What to do if you spot an unauthorized member in your Google Groups

by

We recently had a situation at JupiterOne which triggered curiosity in members of our security team. A Google Group, used as a distribution list, had a surprise member. Who needs coffee when you can use such surprises to heighten your awareness levels?

That surprise member was visible only from the Direct and Indirect Members that, but clearly identified as a Direct member. On top of that, the suspicious user was an external account, such as wile.e.coyote@acme.example.com. Note that the line on which the user is listed is grey.

As the group was configured to never accept external members, this was quite concerning.

Did someone find a way to trick Google Groups into adding them to internal groups? Are our groups not configured properly? All of these questions were racing through our heads.

First, using the JupiterOne Google Workspace integration, we searched for any group that would have our suspicious coyote as a member. No results were found, not even the group which we visually confirmed as supposedly having that member. At this point, we were starting to feel like the odds of this being a misunderstanding or a bug were much higher than the odds of this being a security issue.

FIND google_group THAT HAS google_user WITH email = 'wile.e.coyote@acme.example.com'

Then, to be safe, we identified every group that allows external members using this query. It only returned groups for which this is allowed by design, showing we didn’t have a problem with rampant group misconfigurations.

FIND Configuration WITH allowExternalMembers=true 

From that moment, it seemed clear that the suspicious canine was not a true member, and did not have access to the group, but why was it listed as a member?

After contacting Google Support and replicating the issue reliably on our side, we have confirmed that banning a sender from a Google group will cause them to show up in the Direct and Indirect Members tab. The only hint to them not being a real member is the fact that the line they’re on is gray in the UI.

So if you see a surprise member in one of your groups:

  1. Check what color the line its own is.
  2. Confirm your group configuration does not allow external members.
  3. Check that this email address is not present in your graph for google_group.

If all of the above checks out, you have simply received a free jolt of adrenaline cause by a scary user interface, but you have learned a bit more about how you can use JupiterOne to track Google Groups. Why not set an alert for groups that allow external members while we’re at it?

Create an alert using the following query, replacing exclusions with email addresses of groups that allow external members by design:

FIND Configuration WITH email!="exclusion_1_would_go_here" AND email!='exclusion_2_would_go_here' AND email!='exclusion_3_would_go_here' AND allowExternalMembers=true

You will now be alerted when unexpected groups have this setting configured to the riskier mode.

I hope this blog post has helped you learn a thing or two about Google Groups and JupiterOne, including our integration for Google Workspace.

If you came here Googling for how a random external account could show up on one of your groups, your stress level should have significantly dropped after realizing that you probably do not have a security incident to deal with.

Guillaume Ross
Guillaume Ross

Guillaume has been a security practitioner for well over a decade, building on prior experience working in enterprise IT. He also produces technical training content as a hobby, as a way of staying sharp with recent tools and techniques. With experience in multiple cybersecurity companies, he's also worked on the blue-team side for large organizations and startups, and really enjoys challenging preconceived ideas. Why do something because everyone else is, or because we've always done it this way? Let's prove it's useful first!

Keep Reading

Introducing Continuous Controls Monitoring (CCM) | JupiterOne
November 7, 2024
Blog
Introducing Continuous Controls Monitoring (CCM)

CCM delivers real-time visibility, proactive risk management, and streamlined compliance for security.

Now Available: JupiterOne’s Public Postman Workspace | JupiterOne
October 31, 2024
Blog
Now Available: JupiterOne’s Public Postman Workspace

Explore JupiterOne’s Public Postman Workspace to streamline your workflows and enhance your security operations.

Prioritizing Exploitable Vulnerabilities to Protect Your Business Critical Assets | JupiterOne
October 16, 2024
Blog
Prioritizing Exploitable Vulnerabilities to Protect Your Business Critical Assets

Vulnerability scanners flood teams with alerts, but CTEM helps prioritize based on exploitability and business impact, ensuring focus on the most critical threats.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.