GWS - Phishing Alert Spike Across Multiple Users
GWS Alerts Phishing Spike
Query
GWSAlerts_CL
| where Source == "Gmail phishing" or AlertDataType endswith "MailPhishing"
| extend User = tostring(AlertData.email)
| summarize Users = make_set(User, 100), AlertCount = count(),
FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
by bin(TimeGenerated, 1h)
| where array_length(Users) >= 5
| mv-expand User = Users to typeof(string)
| project TimeGenerated, FirstSeen, LastSeen, AlertCount, UserExplanation
This query is designed to detect a potential phishing campaign targeting multiple users within a Google Workspace environment. Here's a simplified breakdown:
-
Purpose: The query identifies instances where five or more distinct users receive phishing-related alerts within a one-hour period. This pattern suggests an active phishing campaign affecting the organization.
-
Severity: The alert is classified as "Medium" severity, indicating a moderate level of concern.
-
Data Source: The query relies on data from Google Workspace, specifically looking at alerts related to Gmail phishing.
-
Frequency and Period: The query runs every hour and examines data from the past hour.
-
Detection Logic:
- It filters alerts to include only those related to Gmail phishing.
- It extracts the email addresses of users who received these alerts.
- It counts the number of distinct users affected and the total number of alerts.
- It checks if five or more distinct users were affected within the same hour.
- If the condition is met, it expands the list of users and projects relevant details like the time of the alert and the number of alerts.
-
Incident Handling: If the query conditions are met, it creates an incident. The incident configuration allows for grouping related alerts and specifies that closed incidents should not be reopened.
-
Mapping: The query maps the detected users to an "Account" entity type for further analysis.
-
Techniques and Tactics: The query is associated with the "Initial Access" tactic and techniques T1566.001 and T1566.002, which relate to phishing.
Overall, this query helps security teams quickly identify and respond to potential phishing attacks targeting multiple users in a short timeframe.
Details

David Alonso
Released: May 7, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1h
Period: 1h