Google Workspace Object Copied from External Drive with App Consent

Last updated 10 days ago on 2026-06-15
Created 3 years ago on 2023-03-07

About

Detects when a user copies a Google document, spreadsheet, form, or Apps Script project from a Drive outside their Workspace organization into their own Drive and, within three minutes, authorizes a custom Google OAuth application. Adversaries may send spearphishing links carrying a /copy URI parameter so that the victim replicates a malicious object into their own Drive. Container-bound Apps Script attached to the copied object can then run when the document is opened and prompt the user for OAuth consent, granting the attacker's application access to Workspace data under the victim's identity.
Tags
Domain: Cloud
Data Source: Google Workspace
Tactic: Initial Access
Tactic: Execution
Tactic: Persistence
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)
Execution (TA0002)
Persistence (TA0003)

False Positive Examples
Google Workspace users typically share Drive resources with a shareable link whose parameters are set to control whether the recipient can view or edit the object. It is uncommon for a user in an organization to manually copy a Drive object from an external Drive into their corporate Drive, though it can happen when a user finds a useful spreadsheet in a public Drive and replicates it to their own. It is also uncommon for the copied object to execute a container-bound script unless the user knowingly intended it, which suggests the object uses container-bound scripts to accomplish a legitimate task. A copy followed by consent to an application the organization already uses is the most likely benign explanation; confirm the client ID before closing the alert.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-google_workspace.*
Related Integrations

google_workspace

Query
```eql
sequence by source.user.email with maxspan=3m
  [file where data_stream.dataset == "google_workspace.drive" and event.action == "copy" and
    /* Should only match if the object lives in a Drive that is external to the user's GWS organization */
    google_workspace.drive.owner_is_team_drive == false and google_workspace.drive.copy_type == "external" and
    /* Google Script, Forms, Sheets and Document can have container-bound scripts */
    google_workspace.drive.file.type: ("script", "form", "spreadsheet", "document")]
  [any where data_stream.dataset == "google_workspace.token" and event.action == "authorize" and
    /* Ensures application ID references custom app in Google Workspace and not GCP */
    google_workspace.token.client.id : "*apps.googleusercontent.com"]
```
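The following Python model is an added example, not part of the rule or of Elastic's code. It replays the EQL sequence above over a handful of constructed Google Workspace events (field names follow the rule; every user, timestamp and client ID is invented) so you can see which combinations of Drive copy and OAuth consent fire and which do not: an internal copy, a file type that cannot carry a container-bound script, a consent outside the 3-minute window, a consent logged before the copy, and a client ID without the custom-app suffix.

```python
"""Offline model of the rule's sequence logic over constructed Workspace events.

Added example; not the rule's or Elastic's code. Field names mirror the rule,
all users, timestamps and OAuth client IDs below are constructed.
"""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(minutes=3)                      # with maxspan=3m
CONTAINER_BOUND_TYPES = {"script", "form", "spreadsheet", "document"}
CUSTOM_APP_PATTERN = "*apps.googleusercontent.com"  # the rule's wildcard


def ts(ev):
    """Parse the ECS @timestamp (ISO 8601 with an explicit offset)."""
    return datetime.fromisoformat(ev["@timestamp"])


def is_external_copy(ev):
    """Stage 1: copy of a container-bound-capable object from an external Drive."""
    return (
        ev.get("data_stream.dataset") == "google_workspace.drive"
        and ev.get("event.action") == "copy"
        and ev.get("google_workspace.drive.owner_is_team_drive") is False
        and ev.get("google_workspace.drive.copy_type") == "external"
        and ev.get("google_workspace.drive.file.type") in CONTAINER_BOUND_TYPES
    )


def is_custom_app_consent(ev):
    """Stage 2: an OAuth authorize event whose client ID carries the custom-app suffix."""
    return (
        ev.get("data_stream.dataset") == "google_workspace.token"
        and ev.get("event.action") == "authorize"
        and fnmatchcase(ev.get("google_workspace.token.client.id", ""), CUSTOM_APP_PATTERN)
    )


def correlate(events, maxspan=MAXSPAN):
    """Emulate `sequence by source.user.email with maxspan=...`.

    Events are processed in timestamp order. One in-flight sequence is kept per
    user: a newer qualifying copy supersedes an older one, and a consent event
    closes the sequence; only pairs inside maxspan become alerts.
    """
    pending, alerts = {}, []
    for ev in sorted(events, key=ts):
        user = ev["source.user.email"]
        if is_external_copy(ev):
            pending[user] = ev
        elif is_custom_app_consent(ev) and user in pending:
            first = pending.pop(user)
            if ts(ev) - ts(first) <= maxspan:
                alerts.append({
                    "user": user,
                    "file_type": first["google_workspace.drive.file.type"],
                    "client_id": ev["google_workspace.token.client.id"],
                    "copy_at": first["@timestamp"],
                    "consent_at": ev["@timestamp"],
                })
    return alerts


# --- constructed sample events -------------------------------------------------
def drive_copy(user, when, file_type, copy_type="external", team_drive=False):
    return {"@timestamp": when, "source.user.email": user,
            "data_stream.dataset": "google_workspace.drive", "event.action": "copy",
            "google_workspace.drive.owner_is_team_drive": team_drive,
            "google_workspace.drive.copy_type": copy_type,
            "google_workspace.drive.file.type": file_type}


def token_authorize(user, when, client_id):
    return {"@timestamp": when, "source.user.email": user,
            "data_stream.dataset": "google_workspace.token", "event.action": "authorize",
            "google_workspace.token.client.id": client_id}


APP = "1234567890-abc.apps.googleusercontent.com"   # constructed custom-app client ID
SAMPLE_EVENTS = [
    # alice: external spreadsheet copy, consent 90 s later -> alert
    drive_copy("alice@example.com", "2026-06-15T10:00:00+00:00", "spreadsheet"),
    token_authorize("alice@example.com", "2026-06-15T10:01:30+00:00", APP),
    # bob: copy from inside the organization -> stage 1 never matches
    drive_copy("bob@example.com", "2026-06-15T10:05:00+00:00", "document", copy_type="internal"),
    token_authorize("bob@example.com", "2026-06-15T10:06:00+00:00", APP),
    # carol: external copy of a type that cannot carry a container-bound script
    drive_copy("carol@example.com", "2026-06-15T10:10:00+00:00", "pdf"),
    token_authorize("carol@example.com", "2026-06-15T10:11:00+00:00", APP),
    # dave: external form copy, but consent arrives 5 minutes later -> outside maxspan
    drive_copy("dave@example.com", "2026-06-15T10:20:00+00:00", "form"),
    token_authorize("dave@example.com", "2026-06-15T10:25:00+00:00", APP),
    # erin: consent is logged before the copy -> wrong order, no sequence
    token_authorize("erin@example.com", "2026-06-15T10:30:00+00:00", APP),
    drive_copy("erin@example.com", "2026-06-15T10:31:00+00:00", "script"),
    # frank: external script copy, but the client ID lacks the custom-app suffix
    drive_copy("frank@example.com", "2026-06-15T10:40:00+00:00", "script"),
    token_authorize("frank@example.com", "2026-06-15T10:41:00+00:00", "internal-admin-console"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only alice's pair survives; every other user fails exactly one of the rule's conditions, which is a useful way to check a tuning change (for example widening maxspan) before deploying it.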

Install detection rules in Elastic Security

Detect Google Workspace Object Copied from External Drive with App Consent in the Elastic Security detection engine by installing this rule into your Elastic Stack. The rule requires the google_workspace integration to be shipping the Drive and Token audit log datasets (google_workspace.drive and google_workspace.token) to the logs-google_workspace.* index pattern.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.