Query Details

GWS - Misconfigured Email Allowlist Causing Phishing Delivery

GWS Alerts Bad Whitelist

Query

GWSAlerts_CL
| where AlertDataType endswith "BadWhitelist"
     or AlertType has "Misconfigured whitelist"
| extend Domains = tostring(AlertData.domains),
         Sources = tostring(AlertData.sourceIp)
| project TimeGenerated, AlertId, MetadataSeverity, AlertType,
          Domains, Sources, SecurityInvestigationToolLink, AlertData

Explanation

This query is designed to detect phishing emails that have reached Gmail inboxes due to a misconfigured email allowlist, which is a security oversight that needs immediate attention. Here's a simple breakdown of the query:

  • Purpose: To identify and alert on phishing emails that bypass Gmail's security because of a misconfigured allowlist.
  • Severity: The issue is classified as medium severity.
  • Data Source: It uses data from Google Workspace alerts, specifically looking at alerts related to "BadWhitelist" or "Misconfigured whitelist."
  • Frequency and Duration: The query runs every 30 minutes and looks at data from the past 2 hours.
  • Trigger: An alert is triggered if there is more than 0 occurrence of the issue.
  • Tactics and Techniques: The query is associated with defense evasion and initial access tactics, specifically techniques T1566.001 (Phishing) and T1562 (Impair Defenses).
  • Output: The query extracts and displays information such as the time the alert was generated, alert ID, severity, alert type, affected domains, source IPs, and a link to a security investigation tool.
  • Entity Mapping: It maps URLs to a security investigation tool link for further analysis.
  • Incident Creation: If the query finds relevant data, it will create an incident for further investigation.
  • Version and Type: This is version 1.0.0 of a scheduled query.

Overall, this query helps security teams quickly identify and respond to phishing threats caused by misconfigured email allowlists in Gmail.

Details

David Alonso profile picture

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GmailPhishingInboxesAllowlistMisconfigurationDefenseEvasionGoogleWorkspaceAlertsDomainsSourcesSecurityInvestigationToolAlertDataURL

Operators

endswithhasextendtostringproject

Severity

Medium

Tactics

DefenseEvasionInitialAccess

MITRE Techniques

Frequency: 30m

Period: 2h

Actions

GitHub