Google Workspace flaw allowed cybercriminals to impersonate domains

Google claims it has since fixed the problem.

Cybercriminals recently bypassed the email verification step in the account creation flow for Email Verified (EV) Google Workspace accounts, according to a recent Google security notice.

To exploit this flaw, attackers used a specially crafted request during account setup. The flaw let them create accounts on domains they did not control, such as info@example.com, without proving ownership of the mailbox, enabling them to impersonate legitimate domain owners.

Anu Yamunan, Director of Abuse and Safety Protections at Google Workspace, told KrebsOnSecurity:

The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on.

Google claims it fixed the problem within 72 hours of discovery and has added detection to catch these types of authentication bypasses going forward.
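The quote above describes the general shape of the bug: a verification token is requested for one address and then redeemed to verify an account registered under a different address. The following added example (constructed for this article, not Google's code, and making no claim about how Workspace is implemented) shows a verification flow with that defect beside a hardened version that binds the token to the account being verified with an HMAC. Account and mailbox addresses, the signing key and the class names are all made up for the illustration.

```python
"""Email-verification binding: vulnerable flow beside a hardened one.

Constructed illustration (not Google's code) of the bug class described in
the article: a token is mailed to one address and redeemed to verify an
account that was registered under a different address.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical server-side signing key; in production this lives in a secret store.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Account:
    email: str
    verified: bool = False


class VulnerableVerifier:
    """Token is a bare random nonce, and verify() never checks which
    address the token was actually mailed to."""

    def __init__(self):
        self.accounts = {}   # account email -> Account being created
        self.pending = {}    # outstanding token -> mailbox it was sent to

    def start_signup(self, account_email):
        self.accounts[account_email] = Account(account_email)

    def send_token(self, mailbox):
        token = secrets.token_urlsafe(16)
        self.pending[token] = mailbox          # simulated "send mail"
        return token

    def verify(self, account_email, token):
        # BUG: any outstanding token verifies any account. The mailbox the
        # token went to is recorded but never compared with account_email.
        if token not in self.pending:
            return False
        del self.pending[token]
        self.accounts[account_email].verified = True
        return True


class HardenedVerifier(VulnerableVerifier):
    """Token carries an HMAC over (nonce, mailbox); verify() recomputes it
    over the account actually being verified, so a token issued for another
    address cannot be redeemed here."""

    @staticmethod
    def _tag(nonce, email):
        msg = f"{nonce}|{email.lower()}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def send_token(self, mailbox):
        nonce = secrets.token_urlsafe(16)      # urlsafe alphabet never contains "."
        token = f"{nonce}.{self._tag(nonce, mailbox)}"
        self.pending[token] = mailbox
        return token

    def verify(self, account_email, token):
        if token not in self.pending:
            return False
        nonce, _, tag = token.partition(".")
        # Binding check: the tag only matches if the token was issued for
        # exactly this account's address. Constant-time compare.
        if not hmac.compare_digest(tag, self._tag(nonce, account_email)):
            return False
        del self.pending[token]                # single use
        self.accounts[account_email].verified = True
        return True


def run_cross_address_attack(verifier):
    """Register info@example.com but have the token mailed to an attacker
    mailbox (both addresses constructed). Returns whether verification passed."""
    victim = "info@example.com"
    attacker_mailbox = "attacker@evil.example"
    verifier.start_signup(victim)
    token = verifier.send_token(attacker_mailbox)
    return verifier.verify(victim, token)


def run_legitimate_flow(verifier):
    """Owner registers and verifies with the same address; must still succeed."""
    owner = "admin@example.com"
    verifier.start_signup(owner)
    token = verifier.send_token(owner)
    return verifier.verify(owner, token)


if __name__ == "__main__":
    print("vulnerable, cross-address:", run_cross_address_attack(VulnerableVerifier()))
    print("hardened,   cross-address:", run_cross_address_attack(HardenedVerifier()))
    print("hardened,   legitimate:   ", run_legitimate_flow(HardenedVerifier()))
```

The fix is not the HMAC as such; storing the mailbox server-side and comparing it with the account email at redemption time would close the same hole. What matters is that the redemption step checks the token against the identity it is about to mark verified, rather than only checking that some valid token exists.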

Some services let visitors sign in with their Google, Twitter, LinkedIn, or Microsoft credentials instead of a separate password. This is generally not advisable: criminals who gain control of the “parent” account, or who can create a fraudulent one as happened here, can then access every account linked to it.

In this case, the attackers exploited domains that had not been previously associated with Workspace accounts or services. They may have aimed to impersonate victims within organizations to access shared documents and gather information. Some users reported suspicious sign-ins to apps like Dropbox, which allow Google account sign-ins.

KrebsOnSecurity reported that “a few thousand” Google Workspace accounts were created without proper domain verification.

Additional actions

Google has blocked the suspicious accounts, and if your domain was impersonated, you should have received a security notice about the incident.

If you received this notice, inform your organization’s security or IT staff so they can check for any suspicious activity involving your accounts.

Administrators with access to DNS configuration who do not have legitimate existing Google Workspace accounts can release their domain from existing Google Workspace services by using the domain in use tool. Once completed, administrators can secure their domain by immediately signing up for domain-verified Google Cloud services, including Cloud Identity Free.

Administrators may also want to take over central administration of existing Google Workspace accounts to claim their domain and control both domain verification and account management.

Additionally, consider turning off Google Sign-In for authentication in any apps where you have used this option, to prevent unauthorized access in the future.

Some helpful links for administrators managing accounts that were affected by this email verification bypass: