CINXE.COM

<!doctype html><html lang="en-US" dir="ltr"><head><base href="https://cloud.google.com/blog/"><link rel="preconnect" href="//www.gstatic.com"><meta name="referrer" content="origin"><meta name="viewport" content="initial-scale=1, width=device-width"><meta name="track-metadata-page_hosting_platform" content="blog_boq"><meta name="mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="application-name" content="Google Cloud Blog"><meta name="apple-mobile-web-app-title" content="Google Cloud Blog"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="msapplication-tap-highlight" content="no"><link rel="preconnect" href="//fonts.googleapis.com"><link rel="preconnect" href="//fonts.gstatic.com"><link rel="preconnect" href="//www.gstatic.com"><link rel="preconnect" href="//storage.googleapis.com"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Google+Sans+Text_old:400,500,700,400i,500i,700i"><link rel="manifest" crossorigin="use-credentials" href="_/TransformBlogUi/manifest.json"><link rel="home" href="/?lfhs=2"><link rel="msapplication-starturl" href="/?lfhs=2"><link rel="icon" href="//www.gstatic.com/cloud/images/icons/favicon.ico" sizes="32x32"><link rel="apple-touch-icon-precomposed" href="//www.gstatic.com/cloud/images/icons/favicon.ico" sizes="32x32"><link rel="msapplication-square32x32logo" href="//www.gstatic.com/cloud/images/icons/favicon.ico" sizes="32x32"><script data-id="_gd" nonce="wC7T6QA8MeKpUedWZ2V6dQ">window.WIZ_global_data = {"Bwo7Jf":"%.@.\"SG\",1]","CGQM5":"%.@.[[1]]]","DpimGf":false,"EP1ykd":["/_/*","/accounts/*","/transform","/transform/*"],"FdrFJe":"-1056603711853451149","Im6cmf":"/blog/_/TransformBlogUi","JvMKJd":"%.@.\"GTM-5CVQBG\",[[\"en\",\"\\u202aEnglish\\u202c\",true,\"en\"],[\"de\",\"\\u202aDeutsch\\u202c\",true,\"de\"],[\"es\",\"\\u202aEspañol\\u202c\",true,\"es\"],[\"es-419\",\"\\u202aEspañol (Latinoamérica)\\u202c\",true,\"es-419\"],[\"fr\",\"\\u202aFrançais\\u202c\",true,\"fr\"],[\"id\",\"\\u202aIndonesia\\u202c\",true,\"id\"],[\"it\",\"\\u202aItaliano\\u202c\",true,\"it\"],[\"pt-BR\",\"\\u202aPortuguês (Brasil)\\u202c\",true,\"pt-BR\"],[\"zh-CN\",\"\\u202a简体中文\\u202c\",true,\"zh-Hans\"],[\"zh-TW\",\"\\u202a繁體中文\\u202c\",true,\"zh-Hant\"],[\"ja\",\"\\u202a日本語\\u202c\",true,\"ja\"],[\"ko\",\"\\u202a한국어\\u202c\",true,\"ko\"]],[\"83405\",\"AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg\"],\"en\",null,null,[],[[\"https://cloud.google.com/innovators\",\"https://cloud.google.com/innovators/plus/activate\",\"https://cloud.google.com/innovators/innovatorsplus\"],[\"https://workspace.google.com/pricing\",\"https://www.x.com/googleworkspace\",\"https://www.facebook.com/googleworkspace\",\"https://www.youtube.com/channel/UCBmwzQnSoj9b6HzNmFrg_yw\",\"https://www.instagram.com/googleworkspace\",\"https://www.linkedin.com/showcase/googleworkspace\",\"https://about.google/?utm_source\\u003dworkspace.google.com\\u0026utm_medium\\u003dreferral\\u0026utm_campaign\\u003dgsuite-footer-en\",\"https://about.google/products/?tip\\u003dexplore\",\"https://workspace.google.com\",\"https://workspace.google.com/contact/?source\\u003dgafb-form-globalnav-en\",\"https://workspace.google.com/business/signup/welcome?hl\\u003den\\u0026source\\u003dgafb-form-globalnav-en\",\"https://workspace.google.com/blog\"],[\"https://www.cloudskillsboost.google\",\"https://www.cloudskillsboost.google?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreen\",\"https://www.cloudskillsboost.google/subscriptions?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreenlaunchpromo\",\"https://www.cloudskillsboost.google/subscriptions?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreen\",\"https://www.cloudskillsboost.google/catalog?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreen\",\"https://www.cloudskillsboost.google/paths?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreen\"],[\"https://mapsplatform.google.com\"],[\"https://cloud.google.com/developers\",\"https://cloud.google.com/developers/settings?utm_source\\u003dinnovators\"],[\"https://console.cloud.google.com/freetrial\",\"https://console.cloud.google.com/\",\"https://console.cloud.google.com/freetrial?redirectPath\\u003dhttps://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email/\"],[\"https://aitestkitchen.withgoogle.com/signup\",\"https://blog.google/technology/ai/join-us-in-the-ai-test-kitchen/\",\"https://cloud.google.com/ai\"],[\"https://googlecloudplatform.blogspot.com/\",\"https://github.com/GoogleCloudPlatform\",\"https://www.linkedin.com/company/google-cloud\",\"https://twitter.com/GoogleCloud_sg\",\"https://www.facebook.com/googlecloud\",\"https://www.youtube.com/GoogleCloudAPAC\"]],[2024,11,23],[[\"en\",\"x-default\"],\"x-default\"],[null,true],null,\"/blog/topics/threat-intelligence/unc3524-eye-spy-email/?hl\\u003den\",[\"6LcsrxUqAAAAAFhpR1lXsPN2j2nsTwy6JTbRKzJr\"]]","LVIXXb":1,"LoQv7e":false,"M55kSc":"%.@.]","MT7f9b":[],"MUE6Ne":"TransformBlogUi","PylxI":"%.@.\"cloudblog\",\"topics/threat-intelligence/unc3524-eye-spy-email\",[\"en\",\"de\",\"fr\",\"ko\",\"ja\"],\"en\",null,\"https://cloud.google.com/blog\",\"blog_article\",\"cloud.google.com\",[\"https://console.cloud.google.com/freetrial/\",\"https://cloud.google.com/contact/\",\"https://cloud.google.com/\",\"https://cloud.google.com/blog\",\"https://cloud.google.com/\",\"https://www.google.com/\",\"https://cloud.google.com/products/\",\"https://about.google.com/products/\",\"https://about.google/intl/en/\",\"https://support.google.com\"],[\"googlecloud\",\"googlecloud\",\"showcase/google-cloud\",\"googlecloud/\",\"googlecloud/\"],true]","QrtxK":"","S06Grb":"","S6lZl":105833389,"TSDtV":"%.@.[[null,[[45449436,null,false,null,null,null,\"NCoWOd\"],[45667527,null,false,null,null,null,\"Qzt9sd\"],[45449424,null,null,null,\"default\",null,\"PB4oCc\"],[45532645,null,true,null,null,null,\"wFnpse\"],[45643590,null,false,null,null,null,\"w7jzef\"],[45449433,null,true,null,null,null,\"BotAtd\"],[45662378,null,true,null,null,null,\"DG71uf\"],[45449442,null,true,null,null,null,\"dsKk4d\"],[45449449,null,true,null,null,null,\"b5B1L\"],[45663339,null,false,null,null,null,\"OEmSkb\"],[45664956,null,false,null,null,null,\"aeNUHe\"],[45459555,null,false,null,null,null,\"Imeoqb\"],[45646404,null,false,null,null,null,\"tfPPe\"],[45651445,null,false,null,null,null,\"XzXOC\"],[45449440,null,false,null,null,null,\"j9nUqf\"],[45631885,null,false,null,null,null,\"kG32O\"],[45449445,null,true,null,null,null,\"C4H3Td\"],[45649370,null,false,null,null,null,\"LibkZ\"],[45657332,null,true,null,null,null,\"oBUucf\"],[45449438,null,false,null,null,null,\"m0uJSe\"],[45449471,null,null,null,\"default\",null,\"Ammqqf\"],[45612748,null,false,null,null,null,\"fdXYmb\"],[45449467,null,null,null,\"variant1\",null,\"qL2Vf\"],[45449469,null,null,null,\"default\",null,\"mBNY1\"],[45449443,null,false,null,null,null,\"wvKxS\"],[45616194,null,false,null,null,null,\"y3jdm\"],[45449434,null,true,null,null,null,\"PvZHQ\"],[45449428,null,null,null,\"default\",null,\"cbPi4d\"],[45664077,null,false,null,null,null,\"w1axY\"],[45449423,null,null,null,\"default\",null,\"FIJFKf\"],[45449450,null,false,null,null,null,\"PTNaKe\"],[45632110,null,true,null,null,null,\"QK58Od\"],[45449435,null,false,null,null,null,\"s7Z7Ld\"],[45449446,null,true,null,null,null,\"ktxJzc\"],[45449468,null,null,null,\"variant4\",null,\"BUEcUe\"],[45659313,null,false,null,null,null,\"i2rGv\"],[45532646,null,true,null,null,null,\"RIvlU\"],[45449439,null,true,null,null,null,\"lsuui\"],[45650156,null,false,null,null,null,\"Pr5Lcf\"],[45449422,null,null,null,\"default\",null,\"epsxQe\"],[45628378,null,true,null,null,null,\"hRRuzd\"],[45651724,null,true,null,null,null,\"xYDLRc\"],[45662552,null,false,null,null,null,\"epuB3d\"],[45449444,null,true,null,null,null,\"HGJqie\"],[45655733,null,true,null,null,null,\"xPTOyb\"],[45663526,null,false,null,null,null,\"kG33G\"]],\"CAMSIB0Z2c2IEK/+BOrvF/2KA82ttBKhkOMGFrecDRbM9Q15\"]]]","UUFaWc":"%.@.null,1000,2]","Vvafkd":false,"Yllh3e":"%.@.1732434953045771,24365432,1259532702]","aAofAd":"%.@.[[[\"Solutions \\u0026 technology\",null,[[[\"AI \\u0026 Machine Learning\",\"/blog/products/ai-machine-learning\"],[\"API Management\",\"/blog/products/api-management\"],[\"Application Development\",\"/blog/products/application-development\"],[\"Application Modernization\",\"/blog/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/products/chrome-enterprise\"],[\"Compute\",\"/blog/products/compute\"],[\"Containers \\u0026 Kubernetes\",\"/blog/products/containers-kubernetes\"],[\"Data Analytics\",\"/blog/products/data-analytics\"],[\"Databases\",\"/blog/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/topics/maps-geospatial\"],[\"Security\",null,[[[\"Security \\u0026 Identity\",\"/blog/products/identity-security\"],[\"Threat Intelligence\",\"/blog/topics/threat-intelligence\"]]]],[\"Infrastructure\",\"/blog/products/infrastructure\"],[\"Infrastructure Modernization\",\"/blog/products/infrastructure-modernization\"],[\"Networking\",\"/blog/products/networking\"],[\"Productivity \\u0026 Collaboration\",\"/blog/products/productivity-collaboration\"],[\"SAP on Google Cloud\",\"/blog/products/sap-google-cloud\"],[\"Storage \\u0026 Data Transfer\",\"/blog/products/storage-data-transfer\"],[\"Sustainability\",\"/blog/topics/sustainability\"]]]],[\"Ecosystem\",null,[[[\"IT Leaders\",\"/transform\"],[\"Industries\",null,[[[\"Financial Services\",\"/blog/topics/financial-services\"],[\"Healthcare \\u0026 Life Sciences\",\"/blog/topics/healthcare-life-sciences\"],[\"Manufacturing\",\"/blog/topics/manufacturing\"],[\"Media \\u0026 Entertainment\",\"/blog/products/media-entertainment\"],[\"Public Sector\",\"/blog/topics/public-sector\"],[\"Retail\",\"/blog/topics/retail\"],[\"Supply Chain\",\"/blog/topics/supply-chain-logistics\"],[\"Telecommunications\",\"/blog/topics/telecommunications\"]]]],[\"Partners\",\"/blog/topics/partners\"],[\"Startups \\u0026 SMB\",\"/blog/topics/startups\"],[\"Training \\u0026 Certifications\",\"/blog/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/topics/inside-google-cloud\"],[\"Google Cloud Next \\u0026 Events\",\"/blog/topics/google-cloud-next\"],[\"Google Maps Platform\",\"https://mapsplatform.google.com/resources/blog/\"],[\"Google Workspace\",\"https://workspace.google.com/blog\"]]]],[\"Developers \\u0026 Practitioners\",\"/blog/topics/developers-practitioners\"],[\"Transform with Google Cloud\",\"/transform\"]]],[[\"de\",[[[\"Neuigkeiten\",\"/blog/de/topics/whats-new/aktuelles-auf-dem-google-cloud-blog\"],[\"Lösungen \\u0026 Technologien\",null,[[[\"Anwendungsentwicklung\",\"/blog/de/products/application-development\"],[\"Anwendungsmodernisierung\",\"/blog/de/products/anwendungsmodernisierung\"],[\"API-Verwaltung\",\"/blog/de/products/api-management\"],[\"Chrome Enterprise\",\"/blog/de/products/chrome-enterprise\"],[\"Computing\",\"/blog/de/products/compute\"],[\"Containers \\u0026 Kubernetes\",\"/blog/de/products/containers-kubernetes\"],[\"Datenanalysen\",\"/blog/de/products/data-analytics\"],[\"Datenbanken\",\"/blog/de/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/de/products/devops-sre\"],[\"Infrastruktur\",\"/blog/de/products/infrastructure\"],[\"KI \\u0026 Machine Learning\",\"/blog/de/products/ai-machine-learning\"],[\"Maps \\u0026 Geospatial\",\"/blog/de/topics/maps-geospatial\"],[\"Modernisierung der Infrastruktur\",\"/blog/de/products/modernisierung-der-infrastruktur\"],[\"Nachhaltigkeit\",\"/blog/de/topics/nachhaltigkeit\"],[\"Netzwerk\",\"/blog/de/products/networking\"],[\"Produktivität und Zusammenarbeit\",\"/blog/de/products/produktivitaet-und-kollaboration\"],[\"SAP in Google Cloud\",\"/blog/de/products/sap-google-cloud\"],[\"Sicherheit \\u0026 Identität\",\"/blog/de/products/identity-security\"],[\"Speicher und Datentransfer\",\"/blog/de/products/storage-data-transfer\"]]]],[\"Ökosystem\",null,[[[\"IT Leader\",\"/transform/de\"],[\"Industrien\",null,[[[\"Behörden und öffentlicher Sektor\",\"/blog/de/topics/public-sector\"],[\"Einzelhandel\",\"/blog/de/topics/retail\"],[\"Fertigung\",\"/blog/de/topics/fertigung\"],[\"Finanzdienstleistungen\",\"/blog/de/topics/financial-services\"],[\"Gesundheitswesen