# Automating Response to Unauthorized Email Forwarding Activity in Google Workspace

By [Arik Day](https://www.paloaltonetworks.com/blog/author/arik-day/?ts=markdown "Posts by Arik Day") | Jan 28, 2025 | 4 minutes

[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) | [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)
## Introduction

The [Cortex XSIAM Response and Remediation Pack](https://cortex.marketplace.pan.dev/marketplace/details/CortexResponseAndRemediation/) is essential to modern security operations centers (SOCs). It enables organizations to proactively address security alerts and automate response actions in alignment with the vision of an autonomous SOC. This blog introduces the playbook **"A mail forwarding rule was configured in Google Workspace"**, designed to address the risks associated with unauthorized email forwarding configurations.

## Threat Overview

Attackers can exploit email forwarding rules to siphon sensitive information from corporate email accounts to unauthorized destinations. These rules, especially when configured to forward emails to uncommon or suspicious domains, represent a significant security threat. Beyond data exfiltration, attackers may use email forwarding rules as a command-and-control (C2) mechanism to issue instructions or maintain persistent access to compromised accounts. Such activity may signal account compromise or an insider threat and requires swift investigation and remediation. Detecting and neutralizing these configurations is crucial to preserving organizational data integrity and preventing unauthorized access to sensitive information.
## Purpose of the Playbook

The **"A mail forwarding rule was configured in Google Workspace"** playbook is designed to:

* Investigate alerts related to the configuration of email forwarding rules.
* Identify potential malicious intent by analyzing caller IPs, forwarding domains, and rule configurations.
* Automate and guide response actions to contain and remediate threats.

This playbook is a vital resource for SOC teams, equipping them with the tools to address email forwarding-related incidents efficiently and swiftly. It ensures thorough oversight and documentation, enabling teams to maintain control and respond effectively to potential threats.

### Alerts Addressed by the Playbook

This playbook addresses the following alerts:

* **"A mail forwarding rule was configured in Google Workspace."**
* **"A mail forwarding rule was configured in Google Workspace to an uncommon domain."**

## Stages of the Playbook

The **"A mail forwarding rule was configured in Google Workspace"** playbook follows these stages:

**Triage:**

* Retrieves the caller's IP address, the forwarding email address, and the filters associated with the forwarding address.

![Fig 1: Sequence in playbook showing data extraction and enrichment](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333239-1-1.png)

Fig 1: Sequence in playbook showing data extraction and enrichment

**Early Containment:**

* Checks whether the IP address or the domain of the forwarding email address is malicious.
* Suggests blocking the IP address using PAN-OS while the investigation continues.

![Fig 2: Playbook sequence showing early containment action blocking malicious IP](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333239-2-1.png)

Fig 2: Playbook sequence showing early containment action blocking malicious IP

**Investigation:**

* Verifies whether the rule was created outside working hours or from an unusual geolocation.
* Extracts suspicious keywords from the forwarding rule filters.
* Aggregates all evidence collected during the investigation.

![Fig 3: Playbook sequence showing automated investigation actions](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333239-3-1.png)

Fig 3: Playbook sequence showing automated investigation actions

**Containment:**

* If a single piece of suspicious evidence is found, the playbook executes soft response actions, including:
  * Signing the user out of Google Workspace.
  * Deleting the forwarding email address from the user's mailbox. Because the forwarding address is deleted, the forwarding rule filters associated with it are removed as well.
  * Notifying the user by email of the actions taken.
* If multiple pieces of suspicious evidence are found, the playbook combines the soft response actions with hard response actions, recommending suspension of the user account. The list of detected evidence is presented to the analyst in the hard response data collection task.

![Fig 4: Playbook sequence showing containment actions](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333239-4-1.png)

Fig 4: Playbook sequence showing containment actions

## Security Challenges Addressed

This playbook addresses key challenges in managing email forwarding rule configurations:

* **Swift Detection:** Quickly identifies potentially malicious email forwarding rules.
* **Automated Containment:** Provides rapid response actions to neutralize threats.
* **Comprehensive Investigation:** Aggregates evidence and provides context to inform decisions.
* **Flexible Remediation:** Balances automated actions with analyst input, so that the hard response actions remain an analyst decision.

## Conclusion

Unauthorized email forwarding rules pose a significant security risk that requires immediate attention.
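The investigation and containment stages described above, as an added worked example in Python that is not the playbook's own code nor Palo Alto Networks' code: it runs the same checks (rule created outside working hours, caller IP from an unusual geolocation, malicious caller IP or forwarding domain, suspicious keywords in the filter criteria) over a constructed Workspace audit event, aggregates the evidence, and maps the amount of evidence to the soft or hard response tier. The audit event, the IP-to-country table, the threat-intelligence sets, the corporate domain list, the keyword list and the office time zone offset are all constructed assumptions; a real playbook would take them from the Workspace audit log and its enrichment integrations.

```python
"""Investigation and containment logic for a Workspace mail-forwarding alert.

Added example, not the Cortex playbook's own code. Every input below is
constructed: the audit event, the GeoIP table, the threat-intel sets, the
corporate domain list and the office UTC offset are placeholders that a real
playbook would populate from the Workspace audit log and its integrations.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone

# Constructed reference data (assumptions, not real indicators).
CORPORATE_DOMAINS = {"example.com"}
MALICIOUS_IPS = {"203.0.113.77"}                 # RFC 5737 TEST-NET-3 address
MALICIOUS_DOMAINS = {"bad-example.net"}
IP_COUNTRY = {"203.0.113.77": "XX", "198.51.100.5": "US"}  # stand-in GeoIP lookup
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "password", "confidential", "bank"}
WORK_START, WORK_END = time(8, 0), time(18, 0)   # office hours, local time
OFFICE_TZ = timezone(timedelta(hours=-5))        # assumed office offset (UTC-5)

SOFT_ACTIONS = [
    "sign the user out of Google Workspace",
    "delete the forwarding address (its filters are removed with it)",
    "notify the user by email of the actions taken",
]
HARD_ACTIONS = ["recommend suspending the user account (analyst decision)"]


@dataclass
class ForwardingEvent:
    """Fields the playbook extracts from the forwarding-rule audit event."""
    user: str
    caller_ip: str
    created_at: datetime           # timezone-aware creation time
    forwarding_address: str
    filter_criteria: dict          # e.g. {"subject": "invoice", "from": "cfo@..."}
    usual_countries: set = field(default_factory=set)


def investigate(event: ForwardingEvent) -> list:
    """Run the playbook's checks and return the evidence they produce."""
    evidence = []

    # Outside working hours: weekend, or outside 08:00-18:00 office local time.
    local = event.created_at.astimezone(OFFICE_TZ)
    if local.weekday() >= 5 or not (WORK_START <= local.time() <= WORK_END):
        evidence.append(f"rule created outside working hours ({local.isoformat()})")

    # Unusual geolocation: caller country not among the user's usual countries.
    country = IP_COUNTRY.get(event.caller_ip, "unknown")
    if country not in event.usual_countries:
        evidence.append(f"caller IP {event.caller_ip} geolocates to unusual country {country}")

    # Reputation of the caller IP and of the forwarding domain.
    if event.caller_ip in MALICIOUS_IPS:
        evidence.append(f"caller IP {event.caller_ip} is flagged as malicious")
    domain = event.forwarding_address.rsplit("@", 1)[-1].lower()
    if domain in MALICIOUS_DOMAINS:
        evidence.append(f"forwarding domain {domain} is flagged as malicious")
    elif domain not in CORPORATE_DOMAINS:
        evidence.append(f"forwarding domain {domain} is uncommon for this organization")

    # Suspicious keywords anywhere in the rule's filter criteria.
    text = " ".join(str(v) for v in event.filter_criteria.values()).lower()
    hits = sorted(kw for kw in SUSPICIOUS_KEYWORDS if kw in text)
    if hits:
        evidence.append("filter criteria contain suspicious keywords: " + ", ".join(hits))
    return evidence


def decide_response(evidence: list) -> dict:
    """Map the amount of evidence to the playbook's response tier."""
    if not evidence:
        return {"tier": "none", "actions": [], "evidence": []}
    if len(evidence) == 1:
        return {"tier": "soft", "actions": SOFT_ACTIONS, "evidence": evidence}
    # Multiple findings: soft actions plus the hard action for analyst review.
    return {"tier": "hard", "actions": SOFT_ACTIONS + HARD_ACTIONS, "evidence": evidence}


# Constructed audit event: rule created on a Saturday night (office time) from a
# flagged IP, forwarding to a flagged domain with finance-themed filter criteria.
SUSPICIOUS_EVENT = ForwardingEvent(
    user="alice@example.com",
    caller_ip="203.0.113.77",
    created_at=datetime(2025, 1, 26, 3, 14, tzinfo=timezone.utc),
    forwarding_address="alice.backup@bad-example.net",
    filter_criteria={"subject": "Invoice OR wire transfer", "from": "finance@example.com"},
    usual_countries={"US"},
)

# Constructed benign event: weekday office hours, usual country, corporate target.
BENIGN_EVENT = ForwardingEvent(
    user="bob@example.com",
    caller_ip="198.51.100.5",
    created_at=datetime(2025, 1, 28, 15, 0, tzinfo=timezone.utc),
    forwarding_address="bob.archive@example.com",
    filter_criteria={"from": "newsletter@vendor.example"},
    usual_countries={"US"},
)

if __name__ == "__main__":
    for ev in (SUSPICIOUS_EVENT, BENIGN_EVENT):
        decision = decide_response(investigate(ev))
        print(ev.user, "->", decision["tier"])
        for item in decision["evidence"]:
            print("  evidence:", item)
```

Each check contributes one evidence string, so the response tier follows directly from how many independent signals fired: the constructed suspicious event trips all five and lands in the hard tier, the benign event trips none. Keeping the hard action as a recommendation rather than an automatic suspension mirrors the data collection step the playbook places before account suspension.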
The **"A mail forwarding rule was configured in Google Workspace"** playbook is a powerful tool that enables SOC teams to detect, investigate, and remediate these threats efficiently. By leveraging the Cortex XSIAM Response and Remediation Pack, organizations can significantly enhance their incident response capabilities and protect their critical email communications.

## Learn More

Discover more about the Cortex XSIAM Response and Remediation Pack and its playbooks on the [Cortex Marketplace](https://cortex.marketplace.pan.dev/marketplace/details/CortexResponseAndRemediation/).