search for on the Drive and the exfiltration method. Below is the content of the retrieved Pastebin file, which corresponds to the instructions the script will follow:\r\nWe observe the following instructions:\r\n• Search for the string pattern \"project\" in the Drive service and \"pass:\" in the Gmail service.\r\n• Exfiltrate the stolen data by email to a temporary email address.\r\nUpon analyzing the script content, the resulting process resembles the operation of an infostealer applied to SaaS:\r\nInfostealer actions.\r\nThe information about the matching files and emails is then sent to the attacker's temporary address:\r\nPreview of the email received by the attacker with the exfiltrated data.\r\nYes, the output isn't very pretty, but it's just a proof of concept! 😀\r\nIn the Triggers page of the IDE, we find the scheduled task that generated the \"create_script_trigger\" event:\r\nPreview of the trigger configuration.\r\nRecommendations\r\nTo protect against abuse of the App Script functionality, several methods are detailed below:\r\nEnable the Advanced Protection Program\r\nGoogle offers the Advanced Protection Program (Documentation), which can be enforced on domain accounts to strengthen security and prevent access to sensitive data. Enabling this feature has several consequences, such as:\r\n• Mandatory use of 2FA (two-factor authentication)\r\n• Additional security for browsing in the Google Chrome browser, especially regarding downloads.\r\n• Restricted access to data and services by third-party applications (via OAuth tokens)\r\nEnable third-party app filtering\r\nBy default, each user can use their Google account on third-party applications that work via Google authentication. This lets them grant an application access to their profile (name, email address) for login purposes, avoiding traditional manual registration. Some applications may also access documents in Drive, such as file-conversion SaaS applications (DOCX to PDF, JPEG to PDF, etc.).\r\nIt is possible to enable a filtering feature, or a list of authorized applications, to manually approve which applications are allowed to access domain user data (App access control under API controls in the Admin console). This reduces the use of company accounts on external sites and thus the risk of illegitimate access via third-party applications. App Script scripts will be blocked by default.\r\nPreview of blocking third-party applications including App Script.\r\nMonitor Google Workspace events in real time\r\nIt is possible to collect Google Workspace logs and analyze them in real time to identify suspicious events for investigation as early as possible. There are several Workspace log sources: login, token, drive, calendar, users... in which a significant number of events can correspond to compromise risks or malicious actions.\r\nThe GW Forensic project contains documentation with use cases to monitor and suggestions for detections based on existing events.\r\nMore information: https://github.com/ownsecurity/GWForensic/\r\nIt is possible to define SIGMA detection rules to integrate into log analysis tools such as the Sekoia XDR solution. Once the Google Workspace connectors are integrated into the platform, it is possible to create SIGMA rules dedicated to Google Workspace events. 
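The scenario above leaves four signals in the logs: a login from a network the user never uses, a burst of Drive download events, a token authorize event granting mail and Drive scopes to a script, and a create_script_trigger event on that same script. Before turning them into SIEM rules it helps to see the logic run over raw records. The Python script below is an added example written for this page; it is not OWN's code and not part of GW Forensic. It runs offline over constructed records laid out like Admin SDK Reports API activities (id.time, id.applicationName, ipAddress, events[].parameters), and the trusted-network list, the doc_title parameter on the trigger event and the download threshold are assumptions to adapt to a real tenant.

```python
# Added example by the editor, not OWN's code and not part of GW Forensic.
# Triage of the four behaviours from the scenario over Google Workspace activity
# records laid out like the Admin SDK Reports API (activities.list): id.time,
# id.applicationName, actor.email, ipAddress and events[] whose parameters are
# name/value or name/multiValue pairs. Every record below is constructed for this
# example and mirrors the article's timeline in UTC. Assumptions: the trusted
# network list, a doc_title on the create_script_trigger event, the threshold.
import ipaddress
from datetime import datetime, timedelta

TRUSTED_NETS = [ipaddress.ip_network('203.0.113.0/24')]  # assumed office egress range
# scope fragments that let a script read mail or files, or reach the internet
SENSITIVE_SCOPE_MARKERS = ('gmail', 'drive', 'script.external_request')
ACTOR = 'john.doe@gwforensic.cloud'

def mk(app, time, name, params=None, ip=None):
    '''Build one Reports-API-style activity record (constructed sample data).'''
    plist = [{'name': k, 'multiValue': v} if isinstance(v, list) else {'name': k, 'value': v}
             for k, v in (params or {}).items()]
    rec = {'id': {'time': time, 'applicationName': app}, 'actor': {'email': ACTOR},
           'events': [{'name': name, 'parameters': plist}]}
    if ip:
        rec['ipAddress'] = ip
    return rec

SAMPLE = [
    # normal morning login from the office range
    mk('login', '2024-04-18T07:02:11Z', 'login_success', {'login_type': 'google_password'}, ip='203.0.113.25'),
    # attacker login from the VPN exit node seen in the article
    mk('login', '2024-04-18T15:29:55Z', 'login_success', {'login_type': 'google_password'}, ip='173.44.36.176'),
    # folder download: one Drive event per file, 25 files in about three minutes
    *[mk('drive', f'2024-04-18T15:3{i // 10}:{(i % 10) * 6:02d}Z', 'download',
         {'doc_title': f'pki-master/file{i}.pem'}) for i in range(25)],
    # script project created, then renamed to blend in
    mk('drive', '2024-04-18T15:40:02Z', 'change_user_access', {'doc_title': 'Projet sans Titre'}),
    mk('drive', '2024-04-18T15:40:51Z', 'rename', {'doc_title': 'curriculum_vitae.txt'}),
    # OAuth consent granted on the first run: mail and Drive read, outbound HTTP, send mail
    mk('token', '2024-04-18T15:55:10Z', 'authorize', {'app_name': 'curriculum_vitae.txt', 'scope': [
        'https://www.googleapis.com/auth/gmail.readonly',
        'https://www.googleapis.com/auth/drive.readonly',
        'https://www.googleapis.com/auth/script.external_request',
        'https://www.googleapis.com/auth/script.send_mail']}),
    # a benign sign-in-with-Google grant that must not be flagged
    mk('token', '2024-04-18T15:57:00Z', 'authorize', {'app_name': 'Some SaaS', 'scope': [
        'https://www.googleapis.com/auth/userinfo.email']}),
    # time-driven trigger: the persistence step
    mk('drive', '2024-04-18T16:22:40Z', 'create_script_trigger', {'doc_title': 'curriculum_vitae.txt'}),
]

def _params(ev):
    return {p['name']: p.get('multiValue', p.get('value')) for p in ev.get('parameters', [])}

def iter_events(records):
    '''Yield (time, application, event_name, params, ip) for every event in every record.'''
    for rec in records:
        t = datetime.fromisoformat(rec['id']['time'].replace('Z', '+00:00'))
        for ev in rec['events']:
            yield t, rec['id']['applicationName'], ev['name'], _params(ev), rec.get('ipAddress')

def untrusted_logins(records):
    '''Successful logins whose source IP is outside the allowlisted networks.'''
    return [(t.isoformat(), ip) for t, app, name, _, ip in iter_events(records)
            if app == 'login' and name == 'login_success' and ip
            and not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)]

def download_bursts(records, threshold=20, window=timedelta(minutes=10)):
    '''Sliding window over Drive download events; one hit per window that reaches the threshold.'''
    times = sorted(t for t, app, name, _, _ in iter_events(records) if app == 'drive' and name == 'download')
    hits, start = [], 0
    for end, t_end in enumerate(times):
        while t_end - times[start] > window:
            start += 1
        if end - start + 1 == threshold:
            hits.append((times[start].isoformat(), threshold))
    return hits

def risky_authorizations(records):
    '''token/authorize grants that include mail, Drive or outbound-HTTP scopes.'''
    hits = []
    for t, app, name, p, _ in iter_events(records):
        if app == 'token' and name == 'authorize':
            risky = sorted(s for s in (p.get('scope') or []) if any(m in s for m in SENSITIVE_SCOPE_MARKERS))
            if risky:
                hits.append((t.isoformat(), p.get('app_name'), risky))
    return hits

def persistence_chain(records):
    '''Apps granted risky scopes that later received a script trigger: the chain from the article.'''
    granted = {app_name: t for t, app_name, _ in risky_authorizations(records)}
    chain = []
    for t, app, name, p, _ in iter_events(records):
        title = p.get('doc_title')
        if app == 'drive' and name == 'create_script_trigger' and title in granted:
            if t >= datetime.fromisoformat(granted[title]):
                chain.append((title, granted[title], t.isoformat()))
    return chain

def triage(records):
    '''Everything an analyst would want on one screen for the compromised account.'''
    return {'untrusted_logins': untrusted_logins(records), 'download_bursts': download_bursts(records),
            'risky_authorizations': risky_authorizations(records), 'persistence_chain': persistence_chain(records)}

if __name__ == '__main__':
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Running it prints the triage dictionary for the sample; in an investigation, feed it the activities.list output for the login, drive and token applications over the incident window. The persistence_chain result is the one to act on: revoking the OAuth token of the listed app makes the trigger's executions fail, which is the remediation the article points to, and the benign sign-in grant stays out of the risky list because it carries none of the mail, Drive or outbound-request scopes.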
In our lab, several rules have been created, including a detection rule related to the use of App Script:\r\nCustom rule \"App Script scheduled task\" on Sekoia XDR.\r\nOverview of alerts generated by abusive use of App Script: script creation and execution scheduling.\r\nApproximately 20 SIGMA rules are currently available and free to use in the GW Forensic project documentation to assist analysts in detecting malicious behavior in real time on Google Workspace platforms.\r\nMore information: https://github.com/ownsecurity/GWForensic/\r\nSource: https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.own.security/ressources/blog/google-workspace-malicious-app-script-analysis"
	],
	"report_names": [
		"google-workspace-malicious-app-script-analysis"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434754,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7876e0f81f3a5e43b81244d7fae4427df4b94249.pdf",
		"text": "https://archive.orkl.eu/7876e0f81f3a5e43b81244d7fae4427df4b94249.txt",
		"img": "https://archive.orkl.eu/7876e0f81f3a5e43b81244d7fae4427df4b94249.jpg"
	}
}