Password Spraying Protection

  • enforce MFA
  • audit logs for unusual patterns or failed login attempts
  • limit access to sensitive endpoints - use IP allowlists
  • use strong, unique passwords
  • train against phishing

Enforcing MFA

  • Admins can enforce MFA in Google Workspace
  • During user onboarding, enforcement is disabled. This could be an issue if it is not re-enabled.
    • ![[Attachments/Pasted image 20260304160651.png]]

Detection

  • Google Workspace - User Log Events audit log
    • looking for repeated failed login attempts - same IP or same user
  • Workspace can share its audit logs with GCP via Cloud Logging
    • this will enable filtering, detection, alerting and powerful insights
  • Log ingestion delays:
    • OAuth and login events might take hours
    • user account changes - 10 mins
    • SecOps customers get a reduced delay as it uses an internal delivery pipeline.
    • ![[Attachments/Pasted image 20260304162738.png]]
  • Login attempts are classified as Data Access events by Google
    • use the log query below
    • ![[Attachments/Pasted image 20260304163343.png]]
  • User agent
    • ![[Attachments/Pasted image 20260304162100.png]]

Identify targeted users

  • ![[Attachments/Pasted image 20260304163719.png]]
    # Export the last 7 days of failed logins from the organization's Data Access audit log.
    # The whole filter, including the AND clause, must sit inside one quoted argument.
    $ gcloud logging read \
     'logName="organizations/208451827211/logs/cloudaudit.googleapis.com%2Fdata_access"
      AND protoPayload.methodName="google.login.LoginService.loginFailure"' \
     --billing-project=gr-prod-1 \
     --organization=208451827211 \
     --format=json \
     --freshness=7d \
     --limit=10000 > login_failures.json
    
    # Count failures per user, most-targeted first.
    $ jq -r '.[].protoPayload.authenticationInfo.principalEmail' login_failures.json \
     | grep -v null \
     | sort | uniq -c | sort -nr > targeted_users.txt
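
The jq pipeline above counts failures per user; a spray from one source shows up the other way round, as a single IP failing against many different users a few times each. The added example below (not part of the original notes) groups `login_failures.json`-style entries both ways. It assumes the standard Cloud Audit Logs field `protoPayload.requestMetadata.callerIp` carries the source address; the function name, thresholds and sample entries are constructed for illustration.

```python
import json
from collections import defaultdict

FAILURE = "google.login.LoginService.loginFailure"

def _entry(email, ip):
    """Build one constructed log entry in the shape gcloud emits with --format=json."""
    return {"protoPayload": {
        "methodName": FAILURE,
        "authenticationInfo": {"principalEmail": email},
        "requestMetadata": {"callerIp": ip}}}

# Constructed sample data: documentation IP ranges and placeholder users.
SAMPLE = (
    [_entry(f"user{i}@example.com", "203.0.113.7") for i in range(6)]  # one IP, many users
    + [_entry("alice@example.com", "198.51.100.20")] * 5               # one user, many tries
    + [_entry("bob@example.com", "192.0.2.44")]                        # ordinary typo
    + [_entry(None, "192.0.2.45")]                                     # no principal recorded
)

def analyze(entries, spray_users=5, brute_failures=5):
    """Return (spray_ips, hammered_users). Thresholds are assumptions to tune."""
    users_by_ip = defaultdict(set)
    failures_by_user = defaultdict(int)
    for e in entries:
        p = e.get("protoPayload") or {}
        if p.get("methodName") != FAILURE:
            continue
        email = (p.get("authenticationInfo") or {}).get("principalEmail")
        ip = (p.get("requestMetadata") or {}).get("callerIp")
        if not email:
            continue  # same effect as `grep -v null` in the jq pipeline
        failures_by_user[email] += 1
        if ip:
            users_by_ip[ip].add(email)
    # Spray signal: many distinct users from one IP, even at one failure each.
    spray = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= spray_users}
    # Single-account signal: what the per-user count already surfaces.
    hammered = {u: n for u, n in failures_by_user.items() if n >= brute_failures}
    return spray, hammered

if __name__ == "__main__":
    # For real data: entries = json.load(open("login_failures.json"))
    spray, hammered = analyze(SAMPLE)
    print(json.dumps({"spray_ips": spray, "hammered_users": hammered}, indent=2))
```

In the sample, each `userN` account has a single failure and would sit at the bottom of `targeted_users.txt`, yet the per-IP grouping flags their shared source.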
    

Identifying weak passwords

  • password123 is weak but Password123 is fine.
  • Admins can review password strength in Google Workspace via user reports.
  • Admins should also try password spraying to ensure no weak passwords are present.

Context-Aware Access

  • ![[Attachments/Pasted image 20260304193527.png]]

OPSEC Considerations

  • Google risk-scores every login attempt using an ML risk engine.
    • it looks at the device, network and user behavior, and could trigger extra challenges
  • ![[Attachments/Pasted image 20260304163945.png]]