Query Details

GWS Alerts Bad Whitelist

Query

id: 7a3f2c8e-1d4b-4e5a-9c2f-8b1d7e6a4f08
name: GWS - Misconfigured Email Allowlist Causing Phishing Delivery
description: |
  Gmail detected phishing reaching inboxes because of a misconfigured allowlist
  (BadWhitelist). Indicates a defense-evasion misconfiguration that must be
  remediated immediately.
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
queryFrequency: 30m
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
  - InitialAccess
relevantTechniques:
  - T1566.001
  - T1562
query: |
  GWSAlerts_CL
  | where AlertDataType endswith "BadWhitelist"
       or AlertType has "Misconfigured whitelist"
  | extend Domains = tostring(AlertData.domains),
           Sources = tostring(AlertData.sourceIp)
  | project TimeGenerated, AlertId, MetadataSeverity, AlertType,
            Domains, Sources, SecurityInvestigationToolLink, AlertData
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: SecurityInvestigationToolLink
incidentConfiguration:
  createIncident: true
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect phishing emails that have reached Gmail inboxes due to a misconfigured email allowlist, which is a security oversight that needs immediate attention. Here's a simple breakdown of the query:

  • Purpose: To identify and alert on phishing emails that bypass Gmail's security because of a misconfigured allowlist.
  • Severity: The issue is classified as medium severity.
  • Data Source: It uses data from Google Workspace alerts, specifically looking at alerts related to "BadWhitelist" or "Misconfigured whitelist."
  • Frequency and Duration: The query runs every 30 minutes and looks at data from the past 2 hours.
  • Trigger: An alert is triggered if there is more than 0 occurrences of the issue, i.e. whenever the query returns at least one row.
  • Tactics and Techniques: The query is associated with defense evasion and initial access tactics, specifically techniques T1566.001 (Phishing) and T1562 (Impair Defenses).
  • Output: The query extracts and displays information such as the time the alert was generated, alert ID, severity, alert type, affected domains, source IPs, and a link to a security investigation tool.
  • Entity Mapping: It maps URLs to a security investigation tool link for further analysis.
  • Incident Creation: If the query finds relevant data, it will create an incident for further investigation.
  • Version and Type: This is version 1.0.0 of a scheduled query.

Overall, this query helps security teams quickly identify and respond to phishing threats caused by misconfigured email allowlists in Gmail.
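As an added example that is not part of the original rule or the connector, the Python below models the query's filter (case-insensitive endswith, term-based has, tostring of dynamic fields) over constructed GWSAlerts_CL rows, and models the 30-minute frequency against the 2-hour lookback to show how many consecutive runs would return the same alert row. The row schema, sample values and the simplified has semantics are assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample GWSAlerts_CL rows (assumed schema; field names follow the query).
SAMPLE_ROWS = [
    {"TimeGenerated": "2026-05-07T10:05:00Z", "AlertId": "a-1", "MetadataSeverity": "MEDIUM",
     "AlertType": "Misconfigured whitelist",
     "AlertDataType": "google.apps.alertcenter.type.BadWhitelist",
     "AlertData": {"domains": ["phish.example", "spoof.example"], "sourceIp": "203.0.113.9"},
     "SecurityInvestigationToolLink": "https://admin.google.com/PLACEHOLDER"},
    {"TimeGenerated": "2026-05-07T10:20:00Z", "AlertId": "a-2", "MetadataSeverity": "HIGH",
     "AlertType": "Suspicious login", "AlertDataType": "google.apps.alertcenter.type.SuspiciousLogin",
     "AlertData": {}, "SecurityInvestigationToolLink": ""},
    {"TimeGenerated": "2026-05-07T10:30:00Z", "AlertId": "a-3", "MetadataSeverity": "LOW",
     "AlertType": "Misconfigured whitelists report", "AlertDataType": "other",
     "AlertData": {}, "SecurityInvestigationToolLink": ""},
]

def kql_endswith(value, suffix):
    return str(value).lower().endswith(suffix.lower())  # KQL endswith is case-insensitive

def kql_has(value, phrase):
    # Approximation of KQL 'has': case-insensitive and matches whole terms only,
    # so "whitelists" does not satisfy has "whitelist".
    return re.search(r"\b" + re.escape(phrase) + r"\b", str(value), re.IGNORECASE) is not None

def kql_tostring(value):
    # tostring() of a dynamic array/object yields compact JSON; of a missing property, "".
    if value is None:
        return ""
    return value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))

def run_query(rows):
    """Apply the rule's where/extend/project steps and return the projected rows."""
    out = []
    for r in rows:
        if kql_endswith(r.get("AlertDataType", ""), "BadWhitelist") or \
           kql_has(r.get("AlertType", ""), "Misconfigured whitelist"):
            data = r.get("AlertData") or {}
            out.append({"TimeGenerated": r["TimeGenerated"], "AlertId": r["AlertId"],
                        "MetadataSeverity": r["MetadataSeverity"], "AlertType": r["AlertType"],
                        "Domains": kql_tostring(data.get("domains")),
                        "Sources": kql_tostring(data.get("sourceIp")),
                        "SecurityInvestigationToolLink": r["SecurityInvestigationToolLink"],
                        "AlertData": data})
    return out

def runs_returning(alert_iso, first_run_iso, frequency_min=30, period_h=2, n_runs=8):
    """Count scheduled runs whose lookback window (now - period, now] contains the alert."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    alert, first = parse(alert_iso), parse(first_run_iso)
    hits = 0
    for i in range(n_runs):
        now = first + i * timedelta(minutes=frequency_min)
        hits += int(now - timedelta(hours=period_h) < alert <= now)
    return hits
```

With the page's 30m frequency and 2h period the windows overlap, so a single BadWhitelist row is returned by four consecutive runs; incident grouping or deduplication on AlertId is needed if one incident per alert is the goal.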

Details

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

Gmail, Phishing, Inboxes, Allowlist, Misconfiguration, DefenseEvasion, GoogleWorkspaceAlerts, Domains, Sources, SecurityInvestigationTool, AlertData, URL

Operators

endswith, has, extend, tostring, project