und Biowissenschaften\",\"/blog/de/topics/healthcare-life-sciences\"],[\"Lieferkette und Logistik\",\"/blog/de/topics/lieferkette-und-logistik\"],[\"Medien und Unterhaltung\",\"/blog/de/products/media-entertainment\"],[\"Telekommunikation\",\"/blog/de/topics/telecommunications\"]]]],[\"Entwickler*innen \\u0026 Fachkräfte\",\"/blog/de/topics/developers-practitioners\"],[\"Google Cloud Next \\u0026 Events\",\"/blog/de/topics/events\"],[\"Google Maps Platform\",\"/blog/de/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/de\"],[\"Inside Google Cloud\",\"/blog/de/topics/inside-google-cloud\"],[\"Kunden\",\"/blog/de/topics/kunden\"],[\"Partner\",\"/blog/de/topics/partners\"],[\"Start-ups und KMU\",\"/blog/de/topics/startups\"],[\"Training und Zertifizierung\",\"/blog/de/topics/training-certifications\"]]]],[\"Transformation mit Google Cloud\",\"/transform/de\"]]]],[\"en\",[[[\"Solutions \\u0026 technology\",null,[[[\"AI \\u0026 Machine Learning\",\"/blog/products/ai-machine-learning\"],[\"API Management\",\"/blog/products/api-management\"],[\"Application Development\",\"/blog/products/application-development\"],[\"Application Modernization\",\"/blog/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/products/chrome-enterprise\"],[\"Compute\",\"/blog/products/compute\"],[\"Containers \\u0026 Kubernetes\",\"/blog/products/containers-kubernetes\"],[\"Data Analytics\",\"/blog/products/data-analytics\"],[\"Databases\",\"/blog/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/topics/maps-geospatial\"],[\"Security\",null,[[[\"Security \\u0026 Identity\",\"/blog/products/identity-security\"],[\"Threat Intelligence\",\"/blog/topics/threat-intelligence\"]]]],[\"Infrastructure\",\"/blog/products/infrastructure\"],[\"Infrastructure Modernization\",\"/blog/products/infrastructure-modernization\"],[\"Networking\",\"/blog/products/networking\"],[\"Productivity \\u0026 Collaboration\",\"/blog/products/productivity-collaboration\"],[\"SAP on Google Cloud\",\"/blog/products/sap-google-cloud\"],[\"Storage \\u0026 Data Transfer\",\"/blog/products/storage-data-transfer\"],[\"Sustainability\",\"/blog/topics/sustainability\"]]]],[\"Ecosystem\",null,[[[\"IT Leaders\",\"/transform\"],[\"Industries\",null,[[[\"Financial Services\",\"/blog/topics/financial-services\"],[\"Healthcare \\u0026 Life Sciences\",\"/blog/topics/healthcare-life-sciences\"],[\"Manufacturing\",\"/blog/topics/manufacturing\"],[\"Media \\u0026 Entertainment\",\"/blog/products/media-entertainment\"],[\"Public Sector\",\"/blog/topics/public-sector\"],[\"Retail\",\"/blog/topics/retail\"],[\"Supply Chain\",\"/blog/topics/supply-chain-logistics\"],[\"Telecommunications\",\"/blog/topics/telecommunications\"]]]],[\"Partners\",\"/blog/topics/partners\"],[\"Startups \\u0026 SMB\",\"/blog/topics/startups\"],[\"Training \\u0026 Certifications\",\"/blog/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/topics/inside-google-cloud\"],[\"Google Cloud Next \\u0026 Events\",\"/blog/topics/google-cloud-next\"],[\"Google Maps Platform\",\"https://mapsplatform.google.com/resources/blog/\"],[\"Google Workspace\",\"https://workspace.google.com/blog\"]]]],[\"Developers \\u0026 Practitioners\",\"/blog/topics/developers-practitioners\"],[\"Transform with Google Cloud\",\"/transform\"]]]],[\"fr\",[[[\"Les tendances\",\"/blog/fr/topics/les-tendances/quelles-sont-les-nouveautes-de-google-cloud\"],[\"Solutions et Technologie\",null,[[[\"Analyse de données\",\"/blog/fr/products/analyse-de-donnees/\"],[\"Bases de données\",\"/blog/fr/products/databases\"],[\"Calcul\",\"/blog/fr/products/calcul/\"],[\"Chrome Entreprise\",\"/blog/fr/products/chrome-enterprise/\"],[\"Conteneurs et Kubernetes\",\"/blog/fr/products/conteneurs-et-kubernetes/\"],[\"Développement d\u0027Applications\",\"/blog/fr/products/application-development\"],[\"Développement durable\",\"/blog/fr/topics/developpement-durable\"],[\"DevOps et ingénierie SRE\",\"/blog/fr/products/devops-sre\"],[\"Gestion des API\",\"/blog/fr/products/api-management\"],[\"IA et Machine Learning\",\"/blog/fr/products/ai-machine-learning\"],[\"Infrastructure\",\"/blog/fr/products/infrastructure\"],[\"Maps et Géospatial\",\"/blog/fr/topics/maps-geospatial\"],[\"Modernisation d\u0027Applications\",\"/blog/fr/products/modernisation-dapplications/\"],[\"Modernisation d\u0027Infrastructure\",\"/blog/fr/products/modernisation-dinfrastructure/\"],[\"Networking\",\"/blog/fr/products/networking\"],[\"Productivité et Collaboration\",\"/blog/fr/products/productivite-et-collaboration\"],[\"SAP sur Google Cloud\",\"/blog/fr/products/sap-google-cloud\"],[\"Sécurité et Identité\",\"/blog/fr/products/identity-security\"],[\"Stockage et transfert de données\",\"/blog/fr/products/storage-data-transfer\"]]]],[\"Écosystème\",null,[[[\"Responsables IT\",\"/transform/fr\"],[\"Industries\",null,[[[\"Commerce\",\"/blog/fr/topics/retail\"],[\"Manufacturing\",\"/blog/fr/topics/manufacturing\"],[\"Médias et Divertissement\",\"/blog/fr/products/media-entertainment\"],[\"Santé\",\"/blog/fr/topics/healthcare-life-sciences\"],[\"Secteur Public\",\"/blog/fr/topics/public-sector\"],[\"Services Financiers\",\"/blog/fr/topics/financial-services\"],[\"Supply Chain\",\"/blog/fr/topics/supply-chain/\"],[\"Telecommunications\",\"/blog/fr/topics/telecommunications\"]]]],[\"Clients\",\"/blog/fr/topics/clients/\"],[\"Développeurs et professionnels\",\"/blog/fr/topics/developers-practitioners\"],[\"Formations et certifications\",\"/blog/fr/topics/training-certifications\"],[\"Google Cloud Next et Événements\",\"/blog/fr/topics/evenements\"],[\"Google Maps Platform\",\"/blog/fr/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/fr\"],[\"Inside Google Cloud\",\"/blog/fr/topics/inside-google-cloud\"],[\"Partenaires\",\"/blog/fr/topics/partners\"],[\"Start-ups et PME\",\"/blog/fr/topics/startups\"]]]],[\"Transformer avec Google Cloud\",\"/transform/fr\"]]]],[\"ja\",[[[\"ソリューションとテクノロジー\",null,[[[\"AI \\u0026 機械学習\",\"/blog/ja/products/ai-machine-learning\"],[\"API 管理\",\"/blog/ja/products/api-management\"],[\"アプリケーション開発\",\"/blog/ja/products/application-development\"],[\"アプリケーションモダナイゼーション\",\"/blog/ja/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/ja/products/chrome-enterprise\"],[\"コンピューティング\",\"/blog/ja/products/compute\"],[\"Containers \\u0026 Kubernetes\",\"/blog/ja/products/containers-kubernetes\"],[\"データ分析\",\"/blog/ja/products/data-analytics\"],[\"データベース\",\"/blog/ja/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/ja/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/ja/products/maps-platform\"],[\"セキュリティ\",null,[[[\"セキュリティ \\u0026 アイデンティティ\",\"/blog/ja/products/identity-security\"],[\"脅威インテリジェンス\",\"/blog/ja/topics/threat-intelligence\"]]]],[\"インフラストラクチャ\",\"/blog/ja/products/infrastructure\"],[\"インフラモダナイゼーション\",\"/blog/ja/products/infrastructure-modernization\"],[\"ネットワーキング\",\"/blog/ja/products/networking\"],[\"生産性とコラボレーション\",\"/blog/ja/products/productivity-collaboration\"],[\"Google Cloud での SAP\",\"/blog/ja/products/sap-google-cloud\"],[\"ストレージとデータ転送\",\"/blog/ja/products/storage-data-transfer\"],[\"サステナビリティ\",\"/blog/ja/topics/sustainability\"]]]],[\"エコシステム\",null,[[[\"ITリーダー\",\"/transform/ja\"],[\"業種\",null,[[[\"金融サービス\",\"/blog/ja/topics/financial-services\"],[\"ヘルスケア、ライフサイエンス\",\"/blog/ja/topics/healthcare-life-sciences\"],[\"製造\",\"/blog/ja/topics/manufacturing\"],[\"メディア、エンターテイメント\",\"/blog/ja/products/media-entertainment\"],[\"公共部門\",\"/blog/ja/topics/public-sector\"],[\"小売業\",\"/blog/ja/topics/retail\"],[\"サプライチェーン\",\"/blog/ja/topics/supply-chain-logistics\"],[\"通信\",\"/blog/ja/topics/telecommunications\"]]]],[\"顧客事例\",\"/blog/ja/topics/customers\"],[\"パートナー\",\"/blog/ja/topics/partners\"],[\"スタートアップ \\u0026 SMB\",\"/blog/ja/topics/startups\"],[\"トレーニングと認定\",\"/blog/ja/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/ja/topics/inside-google-cloud\"],[\"Google Cloud Next とイベント\",\"/blog/ja/topics/google-cloud-next\"],[\"Google Maps Platform\",\"/blog/ja/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/ja\"]]]],[\"デベロッパー\",\"/blog/ja/topics/developers-practitioners\"],[\"Transform with Google Cloud\",\"/transform/ja\"]]]],[\"ko\",[[[\"솔루션 및 기술\",null,[[[\"AI 및 머신러닝\",\"/blog/ko/products/ai-machine-learning\"],[\"API 관리\",\"/blog/ko/products/api-management\"],[\"애플리케이션 개발\",\"/blog/ko/products/application-development\"],[\"애플리케이션 현대화\",\"/blog/ko/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/products/chrome-enterprise\"],[\"컴퓨팅\",\"/blog/ko/products/compute\"],[\"컨테이너 \\u0026 Kubernetes\",\"/blog/ko/products/containers-kubernetes\"],[\"데이터 분석\",\"/blog/ko/products/data-analytics\"],[\"데이터베이스\",\"/blog/ko/products/databases\"],[\"DevOps 및 SRE\",\"/blog/ko/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/ko/products/maps-platform\"],[\"보안\",null,[[[\"보안 \\u0026 아이덴티티\",\"/blog/ko/products/identity-security\"],[\"위협 인텔리전스\",\"/blog/ko/topics/threat-intelligence\"]]]],[\"인프라\",\"/blog/ko/products/infrastructure\"],[\"Infrastructure Modernization\",\"/blog/ko/products/infrastructure-modernization\"],[\"네트워킹\",\"/blog/ko/products/networking\"],[\"생산성 및 공동작업\",\"/blog/ko/products/productivity-collaboration\"],[\"SAP on Google Cloud\",\"/blog/ko/products/sap-google-cloud\"],[\"스토리지 및 데이터 전송\",\"/blog/ko/products/storage-data-transfer\"],[\"지속가능성\",\"/blog/ko/topics/sustainability\"]]]],[\"에코시스템\",null,[[[\"IT Leaders\",\"/transform/ko\"],[\"업종\",null,[[[\"금융 서비스\",\"/blog/ko/topics/financial-services\"],[\"의료 및 생명과학\",\"/blog/ko/topics/healthcare-life-sciences\"],[\"제조업\",\"/blog/ko/topics/manufacturing\"],[\"미디어 및 엔터테인먼트\",\"/blog/ko/products/media-entertainment\"],[\"공공부문\",\"/blog/ko/topics/public-sector\"],[\"소매업\",\"/blog/ko/topics/retail\"],[\"공급망\",\"/blog/topics/supply-chain-logistics\"],[\"통신\",\"/blog/ko/topics/telecommunications\"]]]],[\"고객 사례\",\"/blog/ko/topics/customers\"],[\"파트너\",\"/blog/ko/topics/partners\"],[\"스타트업 \\u0026 SMB\",\"/blog/ko/topics/startups\"],[\"교육 \\u0026 인증\",\"/blog/ko/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/ko/topics/inside-google-cloud\"],[\"Google Cloud Next 및 이벤트\",\"/blog/ko/topics/google-cloud-next\"],[\"Google Maps Platform\",\"/blog/ko/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/ko\"]]]],[\"개발 및 IT운영\",\"/blog/ko/topics/developers-practitioners\"],[\"Google Cloud와 함께 하는 디지털 혁신\",\"/transform/ko\"]]]]]]","cfb2h":"boq_cloudx-web-blog-uiserver_20241121.08_p0","eptZe":"/blog/_/TransformBlogUi/","f8POw":"%.@.[97442199,1714246,97785988,97863043,93778619,93874004,48554503,1706538,48897392,97684535,97535270,97656899,97863170,97517172,48887082,48830069,97716263,48489822,97442181,97785970,93873986,97684517,97656881,97517154,48887064],null,null,null,null,true]","fPDxwd":[97517172,97684535,97863043,97863170],"gGcLoe":false,"iCzhFc":false,"nQyAE":{"b5B1L":"true","PTNaKe":"false","ktxJzc":"true","BUEcUe":"variant4","XzXOC":"false","kG32O":"false","C4H3Td":"true","w1axY":"false","Pr5Lcf":"false","kG33G":"false","OEmSkb":"false","aeNUHe":"false","j9nUqf":"false","wvKxS":"false","wFnpse":"true","tfPPe":"false","LibkZ":"false","m0uJSe":"false","PvZHQ":"true","s7Z7Ld":"false","i2rGv":"false","RIvlU":"true","lsuui":"true","HGJqie":"true","NCoWOd":"false","Qzt9sd":"false","dsKk4d":"true","fdXYmb":"false","epuB3d":"false","BotAtd":"true"},"p9hQne":"https://www.gstatic.com/_/boq-cloudx-web-blog/_/r/","qwAQke":"TransformBlogUi","rtQCxc":-480,"u4g7r":"%.@.null,1000,2]","vJ2GOe":"%.