Regional Services Platform’s Google Workspace Hijacked; Blackpanda IR-1 Shuts It Down

PUBLISHED: December 12, 2025

A regional services platform’s Google Workspace account was hijacked to run rogue ads and delete emails. See how Blackpanda’s incident responders, activated through an IR-1 subscription, traced the intrusion, cut off access, and strengthened account security.

Summary

A regional services platform in Asia discovered that one employee’s Google Workspace account was being used to log in from overseas, spin up suspicious Google Ads campaigns, and delete Zoho-related emails. As an IR-1 subscriber, they activated Blackpanda’s incident response hotline to find out if this was the tip of a larger breach, whether data had been stolen, and how far the attacker had gone inside their environment.

Blackpanda’s incident responders traced the earliest confirmed malicious activity back to an unauthorised Android device enrolment, followed by repeated logins from VPN IPs in Japan, Taiwan and the US. The attacker abused the compromised account to authorise Zoho services, create multiple Google Ads campaigns tied to suspicious domains, and manipulate the mailbox from the hijacked Android session — while leaving the user’s Mac endpoint clean. No data exfiltration was identified in Google Takeout logs, and no malicious OAuth apps beyond the Android device were found.

Working through the client’s Google Workspace telemetry and endpoint evidence, Blackpanda confirmed the scope was limited to a single account, helped revoke the attacker’s access, and delivered clear recommendations: strengthen Google Workspace session controls, enforce DMARC on corporate domains, improve user awareness of login prompts on personal devices, and monitor for password reuse using dark-web credential findings. A cost snapshot based on a 500-endpoint IR-1 subscription showed that a comparable ad-hoc engagement (85 hours at USD 500/hour) would have been dramatically more expensive than the client’s annual IR-1 coverage. (All prices are indicative and subject to change at any time.)

Containing a Google Workspace Account Hijack at a Regional Services Platform from September to October 2025

At a glance

  • Customer: IR-1 subscriber — regional online services platform (APAC)
  • Environment: Google Workspace (Gmail, Google Ads, OAuth), Mac endpoints, Android mobile devices
  • Attack type: Single-account compromise, account abuse, malicious Google Ads creation, mailbox manipulation
  • Initial vector (assessed): Compromised credentials + unauthorised Android device registration, likely via VPN anonymisation
  • Blackpanda services: IR-1 rapid response, Google Workspace forensics, endpoint triage, dark-web credential review, security recommendations

CHALLENGE

A single hijacked account with outsized risk

The incident started with what looked like a “small” issue: one user saw suspicious login alerts and unfamiliar Google Ads activity in their Google Workspace account.

Initial internal checks revealed:

  • Repeated logins from IPs in Taiwan and Japan, inconsistent with the user’s normal location.
  • An unfamiliar Android device registered to the account.
  • A new Google Ads campaign pointing to suspicious sites hosted on Zoho Sites.

On paper this was “just one account”, but the business quickly realised the implications:

  • Was this an isolated hijack or the first sign of a wider compromise?
  • Were customer or internal data exposed via Gmail or Google Drive?
  • Were the rogue ads abusing their brand or creating financial / regulatory exposure?

As an IR-1 customer, the company triggered Blackpanda’s hotline to get answers fast — without losing days to procurement or scoping.

For readers, Blackpanda’s Google Admin security checklist provides practical controls you can apply today to your own Google Workspace admin environment.

Cloud-only, identity-driven attack

This incident lived almost entirely in the cloud:

  • The earliest confirmed suspicious event was 01 September 2025, when an unauthorised Android device was registered to the user’s Google Workspace account immediately after a login from a Japan IP.
  • That device remained active for weeks, with persistent access from a Taiwan VPN IP on 22 September, 02 October and 16 October 2025.

From those sessions, the attacker:

  • Authorised Zoho Accounts,
  • Created multiple Google Ads campaigns for suspicious Zoho Sites subdomains, and
  • Interacted with and deleted Zoho-related emails from the mailbox.

In contrast, forensic review of the user’s corporate Mac showed only:

  • Normal Gmail usage, including viewing Zoho welcome and evaluation emails.
  • A Google search for “Zoho Sites”.
  • No evidence of phishing, malicious downloads, or suspicious browsing.

So the core challenge was clear: the endpoint was clean, the identity was not.

For organisations dealing with similar alerts, Google’s own guidance on investigating suspicious account activity is a useful first reference.

Unknown data exposure and widespread leaked credentials

Data and identity exposure were top of mind:

  • Google Takeout logs showed no evidence of bulk data exports from the account, and no malicious OAuth apps beyond the rogue Android device.

However, Blackpanda’s dark-web review found numerous leaked credentials for email addresses on the client’s domains in combolists and stealer logs over the previous 18–24 months.

While no direct link to this specific account could be proven, it highlighted a systemic risk: password reuse and credential stuffing against cloud identities.

Separately, logs revealed Zoho submitting DMARC aggregate reports for the client’s primary domains. DNS checks confirmed that DMARC policies were not set to “quarantine” or “reject”, making it easier for spoofed emails to pass and harder to enforce strong email authentication.
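The DNS check described above can be scripted. The example below is added here and is not Blackpanda’s tooling: it parses a DMARC TXT record (the one published at `_dmarc.<domain>`) and reports whether the policy actually blocks spoofed mail, i.e. whether `p=` is `quarantine` or `reject`, applied to the full mail stream, with no weaker subdomain fallback. The two records at the bottom are constructed samples standing in for the monitor-only state found during the engagement and a hardened replacement; the domain and mailbox names are placeholders.

```python
"""Assess whether a DMARC record is in enforcement mode.

Added example, not Blackpanda's code. The records at the bottom are constructed
samples; in a real check the TXT record is read from _dmarc.<domain>.
"""
from __future__ import annotations

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dictionary."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str | None) -> tuple[bool, str]:
    """Return (enforced, reason).

    Enforced means p=quarantine or p=reject, applied to 100% of mail (pct),
    and not undermined by a weaker subdomain policy (sp).
    """
    if not txt:
        return False, "no DMARC record published"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "record does not start with v=DMARC1"
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        shown = policy or "missing"
        return False, f"p={shown}: spoofed mail is only monitored, not blocked"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return False, f"pct={pct}: policy applied to only part of the mail stream"
    sub = tags.get("sp", policy).lower()
    if sub not in ENFORCING:
        return False, f"sp={sub}: subdomains fall back to a weaker policy"
    if "rua" not in tags:
        return True, f"p={policy} enforced, but no rua= address, so aggregate reports are lost"
    return True, f"p={policy} enforced with aggregate reporting"


# Constructed samples (placeholder domain): a monitor-only record and a hardened one.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED = ("v=DMARC1; p=reject; sp=reject; pct=100; "
            "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; adkim=s; aspf=s")

if __name__ == "__main__":
    for record in (None, MONITOR_ONLY, HARDENED):
        enforced, reason = assess_dmarc(record)
        print("ENFORCED" if enforced else "WEAK    ", reason)
```

The check deliberately treats `pct` below 100 and a lax `sp=` as failures: both are common ways a domain that appears to have `p=reject` still lets spoofed mail through. Moving from `p=none` straight to `p=reject` can bounce legitimate mail from senders that are not yet in SPF/DKIM, so the usual path is to read the aggregate reports (`rua=`) first, then step through `quarantine` to `reject`.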

Leadership needed to know:

  • Was this a targeted attack or opportunistic abuse?
  • Did the attacker get beyond this one Google Workspace account?
  • What concrete steps would prevent a repeat across other users?

For background on why DMARC matters, see this neutral overview of DMARC email authentication.

SOLUTION

1. IR-1 activation and rapid triage

Because the client was on Blackpanda IR-1, they did not need a new SOW in the middle of an incident. On 27 October 2025, they activated the hotline and Blackpanda initiated a focused investigation.

Initial actions:

  • Scoped the incident to the affected Google Workspace account while checking for similar activity across other users.
  • Pulled Google Workspace security logs (logins, device registrations, OAuth, Google Ads changes) for that user.
  • Collected Gmail interaction records tied to the unauthorised Android session, focusing on Zoho-related emails and deletion activity.
  • Performed a forensic triage of the user’s Mac, ruling out endpoint compromise (no malware, no suspicious browser artefacts, no malicious OAuth grants).

This confirmed the incident was identity-centric, not a host-based compromise.

Teams interested in similar investigative work can learn more about Blackpanda’s digital forensics services.

2. Reconstructing the attack path inside Google Workspace

Using Google logs and device records, Blackpanda built a clear timeline:

Initial entry — 01 September 2025

  • Login from a Japan IP.
  • Immediate registration of an unknown Android device to the account using password + device prompt.
  • Likely scenario: compromised credentials plus a user-approved (or hijacked) device prompt.

Persistence via Android and VPN IPs

  • Recurrent logins from a Taiwan VPN IP and another IP in the US.
  • The Android device maintained an active session throughout September and October.

Abuse of Google services (02–09 October 2025)

  • OAuth authorisation to Zoho Accounts.
  • Creation of Google Ads campaigns pointing to multiple suspicious Zoho Sites subdomains.
  • Gmail logs showing the Android session reading and deleting Zoho-related emails, including welcome and evaluation messages.

Containment — 16 October 2025

  • The unauthorised Android device was removed and blocked.
  • After revocation, suspicious logins and mailbox activity stopped, indicating that cutting off that device severed attacker access.

No evidence indicated lateral movement into other user accounts or systems.

3. Validating data-theft and financial-misuse risk

To tackle concerns around data theft and financial misuse:

  • Google Takeout logs were reviewed for signs of bulk export; none were found.
  • OAuth grants were examined; aside from Android enrolment and Zoho authorisation, no suspicious third-party apps were discovered.
  • Gmail logs distinguished actions from the attacker-controlled Android device versus normal user actions on the Mac.

Blackpanda concluded:

  • The attacker focused on account abuse for advertising / potential ad-fraud or phishing infrastructure, not mass data theft.
  • There was no evidence of Google Drive exports, Takeout data pulls, or large-scale mailbox downloads.
  • No other accounts exhibited similar patterns, reducing the likelihood of a broader compromise.

4. Dark-web credential review and root-cause assessment

Blackpanda correlated the account compromise with known dark-web credential leaks involving the client’s domains. Over the past 18–24 months, multiple corporate addresses and passwords had appeared in various stealer logs, though none could be conclusively tied to this user.

A realistic root-cause hypothesis emerged:

  • Attackers likely obtained valid credentials via credential stuffing or reuse of leaked passwords.
  • Using those credentials, they logged in from foreign IPs, successfully passed MFA once (via device prompt), and established persistent access via the Android device.

Blackpanda communicated this as a probable root cause, stressing that leaked credential exposure must be treated as an ongoing strategic risk for all cloud identities.

For readers who want to go deeper, OWASP provides a good primer on credential stuffing attacks.

5. Concrete containment and hardening steps

Together with the client, Blackpanda implemented and recommended:

Immediate containment

  • Forced password reset for the compromised account.
  • Blocked and remotely wiped the suspicious Android device.

People

  • Targeted security awareness training for staff on:
    • Unusual login prompts and device approvals,
    • Risks of adding corporate accounts to unmanaged personal devices,
    • Safe usage of third-party SaaS integrations such as Zoho.

Process

  • Stronger account and session-management policies in Google Workspace:
    • Approval workflows for new device registrations.
    • Alerts and reviews for high-risk sign-ins (foreign IPs, VPNs, impossible travel).
    • Regular compromise assessments and dark-web credential monitoring for corporate domains.

Technology

  • Implementing DMARC enforcement (quarantine / reject) on primary domains, supported by Blackpanda’s educational guide on SPF, DKIM and DMARC.
  • Reviewing and restricting where corporate Google accounts can be used (for example, requiring managed / MDM-enrolled devices for high-risk roles).

To see how Blackpanda uses darknet scanning as part of incident response, read how Blackpanda deploys darknet scanning in IR.

RESULTS

1. Confirmed: a contained, single-account incident

Blackpanda’s investigation gave the client a clear answer: the incident was limited to one Google Workspace account and one attacker-controlled Android device, with no evidence of spread to other users or systems.

This delivered:

  • Reassurance for leadership that this was not a network-wide compromise.
  • An authoritative narrative for internal audits, partners and regulators.
  • Avoidance of unnecessary, costly over-reactions such as mass account resets or service shutdowns.

2. Faster resolution thanks to IR-1

Because the customer was on IR-1:

  • Response began immediately after suspicious activity was reported — no procurement dead time.
  • The engagement followed a pre-agreed playbook and SLA, with clear expectations on timing and deliverables.
  • Internal teams could stay focused on operations while Blackpanda handled log analysis, forensics and risk assessment.

Fewer days of uncertainty, and a faster return to normal.

3. Evidence-based view of data and financial risk

Instead of guessing about potential damage, the client received a balanced, evidence-based view:

  • No evidence of data exfiltration via Google Takeout or large-scale exports.
  • Abuse focused on Google Ads and Zoho integrations, with no sign of wider financial fraud or misuse of additional accounts.
  • Clear mapping of which emails and actions originated from the hijacked Android session.

This allowed the company to calibrate external communications and incident reporting to what actually occurred.

4. Stronger identity and email posture

The engagement left the services platform with a focused improvement roadmap:

  • Tighter Google Workspace device and session controls.
  • Plans to enforce DMARC (quarantine / reject) on core domains.
  • Increased employee awareness about login prompts, device enrolments and corporate-on-personal device risks.
  • Use of dark-web credential monitoring as a standing input into identity-security decisions.

A relatively small incident became the trigger for a broader uplift in identity and email security.

5. Demonstrated value of IR-1 — cost-efficiency snapshot

Beyond technical outcomes, this incident also highlighted the economic value of IR-1.

  • The client held a 500-endpoint IR-1 subscription.
  • At an indicative IR-1 price of USD 15 per endpoint per year, their annual subscription cost was roughly:
    • 500 endpoints × USD 15 = USD 7,500.
  • The incident required around 85 hours of incident response work. At a reference ad-hoc IR rate of USD 500 / hour, a similar one-off engagement would cost approximately:
    • 85 hours × USD 500 = USD 42,500.

Under this simple comparison, a single 85-hour incident could have cost the client about USD 42,500 on a traditional hourly basis — over five times their annual IR-1 subscription for 500 endpoints. That implies an illustrative saving of roughly USD 35,000 (about 80% less spend) versus a comparable ad-hoc engagement, before even accounting for additional readiness benefits.

All pricing figures above are indicative examples only and are subject to change at any time.

To explore subscription tiers and pricing, visit Blackpanda’s incident response subscription plans.

6. IR-1 for cloud-first incidents

This case underscores that:

  • Not every serious incident involves ransomware or on-prem malware; cloud identity events can be just as risky.
  • An IR-1 subscription means your team can activate specialists immediately, gain clarity fast, and avoid the paralysis that comes with “something weird” in logs but no clear plan.

If you suspect a live incident today, you can report a cyber incident or talk to us about IR-1 coverage for your organisation.

FAQ: Google Workspace Account Hijacks and IR-1

Q1. How did the attacker gain access to the Google Workspace account?

While the exact credential source could not be conclusively proven, evidence shows the attacker used valid credentials from foreign IPs, then enrolled an unauthorised Android device and used it for ongoing access. Combined with extensive leaked credentials for the client’s domains on the dark web, the most likely scenario is credential reuse or credential stuffing plus a successfully approved device prompt.

Q2. Was any data exfiltrated from Gmail or Google Drive?

Blackpanda reviewed Google Takeout logs and found no evidence of bulk exports or large-scale data downloads. Gmail and OAuth records showed no malicious third-party apps beyond Zoho authorisation and the Android enrolment. The attacker appears to have focused on running ads and manipulating specific emails, not mass data theft.

Q3. Why did the attacker delete Zoho-related emails from the mailbox?

Gmail interaction logs showed that Zoho-related emails, including welcome and evaluation messages, were deleted by the attacker-controlled Android session shortly after being received. This is consistent with an attempt to hide sign-up and usage trails for Zoho Sites and Google Ads, making the activity less obvious to the legitimate user.

Q4. How did Blackpanda confirm the Mac endpoint was not compromised?

Blackpanda performed a forensic review of the user’s Mac, examining browser history, downloads, email interaction and local artefacts. The findings showed only legitimate email viewing and a Google search for “Zoho Sites”, with no phishing artefacts, suspicious downloads or malicious browsing, indicating that the attack was confined to the cloud account and unauthorised Android device.

Q5. What were the key security improvements recommended after the incident?

Key recommendations included:

  • Enforcing DMARC (quarantine / reject) on corporate domains.
  • Tightening Google Workspace device and session controls, including alerts and approvals for new device registrations and high-risk logins.
  • Providing security awareness training on MFA prompts and personal-device risks.
  • Implementing dark-web credential monitoring and regular compromise assessments.

What this means for you

If your organisation runs on Google Workspace, a single compromised account can be enough to expose customer communications, spend ad budgets, and damage your brand — without any malware ever touching a laptop.

Blackpanda’s IR-1 service is designed for exactly these moments: rapid, expert triage; clear answers on scope and impact; and a practical roadmap to harden your cloud environment — while keeping overall incident-response costs predictable and tightly controlled.

To discuss how IR-1 can protect your organisation, start an IR-1 enquiry or contact our team.