Since 2012, Google has been alerting individual Google account users if it suspects their account has been targeted by government-backed attackers using any number of phishing- or malware-based methods (malicious attachments, scripts embedded in files, dodgy links). This August update now offers these alerts to G Suite administrators as well so they can take action to protect their users.
In the case of suspected government-backed activity on an organization’s G Suite account, an email alert would go directly to the G Suite super admins – not the user. From there, the admins can choose what to do with that information: bolster security on that user’s account, share the information with other team members, and/or warn the user directly.
Google notes that “less than 0.1% of all Gmail users” receive a notification of potential government-backed attacks on their accounts, and the notification is not sent in real time. Google also takes pains to note that:
- Their suspicion of an attack could very well be a false alarm.
- Google will not name the specific methods they’ve detected that could be triggering the alarm.
- Google will not attempt to attribute the attack to any party, government or nation.
In any case, since the notifications are light on details and aren’t sent in real time, users and admins alike may be left scratching their heads wondering what exactly triggered this warning. This could be frustrating for G Suite administrators who might want this information to understand what kinds of targeted attacks are coming their organization’s way. However, Google argues that the end result is the same regardless of whether you’re a user or an admin: take additional precautions to secure user accounts.
So what should you do if you are one of the extremely small percentage of users or admins who encounter this warning? After resetting the password, if you haven’t yet enabled two-factor authentication, it’s a very good next step to take.
Both individual and G Suite users can also opt to enroll in Google’s free Advanced Protection program, which offers above-and-beyond protections for users who might be frequent targets of government ire or potential meddling, like political candidates, reporters or activists. (To give you an idea of how this works, Advanced Protection has these users start with buying two physical security keys as a replacement for more standard 2FA tokens.)
Any admins wishing to enable this alert should log in to their G Suite console, click Reports, then Manage Alerts, and enable the “Government-backed attack” option, which is off by default. Google notes that this feature is rolling out to all G Suite admins over a 15-day period starting on 1 August, so if you don’t see the option just yet, it should be available soon.