@.null,[[\"de\",[[[\"Themen\",null,[[[\"Product Announcements\",\"/blog/de/product-announcements\"],[\"KI \\u0026 Machine Learning\",\"/blog/de/ai-machine-learning\"],[\"Produktivität und Kollaboration\",\"/blog/de/productivity-collaboration\"],[\"Identität und Sicherheit\",\"/blog/de/identity-and-security\"],[\"Future of Work\",\"/blog/de/future-of-work\"],[\"Hybrides Arbeiten\",\"/blog/de/hybrid-work\"],[\"Kundenreferenzen\",\"/blog/de/customer-stories\"],[\"Entwickler*innen und Fachkräfte\",\"/blog/de/developers-practitioners\"],[\"Partner\",\"/blog/de/partners\"],[\"Events\",\"/blog/de/events\"],[\"Öffentlicher Sektor\",\"/blog/de/public-sector\"]]]],[\"Produktneuigkeiten\",null,[[[\"Gmail\",\"/blog/de/gmail\"],[\"Meet\",\"/blog/de/meet\"],[\"Chat and Spaces\",\"/blog/de/chat-spaces\"],[\"Drive\",\"/blog/de/drive\"],[\"Docs\",\"/blog/de/docs\"],[\"Sheets\",\"/blog/de/sheets\"]]]]]]],[\"en\",[[[\"Topics\",null,[[[\"Product Announcements\",\"/blog/product-announcements\"],[\"AI and Machine Learning\",\"/blog/ai-machine-learning\"],[\"Productivity and Collaboration\",\"/blog/productivity-collaboration\"],[\"Identity and Security\",\"/blog/identity-and-security\"],[\"Future of Work\",\"/blog/future-of-work\"],[\"Hybrid Work\",\"/blog/hybrid-work\"],[\"Customer Stories\",\"/blog/customer-stories\"],[\"Developers and Practitioners\",\"/blog/developers-practitioners\"],[\"Partners\",\"/blog/partners\"],[\"Events\",\"/blog/events\"],[\"Public Sector\",\"/blog/public-sector\"]]]],[\"Product News\",null,[[[\"Gmail\",\"/blog/gmail\"],[\"Meet\",\"/blog/meet\"],[\"Chat and Spaces\",\"/blog/chat-spaces\"],[\"Drive\",\"/blog/drive\"],[\"Docs\",\"/blog/docs\"],[\"Sheets\",\"/blog/sheets\"]]]]]]],[\"fr\",[[[\"Thèmes\",null,[[[\"Product Announcements\",\"/blog/fr/product-announcements\"],[\"IA et Machine Learning\",\"/blog/fr/ai-machine-learning\"],[\"Productivité et Collaboration\",\"/blog/fr/productivity-collaboration\"],[\"Identité et Sécurité\",\"/blog/fr/identity-and-security\"],[\"L\u0027avenir du travail\",\"/blog/fr/future-of-work\"],[\"Travail hybride\",\"/blog/fr/hybrid-work\"],[\"Témoignages Clients\",\"/blog/fr/customer-stories\"],[\"Développeurs et professionnels\",\"/blog/fr/developers-practitioners\"],[\"Partenaires\",\"/blog/fr/partners\"],[\"Événements\",\"/blog/fr/events\"],[\"Secteur Public\",\"/blog/fr/public-sector\"]]]],[\"Annonces sur les produits\",null,[[[\"Gmail\",\"/blog/fr/gmail\"],[\"Meet\",\"/blog/fr/meet\"],[\"Chat et Spaces\",\"/blog/fr/chat-spaces\"],[\"Drive\",\"/blog/fr/drive\"],[\"Docs\",\"/blog/fr/docs\"],[\"Sheets\",\"/blog/fr/sheets\"]]]]]]],[\"ja\",[[[\"トピック\",null,[[[\"プロダクトの発表\",\"/blog/ja/product-announcements\"],[\"AI \\u0026 機械学習\",\"/blog/ja/ai-machine-learning\"],[\"生産性とコラボレーション\",\"/blog/ja/productivity-collaboration\"],[\"アイデンティティとセキュリティ\",\"/blog/ja/identity-and-security\"],[\"未来の働き方\",\"/blog/ja/future-of-work\"],[\"ハイブリッドな働き方\",\"/blog/ja/hybrid-work\"],[\"顧客事例\",\"/blog/ja/customer-stories\"],[\"デベロッパー\",\"/blog/ja/developers-practitioners\"],[\"パートナー\",\"/blog/ja/partners\"],[\"イベント\",\"/blog/ja/events\"],[\"公共部門\",\"/blog/ja/public-sector\"]]]],[\"製品ニュース\",null,[[[\"Gmail\",\"/blog/ja/gmail\"],[\"Meet\",\"/blog/ja/meet\"],[\"Chat and Spaces\",\"/blog/ja/chat-spaces\"],[\"ドライブ\",\"/blog/ja/drive\"],[\"ドキュメント\",\"/blog/ja/docs\"],[\"スプレッドシート\",\"/blog/ja/sheets\"]]]]]]],[\"ko\",[[[\"주제\",null,[[[\"제품 업데이트\",\"/blog/ko/product-announcements\"],[\"AI 및 머신러닝\",\"/blog/ko/ai-machine-learning\"],[\"생산성 및 공동작업\",\"/blog/ko/productivity-collaboration\"],[\"인증 및 보안 \",\"/blog/ko/identity-and-security\"],[\"Future of Work\",\"/blog/ko/future-of-work\"],[\"하이브리드 업무\",\"/blog/ko/hybrid-work\"],[\"고객 사례\",\"/blog/ko/customer-stories\"],[\"개발자\",\"/blog/ko/developers-practitioners\"],[\"파트너\",\"/blog/ko/partners\"],[\"이벤트\",\"/blog/ko/events\"],[\"공공부문\",\"/blog/ko/public-sector\"]]]],[\"제품 소식\",null,[[[\"Gmail\",\"/blog/ko/gmail\"],[\"Meet\",\"/blog/ko/meet\"],[\"Chat 및 Spaces\",\"/blog/ko/chat-spaces\"],[\"Drive\",\"/blog/ko/drive\"],[\"Docs\",\"/blog/ko/docs\"],[\"Sheets\",\"/blog/ko/sheets\"]]]]]]]],null,[[\"de\",[[[[[\"Enthaltene Anwendungen\",\"https://workspace.google.com/intl/de/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/de/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/de/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/de/products/chat/\"],[\"Kalender\",\"https://workspace.google.com/intl/de/products/calendar/\"],[\"Drive\",\"https://workspace.google.com/intl/de/products/drive/\"],[\"Docs\",\"https://workspace.google.com/intl/de/products/docs/\"],[\"Tabellen\",\"https://workspace.google.com/intl/de/products/sheets/\"],[\"Präsentationen\",\"https://workspace.google.com/intl/de/products/slides/\"],[\"Formulare\",\"https://workspace.google.com/intl/de/products/forms/\"],[\"Sites\",\"https://workspace.google.com/intl/de/products/sites/\"],[\"Notizen\",\"https://workspace.google.com/intl/de/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/intl/de/products/apps-script/\"]]]]]],[[[\"Sicherheit und Verwaltung\",\"https://workspace.google.com/intl/de/security/\",[[[\"Admin\",\"https://workspace.google.com/intl/de/products/admin/\"],[\"Endpunkt\",\"https://workspace.google.com/intl/de/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/de/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/intl/de/products/workinsights/\"]]]],[\"Lösungen\",\"https://workspace.google.com/intl/de/solutions/\",[[[\"Neue Unternehmen\",\"https://workspace.google.com/intl/de/business/new-business/\"],[\"Kleine Unternehmen\",\"https://workspace.google.com/intl/de/business/small-business/\"],[\"Große Unternehmen\",\"https://workspace.google.com/intl/de/solutions/enterprise/\"],[\"Education\",\"https://edu.google.com/products/workspace-for-education/education-fundamentals/\"],[\"Nonprofit-Organisationen\",\"https://www.google.com/nonprofits/\"]]]]]],[[[\"Preise\",\"https://workspace.google.com/intl/de/pricing.html\",[[[\"Version auswählen\",\"https://workspace.google.com/intl/de/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Gemini für Workspace\",\"https://workspace.google.com/solutions/ai/\"],[\"Google Voice\",\"https://workspace.google.com/intl/de/products/voice/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"Ressourcen\",\"https://workspace.google.com/intl/de/faq/\",[[[\"Telearbeit\",\"https://workspace.google.com/intl/de/working-remotely/\"],[\"Sicherheit\",\"https://workspace.google.com/intl/de/security/\"],[\"FAQ\",\"https://workspace.google.com/intl/de/faq/\"],[\"Partner\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Google Workspace Marketplace\",\"https://workspace.google.com/marketplace/\"],[\"Integrationen\",\"https://workspace.google.com/intl/de/integrations/\"],[\"Schulung \\u0026 Zertifizierung\",\"https://workspace.google.com/intl/de/training/\"]]]]]],[[[\"Schulung und Support\",\"https://workspace.google.com/intl/de/support/\",[[[\"Admin-Hilfe\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"Einrichtungs- und Bereitstellungscenter\",\"https://workspace.google.com/setup/?hl\\u003dde\"],[\"Schulungscenter für Nutzer\",\"https://workspace.google.com/intl/de/learning-center/\"],[\"Foren für Administratoren\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google Workspace-Dashboard\",\"https://www.google.com/appsstatus\"],[\"Presse\",\"https://cloud.google.com/press/\"]]]],[\"Mehr von Google\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dde\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google Lösungen für Unternehmen\",\"https://www.google.com/intl/de/services/\"],[\"Google Ads\",\"https://ads.google.com/home/?subid\\u003dde-de-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"An Nutzerstudien teilnehmen\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"en\",[[[[[\"Included applications\",\"https://workspace.google.com/features/\",[[[\"Gmail\",\"https://workspace.google.com/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/products/meet/\"],[\"Chat\",\"https://workspace.google.com/products/chat/\"],[\"Calendar\",\"https://workspace.google.com/products/calendar/\"],[\"Drive\",\"https://workspace.google.com/products/drive/\"],[\"Docs\",\"https://workspace.google.com/products/docs/\"],[\"Sheets\",\"https://workspace.google.com/products/sheets/\"],[\"Slides\",\"https://workspace.google.com/products/slides/\"],[\"Forms\",\"https://workspace.google.com/products/forms/\"],[\"Sites\",\"https://workspace.google.com/products/sites/\"],[\"Keep\",\"https://workspace.google.com/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/products/apps-script/\"]]]]]],[[[\"Security and management\",\"https://workspace.google.com/security/\",[[[\"Admin\",\"https://workspace.google.com/products/admin/\"],[\"Endpoint\",\"https://workspace.google.com/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/products/workinsights/\"]]]],[\"Solutions\",\"https://workspace.google.com/solutions/\",[[[\"New Business\",\"https://workspace.google.com/business/new-business/\"],[\"Small Business\",\"https://workspace.google.com/business/small-business/\"],[\"Enterprise\",\"https://workspace.google.com/solutions/enterprise/\"],[\"Retail\",\"https://workspace.google.com/industries/retail/\"],[\"Manufacturing\",\"https://workspace.google.com/industries/manufacturing/\"],[\"Professional Services\",\"https://workspace.google.com/industries/professional-services/\"],[\"Technology\",\"https://workspace.google.com/industries/technology/\"],[\"Healthcare\",\"https://workspace.google.com/industries/healthcare/\"],[\"Government\",\"https://workspace.google.com/industries/government/\"],[\"Education\",\"https://edu.google.com/products/workspace-for-education/education-fundamentals/\"],[\"Nonprofits\",\"https://www.google.com/nonprofits/\"],[\"Artificial Intelligence\",\"https://workspace.google.com/solutions/ai/\"]]]]]],[[[\"Pricing\",\"https://workspace.google.com/pricing.html\",[[[\"Compare pricing plans\",\"https://workspace.google.com/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Gemini for Workspace\",\"https://workspace.google.com/solutions/ai/\"],[\"Meet hardware\",\"https://workspace.google.com/products/meet-hardware/\"],[\"Google Voice\",\"https://workspace.google.com/products/voice/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"Resources\",\"https://workspace.google.com/faq/\",[[[\"Working remotely\",\"https://workspace.google.com/working-remotely/\"],[\"Security\",\"https://workspace.google.com/security/\"],[\"Customer Stories\",\"https://workspace.google.com/customers/\"],[\"FAQs\",\"https://workspace.google.com/faq/\"],[\"Partners\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/marketplace/\"],[\"Integrations\",\"https://workspace.google.com/integrations/\"],[\"Training \\u0026 Certification\",\"https://workspace.google.com/training/\"],[\"Refer Google Workspace\",\"https://workspace.google.com/landing/partners/referral/\"]]]]]],[[[\"Learning and support\",\"https://workspace.google.com/support/\",[[[\"Admin Help\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"Setup and Deployment Center\",\"https://workspace.google.com/setup\"],[\"Learning Center for Users\",\"https://workspace.google.com/learning-center/\"],[\"Forums for Admins\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google Workspace Dashboard\",\"https://www.google.com/appsstatus\"],[\"What\u0027s New in Google Workspace\",\"https://workspace.google.com/whatsnew/\"],[\"Find a Google Workspace Partner\",\"https://www.google.com/a/partnersearch/\"],[\"Join the community of IT Admins\",\"https://www.googlecloudcommunity.com/gc/Google-Workspace/ct-p/google-workspace\"],[\"Press\",\"https://cloud.google.com/press/\"]]]],[\"More from Google\",null,[[[\"Google Cloud\",\"https://cloud.google.com/\"],[\"Google Domains\",\"https://domains.google.com/about/?utm_source\\u003dgoogleappsforwork\\u0026utm_medium\\u003dreferral\\u0026utm_campaign\\u003dgooglepromos\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google Business Solutions\",\"https://www.google.com/services/\"],[\"Google Ads\",\"https://ads.google.com/home/?subid\\u003dus-en-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"Join User Studies\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"fr\",[[[[[\"Enthaltene Anwendungen\",\"https://workspace.google.com/intl/fr/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/fr/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/fr/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/fr/products/chat/\"],[\"Google Agenda\",\"https://workspace.google.com/intl/fr/products/calendar/\"],[\"Drive\",\"https://workspace.google.com/intl/fr/products/drive/\"],[\"Docs\",\"https://workspace.google.com/intl/fr/products/docs/\"],[\"Sheets\",\"https://workspace.google.com/intl/fr/products/sheets/\"],[\"Slides\",\"https://workspace.google.com/intl/fr/products/slides/\"],[\"Forms\",\"https://workspace.google.com/intl/fr/products/forms/\"],[\"Google