When 30 Google Workspace accounts picked up hidden email aliases overnight.
A persistence-by-alias pattern that hides in plain sight in the Google Workspace admin console, and the Admin SDK Apps Script that cleaned it up in under a minute.
Draft — coming soon.
Incident response notes for a Google Workspace tenant where roughly thirty user accounts turned up with unauthorized secondary email addresses added to their profiles. The addresses weren’t visible in the default admin-console user view — you had to click into each account individually to see them, which is exactly how an attacker would want it.
This post walks through detection (what tipped us off), containment (why you don’t just delete the aliases immediately), the Admin SDK Apps Script that audited and scrubbed every account in one pass, and the monitoring change that would have caught it a week earlier.
Fully anonymized. No client, no tenant, no individual identifiable.
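A report-only audit of the kind described above, as an added example that is not the script from this post: it takes user resources shaped like the Admin SDK Directory API `users.list` output and flags any non-primary address that is missing from an approved baseline, changing nothing. The baseline map, the sample users and the function names are constructed for illustration.

```javascript
// Added example: report-only audit over Directory API user resources.
// BASELINE and SAMPLE_USERS are constructed for illustration.

// Approved aliases per primary address (assumption: kept from a known-good export).
const BASELINE = {
  "alice@example.com": ["a.smith@example.com"],
  "bob@example.com": [],
};

// Constructed sample shaped like users.list output (primaryEmail, aliases, emails).
const SAMPLE_USERS = [
  { primaryEmail: "alice@example.com", aliases: ["a.smith@example.com"],
    emails: [{ address: "alice@example.com", primary: true },
             { address: "a.smith@example.com" }] },
  { primaryEmail: "bob@example.com", aliases: ["Billing-Fwd@example.com"],
    emails: [{ address: "bob@example.com", primary: true },
             { address: "billing-fwd@example.com" },
             { address: "bob.home@example.net", type: "home" }] },
  { primaryEmail: "carol@example.com" }, // no aliases field at all
];

// Addresses are compared case-insensitively.
const norm = (s) => String(s).trim().toLowerCase();

// Collect every non-primary address on a user resource, deduplicated and sorted.
function secondaryAddresses(user) {
  const primary = norm(user.primaryEmail);
  const found = new Set((user.aliases || []).map(norm));
  for (const e of user.emails || []) {
    if (e && e.address && norm(e.address) !== primary) found.add(norm(e.address));
  }
  return [...found].sort();
}

// Return one finding per user that carries an address missing from the baseline.
function auditAliases(users, baseline) {
  const findings = [];
  for (const user of users) {
    const key = norm(user.primaryEmail);
    const approved = new Set((baseline[key] || []).map(norm));
    const unexpected = secondaryAddresses(user).filter((a) => !approved.has(a));
    if (unexpected.length) findings.push({ user: key, unexpected });
  }
  return findings;
}

console.log(JSON.stringify(auditAliases(SAMPLE_USERS, BASELINE), null, 2));
```

In Apps Script the `users` array would come from paging through `AdminDirectory.Users.list` with the Admin SDK Directory advanced service enabled; the findings are meant to be reviewed before anything is removed.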