I serve as the part-time Google Admin for a half-dozen school districts across the country. Most of the schools I serve are smaller districts with limited internal IT resources. A few weeks ago, I was asked to triage a Google Workspace phishing situation that compromised an administrator account.
Fortunately, we were able to minimize the threat with little/no damage done. All is well! Now that the crisis is over, I spent some time reviewing the situation to better understand what happened and how we can prevent this issue from happening again.
AiTM Attack: not your average phishing scam 😲
1. Point of Attack – The attacker gained entry using a highly sophisticated “spear-phishing” campaign. The initial email was sent from a compromised account from a nearby school district. Because the sender was legitimate, it bypassed our internal email security filters. The attacker hid a malicious link inside a legitimate Zoom webinar link, ensuring the trap felt entirely authentic to the user.
Here’s a screenshot of the actual Google Workspace phishing page that was used to harvest user credentials:

2. Bypassing Two-Factor Authentication – The attacker used a sophisticated “Adversary-in-the-Middle” (AiTM) proxy attack to bypass two-factor authentication, which WAS enabled for the user. An AiTM attack uses a proxy to send legitimate login information back and forth between the user and the login service (Google), stealing the information as it is being entered. Finally, the attacker intercepts the login cookie which confirms a successful login, gaining full access to the user’s account. The user is completely unaware that anything unusual is taking place, as they are able to successfully access their account as expected.
I’ve dealt with simple phishing attacks like this in the past. We reset the user password, talk to them about entering their credentials into suspicious-looking web pages, and move on. That’s what I did in this situation as well, but the next day, we saw hundreds of suspicious emails being sent from the compromised user’s account. Resetting the user password did NOT revoke account access by the attackers!
3. Persistent Access – Once inside the account, the attacker established a quiet “backdoor” to maintain persistent access to the user’s account by hijacking the iOS Account Manager access token. This legitimate service is used by nearly all Mac users to connect their Google Account to macOS via a persistent access token. Because this token operates via background APIs rather than the standard web login screen, the attacker maintained control of the account even after we reset the user’s password and cleared their active web cookies.
At this point we started to get a bit nervous as our first attempts to restore user access were unsuccessful. We were able to trace the issue to the iOS Account Manager which we immediately disabled for the district (to the great disappointment of all Mac users!).
4. Final Solution – To completely sever the attacker’s access and close the backdoor, we had to move beyond standard password resets:
- Revoke Application Access: We manually revoked the compromised user’s connection to “iOS Account Manager.” This application is legitimate, but the attackers had used it to establish persistent access to the user’s account.
- Global Block: We were unsure if any other users had been compromised, so we temporarily blocked access to all third-party APIs. This was done as a preventive measure to stop the attacker from replicating their attack on other users.
- Session Reset: With the backdoor closed, we forced a final reset of the user’s login cookies to permanently evict the attacker.
Four ways to protect your district from an AiTM attack
Prevention is your best deterrent! Here are five things that you can do to prevent this situation from happening in the first place:
- Educate users about phishing attacks. This is your first line of defense. If something seems off, don’t proceed! Here’s a good thread with some training platforms recommended by the K12sysadmin group on Reddit.
- Manage staff access to third-party APIs. We now explicitly authorize access to third-party applications to better secure access to user data.
- Upgrade your 2FA method to security keys or passkeys which are resistant to AiTM attacks.
- Master the investigation tool to triage critical issues. This feature is available for all Google Workspace domains. EDU Plus customers receive premium features that are very helpful in incidents like this.
- Use context-aware access to further secure account access. This is a premium feature that can limit account access to an IP range, geographic location, type of device, etc.
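Why security keys and passkeys resist the AiTM technique described above, as an added illustration (not code from this post): a WebAuthn assertion is signed over the origin the browser was actually on and over a hash of the relying-party ID, so a proxy on a look-alike domain cannot produce one the real service accepts. The origin, RP ID and host names are assumptions, and the signature check itself is left out to keep the binding checks visible.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://accounts.example-district.test"  # assumed relying-party origin
EXPECTED_RP_ID = "accounts.example-district.test"           # assumed RP ID

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_binding(client_data_b64: str, auth_data: bytes, challenge: bytes):
    """Return (ok, reason) for the origin/rpIdHash/challenge binding; signature check omitted."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        # The check a proxy cannot satisfy: the browser records the origin the
        # user is really on, and the authenticator's signature covers it.
        return False, f"origin mismatch: {cd.get('origin')}"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # flags byte, bit 0 = user present
        return False, "user presence flag not set"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the clientDataJSON a browser would build."""
    return b64url_encode(json.dumps(
        {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}).encode())

def demo():
    challenge = bytes(range(32))  # constructed server challenge
    # authenticatorData = rpIdHash (32 bytes) + flags (UP set) + 4-byte signature counter
    auth_data = hashlib.sha256(EXPECTED_RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x07"
    genuine = verify_binding(make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge)
    # Same challenge relayed through a look-alike host: only the origin differs.
    proxied = verify_binding(make_client_data("https://accounts.district-webinar.test", challenge),
                             auth_data, challenge)
    return genuine, proxied

if __name__ == "__main__":
    print(demo())
```

Note that the proxied case fails even though the challenge is the genuine one relayed by the proxy; a password plus a one-time code has no such origin binding, which is exactly what the AiTM proxy exploits.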
Now let’s explore some strategies and tools that I used to investigate and understand what was happening in real-time.
Strategies and tools for responding to a Google Workspace phishing attack
Google Workspace phishing attacks are very common and will likely impact every single district at some point. By sharing my process, I hope you will pick up some ideas and strategies that will help you secure your domain.
There were two primary tools that I used to investigate, mitigate, and respond to this situation in real time:
- Investigation tool – available in the Google Admin console. This resource lets you examine detailed logs of user actions and domain activity. All domains have access to the investigation tool; however, EDU Plus domains will have access to additional features.
- Google Gemini – the logs and reports that the investigation tool generates can be very complex. I used Gemini to review and analyze these complex reports to make sense of large amounts of data. Gemini was incredibly helpful at analyzing IP addresses and very detailed time-stamps to identify the source of the breach.
I spent several days investigating and trying to make sense of this attack. Here are four investigations that proved to be helpful:
- Understanding the threat – we quickly identified and eliminated the malicious email, but I wanted to know exactly how it worked. I used the investigation tool to find and download a copy of the malicious email, which I uploaded to Gemini for analysis. Gemini was able to identify the specific URL which was being used to harvest user credentials. Gemini also indicated the likely use of Tycoon 2FA software, which is a well-known and highly sophisticated Adversary-in-the-Middle (AiTM) attack kit that bypasses 2FA. This context was very helpful in understanding the type of threat and response that was required. This particular attack used URL cloaking to prevent IT admins (like me) from accessing the credential-harvesting URL. The only way I was able to get the malicious URL was through my Gemini analysis.

- Identify the Impact – armed with the malicious URL and an understanding of the seriousness of the situation, I used the investigation tool to identify users who HAD visited the URL and immediately required a password reset. Fortunately, this search revealed that only 2 users had made it to the credential-harvesting page.

- Detailed log analysis – as I explained above, resetting the password of the impacted user wasn’t enough. We continued to see suspicious activity in the days that followed the initial incident. This was quite concerning, so I used the investigation tool to export a detailed report of login activity for the affected user. This report contained more than 50 rows of data, which would have been very challenging to analyze manually. I uploaded this log data to Gemini, which was able to quickly identify suspicious logins based on IP address and login time. This information led to the discovery of the use of a legitimate OAuth token to maintain access to the user account despite our initial efforts.

- Monitor for suspicious activity – Once we eliminated the threat, I was concerned that the attackers would try to regain access to the user’s account. I asked Gemini to suggest an alert that would help me monitor suspicious activity for critical users. Gemini recommended two alerts, which are now in place:
  - New OAuth grants – triggers an alert to IT admins if the affected user authorizes a new application with pervasive user permissions.
  - Monitor for Suspicious Logins & Failures – monitors traditional login failures due to an incorrect password or failed 2FA challenge.
I can honestly say that without Google’s investigation tool and Gemini’s support, managing this situation would have been nearly impossible. Hackers are becoming increasingly crafty and sophisticated, which means that IT admins need top-notch tools to prevent AND respond to the inevitable situations that will arise.
Responding to a breach is exhausting; I much prefer helping districts harden their defenses before the link is ever clicked. If you’re not sure where your gaps are, let’s chat! You might be a candidate for a security audit or to become one of my managed-service clients.