Sites\",\"https://workspace.google.com/intl/fr/products/sites/\"],[\"Keep\",\"https://workspace.google.com/intl/fr/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/intl/fr/products/apps-script/\"]]]]]],[[[\"Sécurité et gestion\",\"https://workspace.google.com/intl/fr/security/\",[[[\"Console d\u0027administration\",\"https://workspace.google.com/intl/fr/products/admin/\"],[\"Point de terminaison\",\"https://workspace.google.com/intl/fr/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/fr/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/intl/fr/products/workinsights/\"]]]],[\"Solutions\",\"https://workspace.google.com/intl/fr/solutions/\",[[[\"Nouvelle entreprise\",\"https://workspace.google.com/intl/fr/business/new-business/\"],[\"PME\",\"https://workspace.google.com/intl/fr/business/small-business/\"],[\"Grande entreprise\",\"https://workspace.google.com/intl/fr/solutions/enterprise/\"],[\"Education\",\"https://edu.google.com/products/workspace-for-education/education-fundamentals/\"],[\"Associations\",\"https://www.google.com/nonprofits/\"]]]]]],[[[\"Tarifs\",\"https://workspace.google.com/intl/fr/pricing.html\",[[[\"Choisissez une édition\",\"https://workspace.google.com/intl/fr/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Gemini pour Workspace\",\"https://workspace.google.com/solutions/ai/\"],[\"Matériel Meet\",\"https://workspace.google.com/intl/fr/products/meet-hardware/\"],[\"Google Voice\",\"https://workspace.google.com/intl/fr/products/voice/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"Ressources\",\"https://workspace.google.com/intl/fr/faq/\",[[[\"Travail à distance\",\"https://workspace.google.com/intl/fr/working-remotely/\"],[\"Sécurité\",\"https://workspace.google.com/intl/fr/security/\"],[\"Questions fréquentes\",\"https://workspace.google.com/intl/fr/faq/\"],[\"Partenaires\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/marketplace/\"],[\"Intégrations\",\"https://workspace.google.com/intl/fr/integrations/\"],[\"Formation et certification\",\"https://workspace.google.com/intl/fr/training/\"]]]]]],[[[\"Formation et assistance\",\"https://workspace.google.com/intl/fr/support/\",[[[\"Aide pour les administrateurs\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"Centre de configuration et de déploiement\",\"https://workspace.google.com/setup/?hl\\u003dfr\"],[\"Centre de formation pour les utilisateurs\",\"https://workspace.google.com/intl/fr/learning-center/\"],[\"Forums pour les administrateurs\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Tableau de bord Google Workspace\",\"https://www.google.com/appsstatus#hl\\u003dfr\"],[\"Rechercher un partenaire Google Workspace\",\"https://www.google.com/a/partnersearch/?hl\\u003dfr#home\"],[\"Presse\",\"https://cloud.google.com/press/\"]]]],[\"Autres ressources Google\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dfr\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Solutions d\u0027entreprise Google\",\"https://www.google.com/intl/fr/services/\"],[\"Google pour les Pros\",\"https://pourlespros.withgoogle.com/?utm_source\\u003dEngagement\\u0026utm_medium\\u003dep\\u0026utm_term\\u003dSMB\\u0026utm_content\\u003dFR%20Apps%20for%20work%20footert\\u0026utm_campaign\\u003dQ4_2015%20FR%20Apps%20for%20work%20footer\"],[\"Google Ads\",\"https://ads.google.com/home/?subid\\u003dfr-fr-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"Participer aux études sur l\u0027expérience utilisateur\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"ja\",[[[[[\"ご利用いただけるアプリケーション\",\"https://workspace.google.com/intl/ja/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/ja/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/ja/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/ja/products/chat/\"],[\"カレンダー\",\"https://workspace.google.com/intl/ja/products/calendar/\"],[\"ドライブ\",\"https://workspace.google.com/intl/ja/products/drive/\"],[\"ドキュメント\",\"https://workspace.google.com/intl/ja/products/docs/\"],[\"スプレッドシート\",\"https://workspace.google.com/intl/ja/products/sheets/\"],[\"スライド\",\"https://workspace.google.com/intl/ja/products/slides/\"],[\"フォーム\",\"https://workspace.google.com/intl/ja/products/forms/\"],[\"サイト\",\"https://workspace.google.com/intl/ja/products/sites/\"],[\"Keep\",\"https://workspace.google.com/intl/ja/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/intl/ja/products/apps-script/\"]]]]]],[[[\"セキュリティと管理\",\"https://workspace.google.com/intl/ja/security/\",[[[\"管理コンソール\",\"https://workspace.google.com/intl/ja/products/admin/\"],[\"エンドポイント\",\"https://workspace.google.com/intl/ja/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/ja/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/intl/ja/products/workinsights/\"]]]],[\"ソリューション\",\"https://workspace.google.com/intl/ja/solutions/\",[[[\"新規ビジネス\",\"https://workspace.google.com/intl/ja/business/new-business/\"],[\"小規模ビジネス\",\"https://workspace.google.com/intl/ja/business/small-business/\"],[\"大規模ビジネス\",\"https://workspace.google.com/intl/ja/solutions/enterprise/\"],[\"Education\",\"https://edu.google.com/intl/ja/products/workspace-for-education/education-fundamentals/\"],[\"非営利団体\",\"https://www.google.com/intl/ja/nonprofits/\"]]]]]],[[[\"料金\",\"https://workspace.google.com/intl/ja/pricing.html\",[[[\"エディションを選ぶ\",\"https://workspace.google.com/intl/ja/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Gemini for Workspace\",\"https://workspace.google.com/solutions/ai/\"],[\"Meet ハードウェア\",\"https://workspace.google.com/intl/ja/products/meet-hardware/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"関連情報\",\"https://workspace.google.com/intl/ja/faq/\",[[[\"リモートワーク\",\"https://workspace.google.com/intl/ja/working-remotely/\"],[\"セキュリティ\",\"https://workspace.google.com/intl/ja/security/\"],[\"事例紹介\",\"https://workspace.google.com/intl/ja/customers/\"],[\"よくある質問\",\"https://workspace.google.com/intl/ja/faq/\"],[\"パートナー\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/intl/ja/marketplace/\"],[\"統合\",\"https://workspace.google.com/intl/ja/integrations/\"],[\"トレーニングと認定資格\",\"https://workspace.google.com/intl/ja/training/\"]]]]]],[[[\"学習とサポート\",\"https://workspace.google.com/intl/ja/support/\",[[[\"管理者用ヘルプ\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"設定と導入のガイド\",\"https://workspace.google.com/setup/?hl\\u003dja\"],[\"ユーザー向けラーニングセンター\",\"https://workspace.google.com/intl/ja/learning-center/\"],[\"管理者向けフォーラム\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google Workspace ステータスダッシュボード\",\"https://www.google.com/appsstatus#hl\\u003dja\"],[\"Google Workspace パートナーを探す\",\"https://www.google.com/a/partnersearch/?hl\\u003dja#home\"],[\"プレスリリース\",\"https://cloud.google.com/press/?hl\\u003dja\"]]]],[\"その他の Google サービス\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dja\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google ビジネスソリューション\",\"https://www.google.com/intl/ja/services/\"],[\"Google 広告\",\"https://ads.google.com/home/?subid\\u003dja-ja-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"ユーザー調査に参加する\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"ko\",[[[[[\"포함된 애플리케이션\",\"https://workspace.google.com/intl/ko/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/ko/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/ko/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/ko/products/chat/\"],[\"Calendar\",\"https://workspace.google.com/intl/ko/products/calendar/\"],[\"Drive\",\"https://workspace.google.com/intl/ko/products/drive/\"],[\"Docs\",\"https://workspace.google.com/intl/ko/products/docs/\"],[\"Sheets\",\"https://workspace.google.com/intl/ko/products/sheets/\"],[\"Slides\",\"https://workspace.google.com/intl/ko/products/slides/\"],[\"설문지\",\"https://workspace.google.com/intl/ko/products/forms/\"],[\"사이트 도구\",\"https://workspace.google.com/intl/ko/products/sites/\"],[\"Keep\",\"https://workspace.google.com/intl/ko/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/intl/ko/products/apps-script/\"]]]]]],[[[\"보안 및 관리\",\"https://workspace.google.com/intl/ko/security/\",[[[\"관리\",\"https://workspace.google.com/intl/ko/products/admin/\"],[\"엔드포인트\",\"https://workspace.google.com/intl/ko/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/ko/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/intl/ko/products/workinsights/\"]]]],[\"솔루션\",\"https://workspace.google.com/intl/ko/solutions/\",[[[\"신규 업체\",\"https://workspace.google.com/intl/ko/business/new-business/\"],[\"중소기업\",\"https://workspace.google.com/intl/ko/business/small-business/\"],[\"엔터프라이즈\",\"https://workspace.google.com/intl/ko/solutions/enterprise/\"],[\"Education\",\"https://edu.google.com/products/workspace-for-education/education-fundamentals/\"],[\"비영리단체\",\"https://www.google.com/nonprofits/\"]]]]]],[[[\"가격\",\"https://workspace.google.com/intl/ko/pricing.html\",[[[\"버전 선택\",\"https://workspace.google.com/intl/ko/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Workspace를 위한 Gemini\",\"https://workspace.google.com/solutions/ai/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"리소스\",\"https://workspace.google.com/intl/ko/faq/\",[[[\"원격 근무\",\"https://workspace.google.com/intl/ko/working-remotely/\"],[\"보안\",\"https://workspace.google.com/intl/ko/security/\"],[\"FAQ\",\"https://workspace.google.com/intl/ko/faq/\"],[\"파트너\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/intl/ko/marketplace/\"],[\"통합\",\"https://workspace.google.com/intl/ko/integrations/\"],[\"교육 및 인증\",\"https://workspace.google.com/intl/ko/training/\"]]]]]],[[[\"학습 및 지원\",\"https://workspace.google.com/intl/ko/support/\",[[[\"관리자 도움말\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"설치 및 배포 센터\",\"https://workspace.google.com/setup/?hl\\u003dko\"],[\"사용자를 위한 학습 센터\",\"https://workspace.google.com/intl/ko/learning-center/\"],[\"관리자 포럼\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google Workspace 대시보드\",\"https://www.google.com/appsstatus#hl\\u003dko\"],[\"Google Workspace 파트너 찾기\",\"https://www.google.com/a/partnersearch/?hl\\u003dko#home\"],[\"보도자료\",\"https://cloud.google.com/press/\"]]]],[\"Google의 다른 제품\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dko\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google 비즈니스 솔루션\",\"https://www.google.com/intl/ko_kr/business/\"],[\"Google Ads\",\"https://ads.google.com/home/?subid\\u003dkr-ko-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"사용자 연구 참여\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]]]]","w2btAe":"%.@.null,null,\"\",false,null,null,true,false]","xn5OId":false,"xnI9P":true,"xwAfE":true,"y2FhP":"prod","yFnxrf":1884,"zChJod":"%.@.]"};</script><script nonce="wC7T6QA8MeKpUedWZ2V6dQ">(function(){'use strict';var a=window,d=a.performance,l=k();a.cc_latency_start_time=d&&d.now?0:d&&d.timing&&d.timing.navigationStart?d.timing.navigationStart:l;function k(){return d&&d.now?d.now():(new Date).getTime()}function n(e){if(d&&d.now&&d.mark){var g=d.mark(e);if(g)return g.startTime;if(d.getEntriesByName&&(e=d.getEntriesByName(e).pop()))return e.startTime}return k()}a.onaft=function(){n("aft")};a._isLazyImage=function(e){return e.hasAttribute("data-src")||e.hasAttribute("data-ils")||e.getAttribute("loading")==="lazy"}; a.l=function(e){function g(b){var c={};c[b]=k();a.cc_latency.push(c)}function m(b){var c=n("iml");b.setAttribute("data-iml",c);return c}a.cc_aid=e;a.iml_start=a.cc_latency_start_time;a.css_size=0;a.cc_latency=[];a.ccTick=g;a.onJsLoad=function(){g("jsl")};a.onCssLoad=function(){g("cssl")};a._isVisible=function(b,c){if(!c||c.style.display=="none")return!1;var f=b.defaultView;if(f&&f.getComputedStyle&&(f=f.getComputedStyle(c),f.height=="0px"||f.width=="0px"||f.visibility=="hidden"))return!1;if(!c.getBoundingClientRect)return!0; var h=c.getBoundingClientRect();c=h.left+a.pageXOffset;f=h.top+a.pageYOffset;if(f+h.height<0||c+h.width<0||h.height<=0||h.width<=0)return!1;b=b.documentElement;return f<=(a.innerHeight||b.clientHeight)&&c<=(a.innerWidth||b.clientWidth)};a._recordImlEl=m;document.documentElement.addEventListener("load",function(b){b=b.target;var c;b.tagName!