GWS - Misconfigured Email Allowlist Causing Phishing Delivery
GWS Alerts Bad Whitelist
Query
GWSAlerts_CL
| where AlertDataType endswith "BadWhitelist"
or AlertType has "Misconfigured whitelist"
| extend Domains = tostring(AlertData.domains),
Sources = tostring(AlertData.sourceIp)
| project TimeGenerated, AlertId, MetadataSeverity, AlertType,
Domains, Sources, SecurityInvestigationToolLink, AlertDataExplanation
This query is designed to detect phishing emails that have reached Gmail inboxes due to a misconfigured email allowlist, which is a security oversight that needs immediate attention. Here's a simple breakdown of the query:
- Purpose: To identify and alert on phishing emails that bypass Gmail's security because of a misconfigured allowlist.
- Severity: The issue is classified as medium severity.
- Data Source: It uses data from Google Workspace alerts, specifically looking at alerts related to "BadWhitelist" or "Misconfigured whitelist."
- Frequency and Duration: The query runs every 30 minutes and looks at data from the past 2 hours.
- Trigger: An alert is triggered if there is more than 0 occurrence of the issue.
- Tactics and Techniques: The query is associated with defense evasion and initial access tactics, specifically techniques T1566.001 (Phishing) and T1562 (Impair Defenses).
- Output: The query extracts and displays information such as the time the alert was generated, alert ID, severity, alert type, affected domains, source IPs, and a link to a security investigation tool.
- Entity Mapping: It maps URLs to a security investigation tool link for further analysis.
- Incident Creation: If the query finds relevant data, it will create an incident for further investigation.
- Version and Type: This is version 1.0.0 of a scheduled query.
Overall, this query helps security teams quickly identify and respond to phishing threats caused by misconfigured email allowlists in Gmail.
Details

David Alonso
Released: May 7, 2026
Tables
GWSAlerts_CL
Keywords
GmailPhishingInboxesAllowlistMisconfigurationDefenseEvasionGoogleWorkspaceAlertsDomainsSourcesSecurityInvestigationToolAlertDataURL
Operators
endswithhasextendtostringproject
Severity
MediumTactics
DefenseEvasionInitialAccess
Frequency: 30m
Period: 2h