Google Groups is a tool used to send emails to groups of people using a group name in the Gmail “To:” bar. Senders can write an email and type the name of the group they would like to send the email to; Google Groups then checks the list of emails associated with that group and sends the email to them. This allows for the convenient distribution of information within a team or organization.
Bad actors can use these groups to conduct a targeted phishing attack that reaches every member of a group at once. Groups are often named in a way that gives the attacker clues about the type of message to send, which increases the chances that a recipient will click on a link or open a package within the email.
Universities and organizations that use Google Workspace must take precautions when using this tool. Proper configuration is key to ensuring such an attack does not occur. One such configuration is disabling public access to a group. If a Google group is meant to be accessible only to a select number of users, make sure that the group is made private. This will prevent the group from auto-populating when users outside the group type it into the “To:” bar, so attackers cannot send emails to that group through the Google Groups feature.
One drawback of that approach arises when a Google Group is used as an org box. For example, if IT has a Google Group for IT help, when a user emails the group, any member of the IT team in that group can see the email and respond. Due to the nature of that use case, the group cannot be made private because people outside the group need to be able to see and email it. Organizations must be aware that the threat of phishing attacks against such a group is greater, and they should apply strict phishing mitigation techniques when using these tools, such as not opening any links or attachments from an unknown sender.
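The check described above can be run as an audit over exported group settings. The following is an added example, not part of the original article: it assumes the settings were exported as JSON using the Groups Settings API field names `whoCanPostMessage` and `whoCanDiscoverGroup`, and the group addresses and the `ORG_BOXES` allowlist are constructed for illustration.

```python
import json

# Constructed sample shaped like Groups Settings API resources. Not real data.
SAMPLE_EXPORT = json.dumps([
    {"email": "finance-team@example.edu",
     "whoCanPostMessage": "ANYONE_CAN_POST",
     "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER"},
    {"email": "it-help@example.edu",
     "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST",
     "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER"},
    {"email": "hr-staff@example.edu",
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
     "whoCanDiscoverGroup": "ALL_MEMBERS_CAN_DISCOVER"},
])

# Assumption: groups the organization deliberately leaves open (org boxes).
ORG_BOXES = {"it-help@example.edu"}

# Values that keep posting and discovery limited to the group itself.
RESTRICTED_POST = {"ALL_MEMBERS_CAN_POST", "ALL_MANAGERS_CAN_POST",
                   "ALL_OWNERS_CAN_POST", "NONE_CAN_POST"}
RESTRICTED_DISCOVER = {"ALL_MEMBERS_CAN_DISCOVER"}


def audit_groups(export_json, org_boxes=ORG_BOXES):
    """Return {email: verdict}; verdict is 'private', 'org-box' or 'exposed'."""
    verdicts = {}
    for group in json.loads(export_json):
        email = group["email"].lower()
        # A missing or unknown value counts as open so it gets reviewed.
        private = (group.get("whoCanPostMessage") in RESTRICTED_POST
                   and group.get("whoCanDiscoverGroup") in RESTRICTED_DISCOVER)
        if private:
            verdicts[email] = "private"
        elif email in org_boxes:
            verdicts[email] = "org-box"   # open on purpose: needs phishing controls
        else:
            verdicts[email] = "exposed"   # open with no documented reason
    return verdicts


if __name__ == "__main__":
    for email, verdict in audit_groups(SAMPLE_EXPORT).items():
        print(f"{verdict:8} {email}")
```

Groups reported as `exposed` are candidates for being made private; those reported as `org-box` stay open and rely on the user-side mitigations instead.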
All in all, the Google Groups feature is convenient for organizations, but it is convenient for bad actors as well. Organizations must educate themselves on the threats posed by this tool and prepare their users accordingly.