="IMG"||b.hasAttribute("data-iid")||a._isLazyImage(b)||b.hasAttribute("data-noaft")||(c=m(b));if(a.aft_counter&&(b=a.aft_counter.indexOf(b),b!==-1&&(b=a.aft_counter.splice(b, 1).length===1,a.aft_counter.length===0&&b&&c)))a.onaft(c)},!0);a.prt=-1;a.wiz_tick=function(){var b=n("prt");a.prt=b}};}).call(this); l('DK1zsb')</script><script nonce="wC7T6QA8MeKpUedWZ2V6dQ">var _F_cssRowKey = 'boq-cloudx-web-blog.TransformBlogUi.kBvWwdAt86U.L.X.O';var _F_combinedSignature = 'AHrnUqUMne414GLMZipCdLurIRsd0ykfYQ';function _DumpException(e) {throw e;}</script><link rel="stylesheet" href="https://www.gstatic.com/_/mss/boq-cloudx-web-blog/_/ss/k=boq-cloudx-web-blog.TransformBlogUi.kBvWwdAt86U.L.X.O/am=OBgwCw/d=1/ed=1/rs=AHrnUqUdHr1ILLldbe8xmK4BOgod6WRp4g/m=articleview,_b,_tp" data-id="_cl" nonce="etUnG2Qk0TfHJILls3CMbQ"><script nonce="wC7T6QA8MeKpUedWZ2V6dQ">onCssLoad();</script><style nonce="etUnG2Qk0TfHJILls3CMbQ">@font-face{font-family:'Product Sans';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/productsans/v9/pxiDypQkot1TnFhsFMOfGShVF9eK.eot);}@font-face{font-family:'Google Sans';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/googlesans/v58/4Ua_rENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iqcsih3SAyH6cAwhX9RFD48TE63OOYKtrwEIJllpy0.eot);}@font-face{font-family:'Google Sans';font-style:normal;font-weight:500;src:url(https://fonts.gstatic.com/s/googlesans/v58/4Ua_rENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iqcsih3SAyH6cAwhX9RFD48TE63OOYKtrw2IJllpy0.eot);}@font-face{font-family:'Google Sans';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/googlesans/v58/4Ua_rENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iqcsih3SAyH6cAwhX9RFD48TE63OOYKtrzjJ5llpy0.eot);}@font-face{font-family:'Google Sans Display';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/googlesansdisplay/v13/ea8FacM9Wef3EJPWRrHjgE4B6CnlZxHVDv79pQ.eot);}@font-face{font-family:'Google Sans Display';font-style:normal;font-weight:500;src:url(https://fonts.gstatic.com/s/googlesansdisplay/v13/ea8IacM9Wef3EJPWRrHjgE4B6CnlZxHVBg3etBD7SA.eot);}@font-face{font-family:'Google Sans Display';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/googlesansdisplay/v13/ea8IacM9Wef3EJPWRrHjgE4B6CnlZxHVBkXYtBD7SA.eot);}</style><script nonce="wC7T6QA8MeKpUedWZ2V6dQ">(function(){'use strict';function e(){var a=g,b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0 */ var l=this||self;/* Copyright 2024 Google, Inc SPDX-License-Identifier: MIT */ var m=["focus","blur","error","load","toggle"];function n(a){return a==="mouseenter"?"mouseover":a==="mouseleave"?"mouseout":a==="pointerenter"?"pointerover":a==="pointerleave"?"pointerout":a};function p(a){this.l={};this.m={};this.i=null;this.g=[];this.o=a}p.prototype.handleEvent=function(a,b,c){q(this,{eventType:a,event:b,targetElement:b.target,eic:c,timeStamp:Date.now(),eia:void 0,eirp:void 0,eiack:void 0})};function q(a,b){if(a.i)a.i(b);else{b.eirp=!0;var c;(c=a.g)==null||c.push(b)}} function r(a,b,c){if(!(b in a.l)&&a.o){var d=function(h,f,B){a.handleEvent(h,f,B)};a.l[b]=d;c=n(c||b);if(c!==b){var k=a.m[c]||[];k.push(b);a.m[c]=k}a.o.addEventListener(c,function(h){return function(f){d(b,f,h)}},void 0)}}p.prototype.j=function(a){return this.l[a]};p.prototype.ecrd=function(a){this.i=a;var b;if((b=this.g)==null?0:b.length){for(a=0;a<this.g.length;a++)q(this,this.g[a]);this.g=null}};var t=typeof navigator!=="undefined"&&/iPhone|iPad|iPod/.test(navigator.userAgent);function u(a){this.g=a;this.i=[]}u.prototype.addEventListener=function(a,b,c){t&&(this.g.style.cursor="pointer");var d=this.i,k=d.push,h=this.g;b=b(this.g);var f=!1;m.indexOf(a)>=0&&(f=!0);h.addEventListener(a,b,typeof c==="boolean"?{capture:f,passive:c}:f);k.call(d,{eventType:a,j:b,capture:f,passive:c})};var g="click dblclick focus focusin blur error focusout keydown keyup keypress load mouseover mouseout mouseenter mouseleave submit toggle touchstart touchend touchmove touchcancel auxclick change compositionstart compositionupdate compositionend beforeinput input select textinput copy cut paste mousedown mouseup wheel contextmenu dragover dragenter dragleave drop dragstart dragend pointerdown pointermove pointerup pointercancel pointerenter pointerleave pointerover pointerout gotpointercapture lostpointercapture ended loadedmetadata pagehide pageshow visibilitychange beforematch".split(" "); if(!(g instanceof Array)){var v;var w=typeof Symbol!="undefined"&&Symbol.iterator&&g[Symbol.iterator];if(w)v=w.call(g);else if(typeof g.length=="number")v={next:e()};else throw Error(String(g)+" is not an iterable or ArrayLike");for(var x,y=[];!(x=v.next()).done;)y.push(x.value)};var z=function(a){return{trigger:function(b){var c=a.j(b.type);c||(r(a,b.type),c=a.j(b.type));var d=b.target||b.srcElement;c&&c(b.type,b,d.ownerDocument.documentElement)},configure:function(b){b(a)}}}(function(){var a=window,b=new u(a.document.documentElement),c=new p(b);g.forEach(function(h){return r(c,h)});var d,k;"onwebkitanimationend"in a&&(d="webkitAnimationEnd");r(c,"animationend",d);"onwebkittransitionend"in a&&(k="webkitTransitionEnd");r(c,"transitionend",k);return{s:c,u:b}}().s),A=["BOQ_wizbind"], C=window||l;A[0]in C||typeof C.execScript=="undefined"||C.execScript("var "+A[0]);for(var D;A.length&&(D=A.shift());)A.length||z===void 0?C[D]&&C[D]!==Object.prototype[D]?C=C[D]:C=C[D]={}:C[D]=z;}).call(this); </script><script noCollect src="https://www.gstatic.com/_/mss/boq-cloudx-web-blog/_/js/k=boq-cloudx-web-blog.TransformBlogUi.en_US.gC3IVRdc-js.es5.O/am=OBgwCw/d=1/excm=_b,_tp,articleview/ed=1/dg=0/wt=2/ujg=1/rs=AHrnUqUC0U47L_N8kMcLkQijaVUP_3FZOw/m=_b,_tp" defer id="base-js" fetchpriority="high" nonce="wC7T6QA8MeKpUedWZ2V6dQ"></script><script nonce="wC7T6QA8MeKpUedWZ2V6dQ">if (window.BOQ_loadedInitialJS) {onJsLoad();} else {document.getElementById('base-js').addEventListener('load', onJsLoad, false);}</script><script nonce="wC7T6QA8MeKpUedWZ2V6dQ"> window['_wjdc'] = function (d) {window['_wjdd'] = d}; </script><title>UNC3524: Eye Spy on Your Email | Mandiant | Google Cloud Blog</title><meta name="description" content=""><meta name="robots" content="max-image-preview:large"><meta property="og:title" content="UNC3524: Eye Spy on Your Email | Mandiant | Google Cloud Blog"><meta property="og:type" content="website"><meta property="og:url" content="https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email"><meta property="og:image" content="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png"><meta property="og:site_name" content="Google Cloud Blog"><meta name="twitter:card" content="summary_large_image"><meta name="twitter:url" content="https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email"><meta name="twitter:title" content="UNC3524: Eye Spy on Your Email | Mandiant | Google Cloud Blog"><meta name="twitter:description" content=""><meta name="twitter:image" content="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png"><meta name="twitter:site" content="@googlecloud"><script type="application/ld+json">{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email","headline":"UNC3524: Eye Spy on Your Email | Mandiant","description":"","image":"https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png","author":[{"@type":"Person","name":"Mandiant ","url":""}],"datePublished":"2022-05-02","publisher":{"@type":"Organization","name":"Google Cloud","logo":{"@type":"ImageObject","url":"https://www.gstatic.com/devrel-devsite/prod/v8bb8fa0afe9a8c3a776ebeb25d421bb443344d789b3607754dfabea418b8c4be/cloud/images/cloud-logo.svg"}},"url":"https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email","keywords":["Threat Intelligence","Security \u0026 Identity"],"timeRequired":"PT14M"}</script><link rel="canonical" href="https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email/"><meta name="track-metadata-page_post_title" content="UNC3524: Eye Spy on Your Email | Mandiant"><meta name="track-metadata-page_post_labels" content="Threat Intelligence"><meta name="track-metadata-page_first_published" content="2024-03-26 05:03:00"><meta name="track-metadata-page_last_published" content="2022-05-02 13:05:00"><meta name="track-metadata-page_post_author" content="Mandiant "><meta name="track-metadata-page_post_author_role" content=""><header jsaction="rcuQ6b:npT2md" jscontroller="o60eef" class="glue-header nRhiJb-tJHJj-OWXEXe-kFx1Ae" id="kO001e"><a href="./#content" class="glue-header__link glue-header__skip-content">Jump to Content</a><div class="glue-header__bar glue-header__bar--mobile DFb9Jf" track-metadata-module="header"><div class="nRhiJb-mb9u9d"><div class="glue-header__container JF2WI"><div class="nRhiJb-o2XRw-yHKmmc lUwpmd"><div class="nRhiJb-rSCjMe"><a class="nRhiJb-rSCjMe-hSRGPd" href="https://cloud.google.com/" title="Google Cloud" track-name="google cloud"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/"track-metadata-module="header"><div class="nRhiJb-rSCjMe-haAclf"><svg class="glue-header__logo-svg" viewBox="0 0 74 24" role="presentation" aria-hidden="true"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"></path><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"></path><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3.52 1.74 0 3.1 1.5 3.1 3.54.01 2.03-1.36 3.5-3.1 3.5z"></path><path fill="#FBBC05" d="M38 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"></path><path fill="#34A853" d="M58 .24h2.51v17.57H58z"></path><path fill="#EA4335" d="M68.26 15.52c-1.3 0-2.22-.59-2.82-1.76l7.77-3.21-.26-.66c-.48-1.3-1.96-3.7-4.97-3.7-2.99 0-5.48 2.35-5.48 5.81 0 3.26 2.46 5.81 5.76 5.81 2.66 0 4.2-1.63 4.84-2.57l-1.98-1.32c-.66.96-1.56 1.6-2.86 1.6zm-.18-7.15c1.03 0 1.91.53 2.2 1.28l-5.25 2.17c0-2.44 1.73-3.45 3.05-3.45z"></path></svg></div><span class="nRhiJb-rSCjMe-OWXEXe-UBMNlb khBwGd">Cloud</span></a></div></div><div class="glue-header__hamburger s6BfRd"><button class="glue-header__drawer-toggle-btn" aria-label="Open the navigation drawer"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z"></path></svg></button></div><div class="nRhiJb-o2XRw-yHKmmc UrjqX"><div class="nRhiJb-rSCjMe"><a class="nRhiJb-rSCjMe-hSRGPd" href="https://cloud.google.com/blog" title="Google Cloud Blog" track-name="blog"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog"track-metadata-module="header"><span class="nRhiJb-rSCjMe-OWXEXe-UBMNlb khBwGd">Blog</span></a></div></div></div><div class="glue-header__container ca6rub"><div class="nRhiJb-GUI8l"><a class="nRhiJb-LgbsSe nRhiJb-LgbsSe-OWXEXe-pSzOP-o6Shpd " href="https://cloud.google.com/contact/" track-name="contact sales"track-type="blog nav"track-metadata-eventdetail="cloud.google.com/contact/"track-metadata-module="header" track-name="contact sales"track-type="button"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/contact/">Contact sales </a><a class="nRhiJb-LgbsSe nRhiJb-LgbsSe-OWXEXe-CNusmb-o6Shpd " href="https://console.cloud.google.com/freetrial/" track-name="get started for free"track-type="blog nav"track-metadata-eventdetail="console.cloud.google.com/freetrial/"track-metadata-module="header" track-name="get started for free"track-type="button"track-metadata-position="nav"track-metadata-eventdetail="console.cloud.google.com/freetrial/">Get started for free </a></div><div class="GKI4ub"><div class="Jhiezd"><form action="/blog/search/" class="A2C6Ob"><input class="BAhdXd" jsname="oJAbI" name="query" type="text" placeholder="Find an article..."