We recently had a situation at JupiterOne which triggered curiosity in members of our security team. A Google Group, used as a distribution list, had a surprise member. Who needs coffee when you can use such surprises to heighten your awareness levels?
That surprise member was visible only in the Direct and Indirect Members tab, but was clearly identified as a Direct member. On top of that, the suspicious user was an external account, such as firstname.lastname@example.org. Note that the line on which the user is listed is grey.
As the group was configured to never accept external members, this was quite concerning.
Did someone find a way to trick Google Groups into adding them to internal groups? Are our groups not configured properly? All of these questions were racing through our heads.
First, using the JupiterOne Google Workspace integration, we searched for any group that would have our suspicious coyote as a member. No results were found, not even the group which we visually confirmed as supposedly having that member. At this point, we were starting to feel like the odds of this being a misunderstanding or a bug were much higher than the odds of this being a security issue.
Then, to be safe, we identified every group that allows external members using this query. It only returned groups for which this is allowed by design, showing we didn’t have a problem with rampant group misconfigurations.
From that moment, it seemed clear that the suspicious canine was not a true member, and did not have access to the group, but why was it listed as a member?
After contacting Google Support and replicating the issue reliably on our side, we have confirmed that banning a sender from a Google group will cause them to show up in the Direct and Indirect Members tab. The only hint to them not being a real member is the fact that the line they’re on is gray in the UI.
So if you see a surprise member in one of your groups:
- Check what color the line the member is listed on is (a grey line is the only visual hint that this is a banned sender rather than a real member).
- Confirm your group configuration does not allow external members.
- Check that this email address is not present in your graph as a member of any google_group.
If all of the above checks out, you have simply received a free jolt of adrenaline caused by a scary user interface, but you have learned a bit more about how you can use JupiterOne to track Google Groups. Why not set an alert for groups that allow external members while we’re at it?
Create an alert using the following query, replacing exclusions with email addresses of groups that allow external members by design:
You will now be alerted when unexpected groups have this setting configured to the riskier mode.
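The three triage checks above and the alert rule can be expressed as plain code over group data. The following is an added example written for this post, not JupiterOne's integration, query language or Google's own code. The data is constructed: `INTERNAL_DOMAIN`, the `Group` records and the `SAMPLE_GROUPS` list are assumptions, and `parse_allow_external` assumes the Google Groups Settings API shape in which `allowExternalMembers` is the string `"true"` or `"false"`. The alert helper also generalises the post's single query by taking an arbitrary exclusion list of groups that allow external members by design.

```python
"""Triage a 'surprise member' in a Google Group and flag groups that allow
external members.

Added example for this post; not JupiterOne's code or J1QL. All data is
constructed for illustration."""

from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # constructed: the organisation's own domain


@dataclass
class Group:
    email: str
    allow_external_members: bool
    # Real, current members (what a membership listing or the graph holds).
    # Banned senders are NOT in this list; they only show up in the UI tab.
    members: list = field(default_factory=list)


def parse_allow_external(settings: dict) -> bool:
    """Assumption: Groups Settings API returns allowExternalMembers as a
    string "true"/"false"; normalise it to a bool."""
    return str(settings.get("allowExternalMembers", "false")).lower() == "true"


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def groups_containing(groups, email: str):
    """Check 3: is this address actually a member of any group in the data?"""
    wanted = email.lower()
    return sorted(g.email for g in groups
                  if any(m.lower() == wanted for m in g.members))


def triage_surprise_member(groups, group_email, member_email, row_is_gray):
    """Checks 1-3 from the post, combined into one verdict."""
    group = next((g for g in groups if g.email == group_email), None)
    if group is None:
        raise ValueError(f"unknown group {group_email}")

    external = domain_of(member_email) != INTERNAL_DOMAIN
    member_of = groups_containing(groups, member_email)

    if group_email in member_of:
        if external and not group.allow_external_members:
            # A real external member in a group that forbids them is the
            # case that actually warrants investigation.
            verdict = "real external member in a group that forbids them: investigate"
        else:
            verdict = "real member"
    elif row_is_gray:
        # Grey row + absent from membership data = banned sender artefact.
        verdict = "banned sender shown in UI, not a member"
    else:
        verdict = "not in membership data and row not grey: investigate"

    return {
        "verdict": verdict,
        "external": external,
        "group_allows_external": group.allow_external_members,
        "member_of": member_of,
    }


def groups_allowing_external(groups, exclusions=()):
    """Alert logic: groups that allow external members, minus those allowed
    by design (the exclusions the post tells you to fill in)."""
    excluded = {e.lower() for e in exclusions}
    return sorted(g.email for g in groups
                  if g.allow_external_members and g.email.lower() not in excluded)


# Constructed sample data mimicking a small organisation.
SAMPLE_GROUPS = [
    Group("engineering@example.com", False, ["alice@example.com", "bob@example.com"]),
    Group("support@example.com", True, ["carol@example.com", "vendor@partner-example.net"]),
    Group("alerts@example.com", True, ["dave@example.com"]),
]

if __name__ == "__main__":
    # The scenario from the post: external address, grey row, group forbids externals.
    print(triage_surprise_member(SAMPLE_GROUPS, "engineering@example.com",
                                 "firstname.lastname@example.org", row_is_gray=True))
    # The alert: support@ allows external members by design, alerts@ does not.
    print(groups_allowing_external(SAMPLE_GROUPS, exclusions=["support@example.com"]))
```

Feeding real data into this means replacing `SAMPLE_GROUPS` with group settings and membership pulled from your directory or graph; the verdict logic stays the same, and the one branch worth paging someone for is the real external member in a group whose settings forbid them.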
I hope this blog post has helped you learn a thing or two about Google Groups and JupiterOne, including our integration for Google Workspace.
If you came here Googling for how a random external account could show up on one of your groups, your stress level should have significantly dropped after realizing that you probably do not have a security incident to deal with.