
Chinese Hackers Exploit Google Workspace to Steal Sensitive Information: What Does This Mean for Your SMB?

By Assist2go, 2 July 2026

Source: The Hacker News

Introduction: A New Threat to Your Business Data

Cybercrime is evolving at a rapid pace, posing a constant threat, especially to small and medium-sized businesses (SMBs). Recently, a new method has been discovered where Chinese hackers leverage legitimate Google Workspace features to gain access to sensitive information. This is not a targeted attack on large corporations alone; the method can also potentially affect SMBs that rely on cloud-based services.

It is therefore crucial to understand how this attack works and what steps you can take to protect your business.

How the Attack Works: Clever Exploitation of Trusted Systems

Chinese hackers have developed an advanced method to steal sensitive data, specifically targeting organizations with access to Google Workspace. This attack group, which reportedly has ties to the Chinese state, managed to maintain unnoticed access to the networks of medical, academic, and military research institutions in North America for over a year. Their target? Sensitive research and defense-related emails.

The first step in their strategy was gaining access. They achieved this by exploiting a vulnerability in so-called REDCap research servers. Through these servers, the attackers managed to steal login credentials, which gave them the key to the system.

The way the data was subsequently exfiltrated is particularly sophisticated and concerning. Instead of using traditional data exfiltration methods, the hackers modified the affected organizations' own Google Workspace rules. By reconfiguring these rules, they were able to ensure that any email meeting specific criteria was automatically copied to an external location they controlled. This occurred subtly and could go unnoticed by victims for a long time, as it appeared to be normal system behavior.

What makes this so dangerous is the use of legitimate functionality. Google Workspace rules are designed to automate processes and increase productivity, for example, by automatically forwarding, archiving, or labeling emails. The hackers exploit this legitimate functionality for their own purposes. This makes detecting the attack significantly more difficult, as the actions are not immediately recognized as malicious.

The hackers were thus able to collect large amounts of sensitive information, such as research results and communications vital for national security. The fact that they were already doing this last year demonstrates how long this advanced threat has been present and how effective it can be.

What Does This Mean for Your SMB?

Although the news report discusses large research institutions, the implication for SMBs is far-reaching and direct. Many small and medium-sized businesses heavily utilize cloud-based services like Google Workspace for their daily email communication, document storage, and collaboration. The vulnerability demonstrated here can therefore apply to any business, regardless of size.

For SMBs, this means that the way they organize their information security needs to be re-evaluated. The attack shows that even advanced defense mechanisms can be bypassed if hackers cleverly utilize the functionalities you already have in use. This underscores the importance of proactive security measures.

Your emails and documents may contain sensitive business information that is of great value to competitors or malicious actors: customer data, financial reports, product developments, or strategic plans. If such an attack succeeds, it could lead to:

  • Loss of competitive advantage due to sensitive information leaks.
  • Financial damage from theft of business information or loss of customer trust.
  • Reputational damage, making it harder to attract new customers.
  • Legal issues, especially if personal data is involved and GDPR regulations are violated.

The good news is that measures are available that are practical and affordable for SMBs as well. It is not necessary to implement an entirely new security system. Often, a few strategic adjustments and increased vigilance are sufficient to significantly reduce the risks.

Concrete Steps for Better Security

To protect your SMB from such attacks, it is important to act proactively. The method described here exploits automation rules within Google Workspace. Although monitoring all rules can be complex, there are specific steps you can take to enhance security.

First and foremost, it is essential to maintain a strong password policy. This means not only unique passwords for all employees but also requirements for length and complexity. Two-factor authentication (2FA), which requires an additional verification step beyond the password, is one of the most effective measures against unauthorized access, even with stolen credentials.

Limit user privileges within Google Workspace to only what is strictly necessary. Not everyone needs to be able to change global settings. By restricting privileges, you reduce the chance that a compromised account can be used to create or modify malicious rules. Regularly audit who has what permissions.

Train your employees in cybersecurity awareness. Often, the first steps toward a hack involve social engineering, such as clicking a malicious link or opening a suspicious attachment. An employee trained to recognize these types of attacks is the first line of defense.

Keep your systems and applications up to date. This also applies to the services you use, such as Google Workspace. While Google secures the platform itself, keeping your own settings and access secure remains your responsibility.

To address the attack method described here specifically, regularly check your Google Workspace configuration, especially the email routing and automation settings. Be alert for unexpected or unexplained rules created or modified by users. Setting up audits and logs can help detect anomalous behavior more quickly.
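As an added example (not from the original article, and not Google's or Assist2go's own tooling), the sketch below shows one way to review mailbox rules for the pattern described above: mail being copied to an address outside your organization. It assumes the per-user filters and auto-forwarding settings have already been exported to JSON shaped like Gmail API filter resources; the domains, the allowlist and the sample records are all constructed.

```python
import json

# Constructed sample export, one record per mailbox. Filters follow the shape of
# Gmail API filter resources (criteria / action.forward); every value is made up.
SAMPLE_EXPORT = json.loads("""[
 {"user": "pi@lab.example.org", "autoForwarding": {"enabled": false},
  "filters": [
   {"id": "f1", "criteria": {"from": "billing@vendor.example"},
    "action": {"addLabelIds": ["Label_7"]}},
   {"id": "f2", "criteria": {"query": "grant OR contract"},
    "action": {"forward": "inbox7731@mailbox.invalid"}}]},
 {"user": "office@lab.example.org",
  "autoForwarding": {"enabled": true, "emailAddress": "Office@Mail.Lab.Example.org"},
  "filters": [{"id": "f3", "criteria": {}, "action": {"forward": "records@archive-partner.example"}}]}
]""")

INTERNAL_DOMAINS = {"lab.example.org"}                   # assumption: your own domains
APPROVED_EXTERNAL = {"records@archive-partner.example"}  # assumption: reviewed exceptions


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address is outside every internal domain and its subdomains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_mailbox(record, approved=APPROVED_EXTERNAL):
    """Return one finding per rule in this mailbox that copies mail off-domain."""
    targets = []
    auto = record.get("autoForwarding") or {}
    if auto.get("enabled") and auto.get("emailAddress"):
        targets.append(("auto-forwarding", auto["emailAddress"], "all mail"))
    for flt in record.get("filters", []):
        forward_to = (flt.get("action") or {}).get("forward")
        if forward_to:
            criteria = flt.get("criteria") or {}
            scope = json.dumps(criteria, sort_keys=True) if criteria else "all mail"
            targets.append(("filter " + flt.get("id", "?"), forward_to, scope))
    return [
        {"user": record["user"], "rule": rule, "to": to.lower(), "scope": scope,
         "status": "approved-exception" if to.lower() in approved else "REVIEW"}
        for rule, to, scope in targets if is_external(to)
    ]


def audit_export(export):
    """Flatten the findings for every mailbox in the export."""
    return [finding for record in export for finding in audit_mailbox(record)]
```

Running `audit_export` on a schedule and comparing the findings with the previous run surfaces newly added external forwards, which is the change an administrator needs to look at.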

Conclusion

The discovery of Chinese hackers exploiting Google Workspace rules to steal sensitive data is a wake-up call for SMBs. It underscores that cybersecurity is not a luxury but an absolute necessity. The attack method is cunning, uses existing functionality, and can lead to severe consequences for your business.

By implementing strong password practices, two-factor authentication, limiting user privileges, regular employee training, and actively monitoring system configurations, you can significantly enhance your organization's resilience. Take steps today to protect your valuable business data from this growing threat.

**Want to learn more?** Also see how Assist2go can help with the right IT service for your business.