><input type="hidden" name="language" value=en hidden><input type="hidden" name="category" value=article hidden><input type="hidden" name="paginate" value="25" hidden><input type="hidden" name="order" value="newest" hidden><input type="hidden" name="hl" value=en hidden><span class="A0lwXc" jsname="D8MWrd" aria-label="Show the search input field." role="button" jsaction="click:jUF4E"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c" viewBox="0 0 24 24" role="presentation" aria-hidden="true" width="40" height="22"><path d="M20.49 19l-5.73-5.73C15.53 12.2 16 10.91 16 9.5A6.5 6.5 0 1 0 9.5 16c1.41 0 2.7-.47 3.77-1.24L19 20.49 20.49 19zM5 9.5C5 7.01 7.01 5 9.5 5S14 7.01 14 9.5 11.99 14 9.5 14 5 11.99 5 9.5z"></path></svg></span></form></div></div></div></div></div><div class="glue-header__bar glue-header__bar--desktop glue-header__drawer YcctDe" track-metadata-module="header"><div class="nRhiJb-mb9u9d M7RUq"><div class="glue-header__container JF2WI"><div class="nRhiJb-o2XRw-yHKmmc lUwpmd"><div class="nRhiJb-rSCjMe"><a class="nRhiJb-rSCjMe-hSRGPd" href="https://cloud.google.com/" title="Google Cloud" track-name="google cloud"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/"track-metadata-module="header"><div class="nRhiJb-rSCjMe-haAclf"><svg class="glue-header__logo-svg" viewBox="0 0 74 24" role="presentation" aria-hidden="true"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"></path><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"></path><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3.52 1.74 0 3.1 1.5 3.1 3.54.01 2.03-1.36 3.5-3.1 3.5z"></path><path fill="#FBBC05" d="M38 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"></path><path fill="#34A853" d="M58 .24h2.51v17.57H58z"></path><path fill="#EA4335" d="M68.26 15.52c-1.3 0-2.22-.59-2.82-1.76l7.77-3.21-.26-.66c-.48-1.3-1.96-3.7-4.97-3.7-2.99 0-5.48 2.35-5.48 5.81 0 3.26 2.46 5.81 5.76 5.81 2.66 0 4.2-1.63 4.84-2.57l-1.98-1.32c-.66.96-1.56 1.6-2.86 1.6zm-.18-7.15c1.03 0 1.91.53 2.2 1.28l-5.25 2.17c0-2.44 1.73-3.45 3.05-3.45z"></path></svg></div><span class="nRhiJb-rSCjMe-OWXEXe-UBMNlb khBwGd">Cloud</span></a></div></div><div class="nRhiJb-o2XRw-yHKmmc UrjqX"><div class="nRhiJb-rSCjMe"><a class="nRhiJb-rSCjMe-hSRGPd" href="https://cloud.google.com/blog" title="Google Cloud Blog" track-name="blog"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog"track-metadata-module="header"><span class="nRhiJb-rSCjMe-OWXEXe-UBMNlb khBwGd">Blog</span></a></div></div></div><div class="glue-header__container glue-header__stepped-nav LKvi8b" role="navigation"><div class="glue-header__stepped-nav-controls-container"><div class="glue-header__stepped-nav-controls"><div class="glue-header__stepped-nav-controls-arrow"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M16.41 5.41L15 4l-8 8 8 8 1.41-1.41L9.83 12"></path></svg><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G glue-header__stepped-nav-subnav-icon" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M7.59 18.59L9 20l8-8-8-8-1.41 1.41L14.17 12"></path></svg></div><div class="glue-header__stepped-nav-controls-title glue-header__link"></div></div></div><div class="glue-header__stepped-nav-menus"></div></div><div class="glue-header__container nRhiJb-J6KYL-OWXEXe-Q4irje"><nav class="glue-header__link-bar"><ul class="glue-header__list glue-header__list--nested glue-header__deep-nav URiJfb"><li class="glue-header__item "><a class="glue-header__link">Solutions & technology<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M5.41 7.59L4 9l8 8 8-8-1.41-1.41L12 14.17"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/ai-machine-learning" track-name="ai & machine learning"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/ai-machine-learning"track-metadata-module="header"><span>AI & Machine Learning</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/api-management" track-name="api management"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/api-management"track-metadata-module="header"><span>API Management</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/application-development" track-name="application development"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/application-development"track-metadata-module="header"><span>Application Development</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/application-modernization" track-name="application modernization"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/application-modernization"track-metadata-module="header"><span>Application Modernization</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/chrome-enterprise" track-name="chrome enterprise"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/chrome-enterprise"track-metadata-module="header"><span>Chrome Enterprise</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/compute" track-name="compute"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/compute"track-metadata-module="header"><span>Compute</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/containers-kubernetes" track-name="containers & kubernetes"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/containers-kubernetes"track-metadata-module="header"><span>Containers & Kubernetes</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/data-analytics" track-name="data analytics"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/data-analytics"track-metadata-module="header"><span>Data Analytics</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/databases" track-name="databases"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/databases"track-metadata-module="header"><span>Databases</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/devops-sre" track-name="devops & sre"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/devops-sre"track-metadata-module="header"><span>DevOps & SRE</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/maps-geospatial" track-name="maps & geospatial"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/maps-geospatial"track-metadata-module="header"><span>Maps & Geospatial</span></a></li><li class="glue-header__item "><a class="glue-header__link janap">Security<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M7.59 18.59L9 20l8-8-8-8-1.41 1.41L14.17 12"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/identity-security" track-name="security & identity"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/identity-security"track-metadata-module="header"><span>Security & Identity</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/threat-intelligence" track-name="threat intelligence"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence"track-metadata-module="header"><span>Threat Intelligence</span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/infrastructure" track-name="infrastructure"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/infrastructure"track-metadata-module="header"><span>Infrastructure</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/infrastructure-modernization" track-name="infrastructure modernization"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/infrastructure-modernization"track-metadata-module="header"><span>Infrastructure Modernization</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/networking" track-name="networking"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/networking"track-metadata-module="header"><span>Networking</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/productivity-collaboration" track-name="productivity & collaboration"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/productivity-collaboration"track-metadata-module="header"><span>Productivity & Collaboration</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/sap-google-cloud" track-name="sap on google cloud"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/sap-google-cloud"track-metadata-module="header"><span>SAP on Google Cloud</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/storage-data-transfer" track-name="storage & data transfer"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/storage-data-transfer"track-metadata-module="header"><span>Storage & Data Transfer</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/sustainability" track-name="sustainability"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/sustainability"track-metadata-module="header"><span>Sustainability</span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link">Ecosystem<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M5.41 7.59L4 9l8 8 8-8-1.41-1.41L12 14.17"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/transform" track-name="it leaders"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/transform"track-metadata-module="header"><span>IT Leaders</span></a></li><li class="glue-header__item "><a class="glue-header__link janap">Industries<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M7.59 18.59L9 20l8-8-8-8-1.41 1.41L14.17 12"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/financial-services" track-name="financial services"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/financial-services"track-metadata-module="header"><span>Financial Services</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/healthcare-life-sciences" track-name="healthcare & life sciences"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/healthcare-life-sciences"track-metadata-module="header"><span>Healthcare & Life Sciences</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/manufacturing" track-name="manufacturing"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/manufacturing"track-metadata-module="header"><span>Manufacturing</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/media-entertainment" track-name="media & entertainment"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/media-entertainment"track-metadata-module="header"><span>Media & Entertainment</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/public-sector" track-name="public sector"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/public-sector"track-metadata-module="header"><span>Public Sector</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/retail" track-name="retail"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/retail"track-metadata-module="header"><span>Retail</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/supply-chain-logistics" track-name="supply chain"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/supply-chain-logistics"track-metadata-module="header"><span>Supply Chain</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/telecommunications" track-name="telecommunications"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/telecommunications"track-metadata-module="header"><span>Telecommunications</span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/partners" track-name="partners"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/partners"track-metadata-module="header"><span>Partners</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/startups" track-name="startups & smb"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/startups"track-metadata-module="header"><span>Startups & SMB</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/training-certifications" track-name="training & certifications"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/training-certifications"track-metadata-module="header"><span>Training & Certifications</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/inside-google-cloud" track-name="inside google cloud"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/inside-google-cloud"track-metadata-module="header"><span>Inside Google Cloud</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/google-cloud-next" track-name="google cloud next & events"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/google-cloud-next"track-metadata-module="header"><span>Google Cloud Next & Events</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://mapsplatform.google.com/resources/blog/" track-name="google maps platform"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="mapsplatform.google.com/resources/blog/"track-metadata-module="header" target="_blank"><span>Google Maps Platform<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G FsOzib nRhiJb-tHaKme-AipIyc" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="m8.9 16.075 5.4-5.4v2.675h1.4V8.3h-5.05v1.4h2.65l-5.375 5.375ZM12 21.3q-1.925 0-3.625-.738-1.7-.737-2.95-1.987-1.25-1.25-1.987-2.95Q2.7 13.925 2.7 12t.738-3.625q.737-1.7 1.987-2.95 1.25-1.25 2.95-1.988Q10.075 2.7 12 2.7t3.625.737q1.7.738 2.95 1.988 1.25 1.25 1.987 2.95.738 1.7.738 3.625t-.738 3.625q-.737 1.7-1.987 2.95-1.25 1.25-2.95 1.987-1.7.738-3.625.738Z"></path></svg></span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://workspace.google.com/blog" track-name="google