TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

The Identity Breach You Didn’t Know You Had: Google Workspace

2026-02-12

ATT&CK techniques detected

10 predictions
T1525 Implant Internal Image
80%
"saas integrations that extend identity trust across platforms application changes bring attack changes because these attack vectors target sessions and tokens that are created after authentication, attackers don’t even need the victim’s password or 2fa codes. in real-world …"
T1078.004 Cloud Accounts
78%
"the identity breach you didn’t know you had: google workspace why attackers now treat your inbox like an identity control plane for years, security teams treated google workspace like a productivity layer - email, documents, chat, calendars, and not much else. lock down spam f…"
T1078.004 Cloud Accounts
78%
"identity for: - password resets and recovery flows across saas apps - mfa code delivery and verification links - oauth-based integrations and api access - financial approvals, vendor communication, and billing workflows - third-party automation platforms and bots gmail ident…"
T1078.004 Cloud Accounts
70%
"is why business email compromise (bec) continues to grow even as phishing defenses improve. attackers aren’t just sending better emails. they’re abusing identity infrastructure directly. why traditional security controls are falling behind most organizations still protect g…"
T1525 Implant Internal Image
69%
"grant long-term access - alternate access paths bypass user visibility these actions don’t look like malware. they look like normal user configuration changes, which is exactly why they often go undetected. attackers don’t need to install anything. they simply reconfigure t…"
T1111 Multi-Factor Authentication Interception
48%
"is why business email compromise (bec) continues to grow even as phishing defenses improve. attackers aren’t just sending better emails. they’re abusing identity infrastructure directly. why traditional security controls are falling behind most organizations still protect g…"
T1528 Steal Application Access Token
39%
"saas integrations that extend identity trust across platforms application changes bring attack changes because these attack vectors target sessions and tokens that are created after authentication, attackers don’t even need the victim’s password or 2fa codes. in real-world …"
T1525 Implant Internal Image
38%
"the identity breach you didn’t know you had: google workspace why attackers now treat your inbox like an identity control plane for years, security teams treated google workspace like a productivity layer - email, documents, chat, calendars, and not much else. lock down spam f…"
T1556.006 Multi-Factor Authentication
33%
"is why business email compromise (bec) continues to grow even as phishing defenses improve. attackers aren’t just sending better emails. they’re abusing identity infrastructure directly. why traditional security controls are falling behind most organizations still protect g…"
T1078.004 Cloud Accounts
32%
"##auth consent abuse - saas lateral movement - mailbox configuration manipulation - persistence mechanisms this is exactly the kind of visibility modern itdr platforms are built to provide — connecting identity telemetry with behavioral detection and human-led response. at hunt…"

Summary

Most Google Workspace breaches go undetected for weeks. See how attackers exploit misconfigured permissions and what to look for before it is too late.