What’s Really Changing in Google Workspace
In the trenches of Google Workspace (GWS) security, the past year has been a wake-up call for defenders. The shift from broad phishing campaigns to targeted identity-based attacks is palpable. Identity is now the front line of Google Workspace security, and attackers are exploiting trust, not just technology.
Google Workspace environments are facing an unprecedented threat landscape in 2025, with identity-based attacks increasing by 127% year-over-year and OAuth exploitation emerging as the dominant attack vector. This analysis reveals critical security gaps affecting organizations using Google Workspace, with immediate action required across multiple threat vectors.
Key findings indicate that legacy authentication protocols remain active in 89% of credential stuffing attacks. Advanced persistent threat groups, particularly APT28 and APT29, have developed sophisticated techniques specifically targeting Google Workspace administrative functions and service account infrastructures.
Critical vulnerabilities identified include dormant administrative accounts maintaining excessive privileges in 67% of the reviewed environments, external Drive sharing abuse increasing by 56% annually, and multi-factor authentication bypass techniques achieving a 23% success rate against SMS-based implementations. Organizations require immediate tactical responses, including auditing OAuth applications, disabling legacy protocols, and deploying FIDO2 security keys for administrative accounts.
Why Identity Has Become the New Battleground
Organizations worldwide are experiencing an unprecedented surge in sophisticated identity-based attacks targeting Google Workspace environments. As companies increasingly rely on cloud collaboration platforms for critical business operations, threat actors have adapted their methodologies to exploit the inherent trust relationships and extensive permissions within these ecosystems. MSPs are right in the middle of this challenge as the Google administrators and owners of security roadmaps.
The emergence of advanced OAuth exploitation techniques, combined with traditional credential-based attacks, has created a complex threat landscape requiring immediate attention from security professionals.
Recent threat intelligence indicates an increase in OAuth-based attacks against Google Workspace in 2025, representing a fundamental shift in adversary tactics. These attacks leverage legitimate platform features to establish persistent access while operating below traditional detection thresholds.
The sophistication of current campaigns demonstrates a deep understanding of Google Workspace architecture and security controls, necessitating comprehensive identity threat detection and response strategies.
How Attackers Are Adapting Faster Than Defenders
OAuth Abuse: The New Phishing
Modern campaigns employ sophisticated consent phishing techniques that far exceed traditional email-based social engineering. Threat actors now deploy legitimate-appearing applications that request minimal initial permissions before gradually escalating scope through incremental consent flows. The rise of OAuth abuse isn’t just a technical footnote. For MSPs, it means shadow IT apps can quietly become the biggest insider risk without traditional alerts firing.
Authentication Evolution: When MFA Isn’t Enough
Multi-factor authentication bypass methodologies have evolved significantly, with adversary-in-the-middle attacks showing 76% year-over-year growth. Current campaign analysis reveals varying success rates depending on authentication implementation:
- SMS and voice verification methods show 23% bypass success rates
- Authenticator applications demonstrate 8% bypass vulnerability
- FIDO2 security keys maintain less than 1% bypass rates
SIM swapping campaigns specifically targeting Google Workspace users have increased by 45% in 2025, with attackers achieving an average compromise time of 2.3 hours from a successful SIM swap to a complete account takeover. Finance personnel and executive users represent 67% of the targeted individuals in these campaigns.
Not all MFA is created equal. What looks like ‘MFA coverage’ on a compliance checklist can still be a red carpet for attackers. For MSPs, this means SMS-based MFA might not be true protection, but rather a liability.
The Hidden Risk of Legacy Authentication
Analysis of global incident data reveals that more than 81% of credential stuffing attacks against Google Workspace specifically target basic authentication protocols. Organizations maintaining legacy authentication demonstrate 340% higher compromise rates compared to OAuth-only environments. The average progression from a successful basic authentication compromise to a complete account takeover spans a few hours, indicating rapid operationalization by attackers.
Geographic Threat Intelligence and Actor Attribution
Current threat intelligence reveals distinct geographic patterns in Google Workspace targeting methodologies. Russian-based threat actors primarily focus on OAuth abuse and administrative privilege escalation techniques, accounting for 21.2% of observed attacks. These campaigns demonstrate a sophisticated understanding of Google Workspace administrative console functionality and the exploitation of organizational hierarchy.
Data Leaks and Drive Abuse
External Sharing Exploitation Patterns
External sharing abuse represents a critical vulnerability in current Google Workspace environments, with a 56% increase in malicious external sharing link creation observed in 2025. Attackers create legitimate-looking external sharing configurations that persist for an average of 43 hours before being detected by security teams.
Data exfiltration attempts demonstrate strong temporal patterns, with 82% of incidents occurring outside standard business hours to avoid detection. These campaigns leverage automated Drive API access through compromised OAuth applications to systematically extract organizational data without triggering traditional sharing alerts.
Data isn’t leaking through firewalls anymore; it’s walking out the front door via ‘legitimate’ sharing. Attackers are exploiting collaboration tools the way users do, just faster and at scale. This is why context-aware monitoring matters.
Gmail Security Exploitation
Email Forwarding and Rule Manipulation
Email forwarding rule manipulation occurs in 78% of successful email-based attacks against Google Workspace environments, with attackers implementing automatic forwarding to external addresses as their primary persistence mechanism. These configurations typically remain undetected for extended periods due to insufficient monitoring of administrative email settings.
The quietest backdoor in Google Workspace isn’t malware; it’s a forwarding rule. By the time IT notices, months of sensitive mail may already be archived outside the org. MSPs need to treat mailbox rules as critical identity signals.
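One way to turn mailbox rules into a signal, as an added example that is not Guardz code: walk a mailbox’s forwarding addresses and filters and flag any destination outside the organisation’s own domains. The record shapes follow the Gmail API’s users.settings.forwardingAddresses and users.settings.filters resources as I recall them (an assumption to verify against the API reference); the org domains and the records themselves are constructed sample data.

```python
"""Flag Gmail forwarding settings that send mail outside the organisation."""
from dataclasses import dataclass

ORG_DOMAINS = {"example.com"}  # constructed: the tenant's own domains

# Constructed sample of forwarding addresses configured on one mailbox
# (assumed shape of the Gmail API forwardingAddresses resource)
SAMPLE_FORWARDING = [
    {"forwardingEmail": "archive@example.com", "verificationStatus": "accepted"},
    {"forwardingEmail": "backup.mail@mail-relay.invalid", "verificationStatus": "accepted"},
]

# Constructed sample of Gmail filters; forwarding is an action on a filter
# (assumed shape of the Gmail API filters resource)
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "invoices@vendor.example"},
     "action": {"forward": "backup.mail@mail-relay.invalid", "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"subject": "newsletter"},
     "action": {"addLabelIds": ["TRASH"]}},
]

@dataclass(frozen=True)
class Finding:
    kind: str    # "forwarding_address" or "filter"
    target: str  # external destination address
    detail: str  # verification status or filter id plus whether the copy is hidden

def _is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS

def audit_forwarding(forwarding, filters):
    """Return a Finding for every forwarding destination outside ORG_DOMAINS."""
    findings = []
    for fwd in forwarding:
        addr = fwd.get("forwardingEmail", "")
        if addr and _is_external(addr):
            findings.append(Finding("forwarding_address", addr, fwd.get("verificationStatus", "")))
    for flt in filters:
        action = flt.get("action", {})
        target = action.get("forward")
        if target and _is_external(target):
            # Forwarding combined with skipping the inbox is the quiet-backdoor pattern
            hides = "INBOX" in action.get("removeLabelIds", [])
            findings.append(Finding("filter", target, f"id={flt['id']} hides_inbox={hides}"))
    return findings

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_FORWARDING, SAMPLE_FILTERS):
        print(finding)
```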
Security Gaps
The Danger of Dormant Accounts
Dormant administrative accounts pose significant security vulnerabilities, with 67% of compromised dormant accounts retaining administrative privileges from their last active period. The average dormancy period before exploitation spans 147 days, with 89% of attacks occurring within 72 hours of account reactivation.
Dormant accounts aren’t just clutter; they’re ticking time bombs. Attackers know MSPs rarely audit stale admins, so the quickest path to privilege escalation often comes from yesterday’s forgotten account.
Future Threat Predictions and Intelligence
Emerging Attack Vector Analysis
At Guardz, our research team tracks identity-based threats daily so MSPs don’t have to. We believe the future of cloud security isn’t about more dashboards, but about smarter, user-centric detection and response. Let’s look a bit into the future to predict where these threats are headed.
Authentication context manipulation represents a predicted threat vector expected to emerge in Q4 2025. These attacks will exploit contextual authentication decisions within Google Workspace by manipulating environmental factors that influence access control decisions. Initial intelligence suggests a high potential for success against current conditional access implementations.
AI-assisted social engineering campaigns targeting Google Workspace administrative consent flows are predicted to emerge in Q1 2026. These operations will combine generative artificial intelligence for convincing executive impersonation with technical OAuth exploitation techniques, creating highly effective hybrid attack methodologies.
Identity federation exploitation represents a predicted threat vector targeting federated identity provider relationships in Q4 2025. These attacks will exploit trust relationships between identity systems to gain unauthorized access to Google Workspace environments through compromised external identity providers.
How MSPs Can Stay Ahead of the Curve (GWS Best Practices)
Enforce Multi-Factor Authentication (MFA)
Configure 2-Step Verification for all user accounts in the Admin console. Require hardware security keys (FIDO2) for administrators and privileged users. Disable SMS-based verification to reduce SIM swap risk.
Enable Passkeys and Device-Bound Session Credentials
Activate passkey authentication for user accounts to eliminate password-based phishing attacks. Deploy Device-Bound Session Credentials (DBSC) to bind session tokens to physical devices, preventing session hijacking via stolen cookies.
Apply Least Privilege and Role-Based Access Control
Audit all user roles and group memberships in Google Admin. Assign only necessary privileges to users and service accounts. Use Team Drives for shared data with granular access controls. Remove unused accounts and stale permissions regularly.
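An added example (not Guardz code) of the stale-admin audit this step and the dormant-accounts section above call for: list privileged accounts whose last sign-in is older than a policy threshold, or that have never signed in at all. Record fields follow the Admin SDK Directory API users resource as I recall it (primaryEmail, isAdmin, isDelegatedAdmin, suspended, lastLoginTime, with the Unix epoch reported for never-used accounts), which is an assumption; the clock, threshold and user records are constructed.

```python
"""Flag admin accounts that have not signed in for longer than a policy threshold."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
DORMANT_AFTER = timedelta(days=90)               # constructed policy threshold

# Constructed sample export (assumed Directory API users resource field names)
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "suspended": False, "lastLoginTime": "2025-08-30T09:12:00.000Z"},
    {"primaryEmail": "old-admin@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "suspended": False, "lastLoginTime": "2025-02-01T00:00:00.000Z"},
    {"primaryEmail": "svc-helpdesk@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "suspended": False, "lastLoginTime": "1970-01-01T00:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "suspended": False, "lastLoginTime": "2024-01-01T00:00:00.000Z"},
]

def _parse(ts: str) -> datetime:
    # Directory API timestamps are RFC 3339 with a trailing Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def dormant_admins(users, now=NOW, threshold=DORMANT_AFTER):
    """Return (email, days_idle) for unsuspended super or delegated admins idle past
    threshold; days_idle is None for accounts that have never signed in."""
    out = []
    for u in users:
        privileged = u.get("isAdmin") or u.get("isDelegatedAdmin")
        if not privileged or u.get("suspended"):
            continue  # non-admins are out of scope here; suspended accounts cannot sign in
        last = _parse(u["lastLoginTime"])
        if last.year == 1970:
            out.append((u["primaryEmail"], None))  # provisioned but never used
        elif now - last > threshold:
            out.append((u["primaryEmail"], (now - last).days))
    return out

if __name__ == "__main__":
    for email, idle in dormant_admins(SAMPLE_USERS):
        print(f"{email}: {'never signed in' if idle is None else f'{idle} days idle'}")
```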
Control Third-Party App Integrations
Restrict OAuth access to Google Workspace APIs. Create an allowlist for approved third-party apps in the Admin console. Block access to “less secure apps” and monitor for shadow IT using App Access Control reports.
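The allowlist check from this step as an added example (not Guardz code): compare each user’s OAuth grants against the approved client IDs and flag grants that carry scopes with tenant-wide impact. The grant record shape follows the Admin SDK Directory API tokens resource as I recall it (clientId, displayText, scopes, userKey), an assumption to verify; the allowlist, client IDs and grants are constructed sample data, while the scope URLs are real Google API scopes.

```python
"""Audit OAuth grants against an app allowlist and flag high-impact scopes."""

# Constructed allowlist of approved client IDs (mirrors what App Access Control holds)
APPROVED_CLIENT_IDS = {"1111-approved-crm.apps.googleusercontent.com"}

# Real Google scopes whose grant gives an app all mail, all Drive data,
# mail forwarding control, or directory administration
HIGH_IMPACT_SCOPES = {
    "https://mail.google.com/": "full Gmail read/send/delete",
    "https://www.googleapis.com/auth/gmail.settings.sharing": "manage forwarding and delegation",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/admin.directory.user": "manage directory users",
}

# Constructed sample grants (assumed Directory API tokens resource field names)
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "1111-approved-crm.apps.googleusercontent.com",
     "displayText": "Approved CRM",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "alice@example.com", "clientId": "2222-unknown.apps.googleusercontent.com",
     "displayText": "PDF Helper",
     "scopes": ["https://www.googleapis.com/auth/drive", "openid", "email"]},
    {"userKey": "bob@example.com", "clientId": "3333-unknown.apps.googleusercontent.com",
     "displayText": "Mail Backup",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/gmail.settings.sharing"]},
]

def audit_tokens(tokens, approved=APPROVED_CLIENT_IDS):
    """Return one finding per grant that is off the allowlist or carries a high-impact scope."""
    findings = []
    for tok in tokens:
        off_list = tok["clientId"] not in approved
        risky = sorted(s for s in tok["scopes"] if s in HIGH_IMPACT_SCOPES)
        if off_list or risky:
            findings.append({
                "user": tok["userKey"],
                "app": tok.get("displayText", tok["clientId"]),
                "off_allowlist": off_list,
                "high_impact": [HIGH_IMPACT_SCOPES[s] for s in risky],
                # Unknown app plus high-impact scope is the consent-phishing profile: triage first
                "severity": "high" if (off_list and risky) else "medium",
            })
    return findings

if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS):
        print(f"[{f['severity']}] {f['user']} -> {f['app']}: {f['high_impact'] or 'off allowlist'}")
```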
Secure Endpoints
Require device compliance checks for mobile and desktop access. Enforce disk encryption, automatic updates, and screen lock policies on all endpoints. Use Endpoint Verification to monitor device health and enforce access policies.
Final Thoughts
Our research into Google Workspace threats isn’t just about tracking statistics. It’s about anticipating what comes next and helping MSPs stay ahead. Guardz will continue to share insights like these so our partners can protect what matters most: their people, their clients, their data, and their growth.