Cortex ITDR: Detecting Cyber Threats in Google Workspace
Palo Alto Networks, Wednesday, June 17th, 2026
Attackers are shifting from endpoints to the SaaS identity layer, and Cortex ITDR detects these Google Workspace threats.
This article examines how threat actors increasingly target Google Workspace through identity-layer attacks rather than endpoint-based malware. It walks through a realistic attack chain involving OAuth consent phishing, credential harvesting via the Drive API, persistence through Gmail forwarding rules, and administrative abuse.
Because these attacks abuse legitimate platform features and drop no malware, they are hard to detect with endpoint-centric tooling. The authors recommend Cortex XSIAM behavioral analytics and its Identity Threat Detection and Response (ITDR) capabilities, which correlate signals such as unusual OAuth authorizations, new mail-forwarding rules and administrative changes into a single identity-centered alert.
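As an added illustration of the correlation the summary describes (example code written here, not Cortex XSIAM or Palo Alto Networks code), the Python below groups constructed Google Workspace-style audit events per user and raises an alert only when two or more distinct identity signals (broad-scope OAuth grant, external forwarding rule, admin role change) occur for the same account inside a time window. The event field names, the tenant domain and the sample events are assumptions, not the real Google audit log schema.

```python
# Added example (not Cortex or Palo Alto Networks code): correlate the signal
# types the summary names across a constructed, simplified event stream.
# Field names (ts, actor, event, app, scopes, forward_to, target) are
# assumptions for illustration, not the real Google Workspace audit schema.
from datetime import datetime, timedelta
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"                               # assumed tenant domain
SENSITIVE_SCOPES = {"https://www.googleapis.com/auth/drive"}  # broad Drive access
WINDOW = timedelta(hours=24)

# Constructed sample events (not captured from any real tenant).
EVENTS = [
    {"ts": "2026-06-01T09:00:00", "actor": "alice@example.com", "event": "oauth_authorize",
     "app": "Docs Helper", "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"ts": "2026-06-01T09:40:00", "actor": "alice@example.com", "event": "forwarding_rule_created",
     "forward_to": "archive@mail-collector.invalid"},
    {"ts": "2026-06-01T10:15:00", "actor": "alice@example.com", "event": "admin_role_assigned",
     "target": "svc-backup@example.com"},
    {"ts": "2026-06-01T11:00:00", "actor": "bob@example.com", "event": "forwarding_rule_created",
     "forward_to": "bob.personal@example.com"},   # internal forward: benign on its own
]

def classify(ev):
    """Map one event to a signal name, or None if it is not suspicious."""
    if ev["event"] == "oauth_authorize" and SENSITIVE_SCOPES & set(ev.get("scopes", [])):
        return "oauth_broad_scope"
    if ev["event"] == "forwarding_rule_created" and not ev["forward_to"].endswith("@" + INTERNAL_DOMAIN):
        return "external_forwarding"
    if ev["event"] == "admin_role_assigned":
        return "admin_change"
    return None

def correlate(events, window=WINDOW):
    """Return {actor: sorted signal names} for actors with >= 2 distinct
    signals inside `window`; lone signals are left for lower-severity review."""
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = classify(ev)
        if sig:
            per_actor[ev["actor"]].append((datetime.fromisoformat(ev["ts"]), sig))
    alerts = {}
    for actor, sigs in per_actor.items():
        for i, (t0, _) in enumerate(sigs):          # slide the window from each signal
            names = {s for t, s in sigs[i:] if t - t0 <= window}
            if len(names) >= 2:
                alerts[actor] = sorted(names)
                break
    return alerts
```

Running `correlate(EVENTS)` flags only alice, whose three signals fall within the same day; bob's internal forward never becomes a signal at all.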