workspace"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="workspace.google.com/blog"track-metadata-module="header" target="_blank"><span>Google Workspace<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G FsOzib nRhiJb-tHaKme-AipIyc" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="m8.9 16.075 5.4-5.4v2.675h1.4V8.3h-5.05v1.4h2.65l-5.375 5.375ZM12 21.3q-1.925 0-3.625-.738-1.7-.737-2.95-1.987-1.25-1.25-1.987-2.95Q2.7 13.925 2.7 12t.738-3.625q.737-1.7 1.987-2.95 1.25-1.25 2.95-1.988Q10.075 2.7 12 2.7t3.625.737q1.7.738 2.95 1.988 1.25 1.25 1.987 2.95.738 1.7.738 3.625t-.738 3.625q-.737 1.7-1.987 2.95-1.25 1.25-2.95 1.987-1.7.738-3.625.738Z"></path></svg></span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link " href="https://cloud.google.com/blog/topics/developers-practitioners" track-name="developers & practitioners"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/developers-practitioners"track-metadata-module="header"><span>Developers & Practitioners</span></a></li><li class="glue-header__item "><a class="glue-header__link " href="https://cloud.google.com/transform" track-name="transform with google cloud"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/transform"track-metadata-module="header"><span>Transform with Google Cloud</span></a></li></ul></nav></div><div class="glue-header__container ca6rub nRhiJb-J6KYL-OWXEXe-SU0ZEf"><div class="nRhiJb-GUI8l"><a class="nRhiJb-LgbsSe nRhiJb-LgbsSe-OWXEXe-pSzOP-o6Shpd " href="https://cloud.google.com/contact/" track-name="contact sales"track-type="blog nav"track-metadata-eventdetail="cloud.google.com/contact/"track-metadata-module="header" track-name="contact sales"track-type="button"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/contact/">Contact sales </a><a class="nRhiJb-LgbsSe nRhiJb-LgbsSe-OWXEXe-CNusmb-o6Shpd " href="https://console.cloud.google.com/freetrial/" track-name="get started for free"track-type="blog nav"track-metadata-eventdetail="console.cloud.google.com/freetrial/"track-metadata-module="header" track-name="get started for free"track-type="button"track-metadata-position="nav"track-metadata-eventdetail="console.cloud.google.com/freetrial/">Get started for free </a></div><div class="GKI4ub"><div class="Jhiezd"><form action="/blog/search/" class="A2C6Ob"><input class="BAhdXd" jsname="oJAbI" name="query" type="text" placeholder="Find an article..."><input type="hidden" name="language" value=en hidden><input type="hidden" name="category" value=article hidden><input type="hidden" name="paginate" value="25" hidden><input type="hidden" name="order" value="newest" hidden><input type="hidden" name="hl" value=en hidden><span class="A0lwXc" jsname="D8MWrd" aria-label="Show the search input field." role="button" jsaction="click:jUF4E"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c" viewBox="0 0 24 24" role="presentation" aria-hidden="true" width="40" height="22"><path d="M20.49 19l-5.73-5.73C15.53 12.2 16 10.91 16 9.5A6.5 6.5 0 1 0 9.5 16c1.41 0 2.7-.47 3.77-1.24L19 20.49 20.49 19zM5 9.5C5 7.01 7.01 5 9.5 5S14 7.01 14 9.5 11.99 14 9.5 14 5 11.99 5 9.5z"></path></svg></span></form></div></div></div></div></div><div class="glue-header__drawer-backdrop"></div></header><script nonce="wC7T6QA8MeKpUedWZ2V6dQ">var AF_initDataKeys = ["ds:0"]; var AF_dataServiceRequests = {'ds:0' : {id:'nInjGe',request:["cloudblog","topics/threat-intelligence/unc3524-eye-spy-email","en"]}}; var AF_initDataChunkQueue = []; var AF_initDataCallback; var AF_initDataInitializeCallback; if (AF_initDataInitializeCallback) {AF_initDataInitializeCallback(AF_initDataKeys, AF_initDataChunkQueue, AF_dataServiceRequests);}if (!AF_initDataCallback) {AF_initDataCallback = function(chunk) {AF_initDataChunkQueue.push(chunk);};}</script></head><body id="yDmH0d" jscontroller="pjICDe" jsaction="rcuQ6b:npT2md; click:FAbpgf; auxclick:FAbpgf" class="tQj5Y ghyPEc IqBfM ecJEib EWZcud nRhiJb-qJTHM" data-has-header="true" data-has-footer="true"><script aria-hidden="true" nonce="wC7T6QA8MeKpUedWZ2V6dQ">window.wiz_progress&&window.wiz_progress();</script><div class="VUoKZ" aria-hidden="true"><div class="TRHLAc"></div></div><c-wiz jsrenderer="zPZHOe" class="SSPGKf" jsdata="deferred-i1" data-p="%.@."cloudblog","topics/threat-intelligence/unc3524-eye-spy-email","en"]" data-node-index="0;0" jsmodel="hc6Ubd" view c-wiz data-ogpc><div class="T4LgNb " jsname="a9kxte"><div jsname="qJTHM" class="kFwPee"><article class="nRhiJb-qJTHM" jsaction="rcuQ6b:npT2md" jscontroller="kxO7ab"><section class="nRhiJb-DARUcf"><div class="Wdmc0c nRhiJb-DbgRPb-wNfPc-cGMI2b"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c nRhiJb-BFbNVe-r8s4j-bMElCd dIsJJe" track-name="threat intelligence"track-type="tag">Threat Intelligence</div><div class="nRhiJb-ObfsIf"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-R6PoUb"></div><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-EehZO nRhiJb-fmcmS-oXtfBe"><h1 class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-ibL1re"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-ibL1re"><span class="FewWi"></span>UNC3524: Eye Spy on Your Email</div></h1></div></div><div class="nRhiJb-fmcmS-oXtfBe dEogG">May 2, 2022</div></div></section><div class="EKklye"><div class="nRhiJb-DARUcf ZWw7T"><div class="npzWPc"><div class="dzoHJ"><div class="nRhiJb-DX2B6 nRhiJb-DX2B6-OWXEXe-h30Snd"><div class="nRhiJb-j5y3u"><ul class="nRhiJb-Qijihe phRaUe" role="list"><li class="hpHPGf"><a class="nRhiJb-ARYxNe" href="https://x.com/intent/tweet?text=UNC3524:%20Eye%20Spy%20on%20Your%20Email%20@googlecloud&url=https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email" track-name="x"track-type="social share"track-metadata-eventdetail="x.com/intent/tweet?text=UNC3524: Eye Spy on Your Email%20@googlecloud&url=cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email"track-metadata-module="social icons" target="_blank" rel="noopener"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-DX2B6 nRhiJb-Bz112c-OWXEXe-nSuQf" viewBox="0 0 24 24" role="presentation" aria-hidden="true" role="presentation" aria-hidden="true"><path d="M13.9,10.5L21.1,2h-1.7l-6.3,7.4L8,2H2.2l7.6,11.1L2.2,22h1.7l6.7-7.8L16,22h5.8L13.9,10.5L13.9,10.5z M11.5,13.2l-0.8-1.1 L4.6,3.3h2.7l5,7.1l0.8,1.1l6.5,9.2h-2.7L11.5,13.2L11.5,13.2z"></path></svg></a></li><li class="hpHPGf"><a class="nRhiJb-ARYxNe" href="https://www.linkedin.com/shareArticle?mini=true&url=https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email&title=UNC3524:%20Eye%20Spy%20on%20Your%20Email" track-name="linkedin"track-type="social share"track-metadata-eventdetail="www.linkedin.com/shareArticle?mini=true&url=cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email&title=UNC3524: Eye Spy on Your Email"track-metadata-module="social icons" target="_blank" rel="noopener"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-DX2B6 nRhiJb-Bz112c-OWXEXe-nSuQf" viewBox="0 0 24 24" role="presentation" aria-hidden="true" role="presentation" aria-hidden="true"><path d="M20 2H4c-1.1 0-1.99.9-1.99 2L2 20c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V4c0-1.1-.9-2-2-2zM8 19H5v-9h3v9zM6.5 8.31c-1 0-1.81-.81-1.81-1.81S5.5 4.69 6.5 4.69s1.81.81 1.81 1.81S7.5 8.31 6.5 8.31zM19 19h-3v-5.3c0-.83-.67-1.5-1.5-1.5s-1.5.67-1.5 1.5V19h-3v-9h3v1.2c.52-.84 1.59-1.4 2.5-1.4 1.93 0 3.5 1.57 3.5 3.5V19z"></path></svg></a></li><li class="hpHPGf"><a class="nRhiJb-ARYxNe" href="https://www.facebook.com/sharer/sharer.php?caption=UNC3524:%20Eye%20Spy%20on%20Your%20Email&u=https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email" track-name="facebook"track-type="social share"track-metadata-eventdetail="www.facebook.com/sharer/sharer.php?caption=UNC3524: Eye Spy on Your Email&u=cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email"track-metadata-module="social icons" target="_blank" rel="noopener"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-DX2B6 nRhiJb-Bz112c-OWXEXe-nSuQf" viewBox="0 0 24 24" role="presentation" aria-hidden="true" role="presentation" aria-hidden="true"><path d="M20 2H4c-1.1 0-1.99.9-1.99 2L2 20c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V4c0-1.1-.9-2-2-2zm-1 2v3h-2c-.55 0-1 .45-1 1v2h3v3h-3v7h-3v-7h-2v-3h2V7.5C13 5.57 14.57 4 16.5 4H19z"></path></svg></a></li><li class="hpHPGf"><a class="nRhiJb-ARYxNe" href="mailto:?subject=UNC3524:%20Eye%20Spy%20on%20Your%20Email&body=Check%20out%20this%20article%20on%20the%20Cloud%20Blog:%0A%0AUNC3524:%20Eye%20Spy%20on%20Your%20Email%0A%0A%0A%0Ahttps://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email" track-name="email"track-type="social share"track-metadata-eventdetail="mailto:?subject=UNC3524: Eye Spy on Your Email&body=Check%20out%20this%20article%20on%20the%20Cloud%20Blog:%0A%0AUNC3524: Eye Spy on Your Email%0A%0A%0A%0Acloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email"track-metadata-module="social icons" target="_blank" rel="noopener"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-DX2B6 nRhiJb-Bz112c-OWXEXe-nSuQf" viewBox="0 0 24 24" role="presentation" aria-hidden="true" role="presentation" aria-hidden="true"><path d="M20 4H4c-1.1 0-2 .9-2 2v12c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V6c0-1.1-.9-2-2-2zm-.8 2L12 10.8 4.8 6h14.4zM4 18V7.87l8 5.33 8-5.33V18H4z"></path></svg></a></li></ul></div></div></div></div></div><div><section class="nRhiJb-DARUcf"><div class="nRhiJb-DbgRPb-wNfPc-ma6Yeb nRhiJb-DbgRPb-wNfPc-cGMI2b"><section class="DA9Qj nRhiJb-ObfsIf nRhiJb-fmcmS-oXtfBe"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf"></div><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c"><h5 class="cHE8Ub Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c">Mandiant </h5><p class="nRhiJb-qJTHM khCp7b"></p></div></section></div></section><div class="nRhiJb-DARUcf"><div class="nRhiJb-ObfsIf nRhiJb-DbgRPb-wNfPc-ma6Yeb nRhiJb-DbgRPb-qWD73c-cGMI2b"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-ibL1re dzoHJ"></div><div class="OYL9D nRhiJb-kR0ZEf-OWXEXe-GV1x9e-OiUrBf" jsname="tx2NYc"><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Written by: Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan, Chris Gardner</p> <hr></span></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p><em>UPDATE (November 2022):We have merged UNC3524 with APT29.</em><em>The UNC3524 activity described in this post is now attributed to APT29.</em></p> <p>Since December 2019, Mandiant has observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect. Most email systems, whether on-premises or in the cloud, offer programmatic methods to search and access email data across an entire organization, such as <a href="https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery?view=o365-worldwide" rel="noopener" target="_blank">eDiscovery</a> and the <a href="https://docs.microsoft.com/en-us/graph/overview" rel="noopener" target="_blank">Graph API</a>. Mandiant has observed threat actors use <a href="https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" rel="noopener" target="_blank">these same tools</a> to support their own collection requirements and to target the mailboxes of individuals in victim organizations.</p> <p>In this blog post, we introduce UNC3524, a newly discovered suspected espionage threat actor that, to date, heavily targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions. On the surface, their targeting of individuals involved in corporate transactions suggests a financial motivation; however, their ability to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021, as reported in <a href="https://www.mandiant.com/resources/m-trends-2022" rel="noopener" target="_blank"><em>M-Trends 2022</em></a>, suggests an espionage mandate. Part of the group’s success at achieving such a long dwell time can be credited to their choice to install backdoors on appliances within victim environments that do not support security tools, such as anti-virus or endpoint protection. The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the “advanced” in Advanced Persistent Threat. UNC3524 also takes persistence seriously. Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign. We are sharing the tools, tactics, and procedures used by UNC3524 to help organizations hunt for and protect against their operations.</p> <div> <h2>Attack Lifecycle</h2> </div> <h3>Initial Compromise and Maintain Presence</h3> <p>After gaining initial access by unknown means, UNC3524 deployed a novel backdoor tracked by Mandiant as QUIETEXIT, which is based on the open-source Dropbear SSH client-server software. For their long-haul remote access, UNC3524 opted to deploy QUIETEXIT on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools (EDRs), subsequently leaving the underlying operating systems to vendors to manage. These appliances are often running older versions of BSD or CentOS and would require considerable planning to compile functional malware for them. By targeting trusted systems within victim environments that do not support any type of security tooling, UNC3524 was able to remain undetected in victim environments for at least 18 months.</p> <p>QUIETEXIT works as if the traditional client-server roles in an SSH connection were reversed. Once the client, running on a compromised system, establishes a TCP connection to a server, it performs the SSH server role. The QUIETEXIT component running on the threat actor’s infrastructure initiates the SSH connection and sends a password. Once the backdoor establishes a connection, the threat actor can use any of the options available to an SSH client, including proxying traffic via SOCKS. QUIETEXIT has no persistence mechanism; however, we have observed UNC3524 install a run command (rc) as well as hijack legitimate application-specific startup scripts to enable the backdoor to execute on system startup.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig1_enga.max-1600x1600.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig1_enga.max-1600x1600.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig1_enga.max-1600x1600.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig1_enga.max-1600x1600.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 1: How QUIETEXIT works with IoT devices</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>On startup, QUIETEXIT attempts to change its name to cron, but the malware author did not implement this correctly, so it fails. During our incident response investigations, we recovered QUIETEXIT samples that were renamed to blend in with other legitimate files on the file system. In one case with an infected node of a NAS array, UNC3524 named the binary to blend in with a suite of scripts used to mount various filesystems to the NAS.</p> <p>When run with command line arguments <code>-X -p ort</code> the malware connects to a hard-coded command and control (C2) address on the specific port. If this fails, it will attempt to connect to a second hard coded C2 if one is configured. The user can also specify a hostname or IP address on the command line in the -p argument as well, e.g. <code>-X -p ost:ort</code>.The -X command line argument is case sensitive. If the lower-case x option is used, then the malware will only attempt to connect to the C2 server once. If the upper-case X option is used, then the malware will sleep for a random number of minutes between a hard-coded time range and fork to reattempt the connection. It re-attempts the connection regardless of whether a connection has already been established. In our investigations we observed UNC3524 use C2 domains that intended to blend in with legitimate traffic originating from the infected appliances. Using the example of an infected load balancer, the C2 domains contained strings that could plausibly relate to the device vendor and branded operating system name. This level of planning demonstrates that UNC3524 understands incident response processes and tried to make their C2 traffic appear as legitimate to anyone that might scroll through DNS or session logs.</p> <p>All QUIETEXIT C2 domains that Mandiant observed used Dynamic DNS providers. Dynamic DNS allows for threat actors to update the DNS records for domains in a near seamless fashion. When the C2s where inactive, the threat actor had the domains resolve to 127.0.0.1. However, occasionally the port numbers would change or VPS infrastructure would be used rather than compromised camera botnet. We suspected that when the threat actor experienced issues accessing a victim, they would troubleshoot using new infrastructure or different ports.</p> <p>In some cases, the threat actor deployed a secondary backdoor as a means of alternate access into victim environments. This alternate access was a <a href="https://advantage.mandiant.com/malware/malware--33065e77-067e-5554-a325-86f0e95968dc" rel="noopener" target="_blank">REGEORG</a> web shell previously placed on a DMZ web server. REGEORG is a web shell that creates a SOCKS proxy, keeping with UNC3524’s preference for tunneling malware. Once inside the victim environment, the threat actor spent time to identify web servers in the victim environment and ensure they found one that was Internet accessible before copying REGEORG to it. They also took care to name the file so that it blended in with the application running on the compromised server. Mandiant also observed instances where UNC3542 used timestomping to alter the Standard Information timestamps of the REGEORG web shell to match other files in the same directory.</p> <p>UNC3542 only used these web shells when their QUIETEXIT backdoors stopped functioning and only to re-establish QUIETEXIT on another system in the network. Rather than use the public version of REGEORG published by Sensepost, UNC3542 used a still public but little-known version of the web shell that is heavily obfuscated. This allowed them to bypass common signature-based detections for REGEORG.</p> <h3>Move Laterally</h3> <p>Once UNC3524 established a foothold in the network they demonstrated a very low malware footprint and instead relied on built-in Windows protocols. During our incident response investigations, we traced most accesses to a victim appliance infected with QUIETEXIT. QUIETEXIT supports the full functionality of SSH, and our observation is consistent with UNC3524 using it to establish a SOCKS tunnel into the victim environments. By standing up a SOCKS tunnel, the threat actor effectively plugs in their machine to an ethernet jack within the victim’s network. By tunneling over SOCKS, the threat actor can execute tools to steal data from their own computer, leaving no traces of the tooling itself on victim computers.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig2_bmkh.max-1800x1800.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig2_bmkh.max-1800x1800.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig2_bmkh.max-1800x1800.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig2_bmkh.max-1800x1800.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 2: Tunneling through QUIETEXIT</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>To perform lateral movement to systems of interest, UNC3524 used a customized version of Impacket’s <a href="https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py" rel="noopener" target="_blank">WMIEXEC</a>. WMIEXEC uses Windows Management Instrumentation to establish a semi-interactive shell on a remote host. The utility provides a semi-interactive shell by writing command outputs to a file on the remote host and then printing the output to the terminal. The default Impacket version uses a hardcoded file path and filename structure for these output files, providing a detection opportunity. Mandiant has observed UNC3524 modifying the hardcoded file path (\\127.0.0.1\ADMIN$\debug\DEBUG.LOG<u>)</u> to evade basic detections for filenames such as Impacket’s default double underscore files. We also observed the threat actor using the built-in <code>reg save</code> command to save registry hives and extract LSA secrets offline.</p> <h3>Complete Mission</h3> <p>Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment. In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes, focusing their attention on executive teams and employees that work in corporate development, mergers and acquisitions, or IT security staff. It’s likely that the threat actor was targeting the IT security team as a method to determine if their operation had been detected.</p> <p>The methods that UNC3524 used to authenticate to the Exchange infrastructure evolved throughout the course of the intrusions; this may be a result of them periodically losing access due to the natural changes in corporate infrastructure or simply updating their tactics. They authenticated to Exchange using the username and password of targeted accounts, using accounts holding ApplicationImpersonation rights, or using Service Principal credentials. Each of these methods, their detections, and configuration recommendations can be found at <a href="https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" rel="noopener" target="_blank">Mandiant's UNC2452 Microsoft 365 Hardening Guide</a>.</p> <p>Once authenticated to the exchange infrastructure, UNC3524 made a series of EWS API requests to extract mail items from the target mailbox. For each mailbox, the threat actor made a series of <code>GetFolder</code> and <code>FindFolder</code> requests that returned data describing the mailbox, such as the number of unread messages and sub-folders within the specified folder.</p> <p> </p> <pre><code><?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="https://schemas.microsoft.com/exchange/services/2006/types"> <soap:Header> <t:RequestServerVersion Version="Exchange2013" /> <t:ExchangeImpersonation> <t:ConnectingSID> <t:PrimarySmtpAddress>target@victimorg.com</t:PrimarySmtpAddress> </t:ConnectingSID> </t:ExchangeImpersonation> </soap:Header> <soap:Body> <GetFolder xmlns="https://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="https://schemas.microsoft.com/exchange/services/2006/types"> <FolderShape> <t:BaseShape>Default</t:BaseShape> </FolderShape> <FolderIds> <t:DistinguishedFolderId Id="Root"/> </FolderIds> </GetFolder> </soap:Body> </soap:Envelope></code></pre> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center"><span style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%">Figure 3: Sample EWS GetFolder request</span></div> </div> <p>After the enumeration of the mailbox structure, the threat actor issued a <code>FindItem</code> request with a Query Filter that selected all messages from a specific folder with a <code>DateTimeCreated</code> greater than a specific date. The date in the filter corresponded to the last time the threat actor accessed the mailbox. This meant that the threat actor would acquire all newly created items in the mailbox since the last time they had extracted data. This follows an approach that Mandiant has previously observed with APT29. Rather than target a mailbox using specific keywords, the threat actor instead extracted the entire contents over a particular date range.</p> <p> </p> <pre><code><?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="https://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="https://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="https://schemas.xmlsoap.org/soap/envelope/"> <soap:Header> <t:RequestServerVersion Version="Exchange2013" /> <t:ExchangeImpersonation> <t:ConnectingSID> <t:PrimarySmtpAddress>target@victimorg.com</t:PrimarySmtpAddress> </t:ConnectingSID> </t:ExchangeImpersonation> </soap:Header> <soap:Body> <m:FindItem Traversal="Shallow"> <m:ItemShape> <t:BaseShape>IdOnly</t:BaseShape> <t:AdditionalProperties> <t:FieldURI FieldURI="item:Subject" /> <t:FieldURI FieldURI="item:DateTimeCreated " /> </t:AdditionalProperties> </m:ItemShape> <m:IndexedPageItemView MaxEntriesReturned="100" Offset="0" BasePoint="Beginning" /> <m:Restriction> <t:IsGreaterThan> <t:FieldURI FieldURI="item:DateTimeCreated " /> <t:FieldURIOrConstant> <t:Constant Value="2022-01-01T00:00:00" /> </t:FieldURIOrConstant> </t:IsGreaterThan> </m:Restriction> <m:SortOrder> <t:FieldOrder Order="Descending"> <t:FieldURI FieldURI="item:DateTimeCreated" /> </t:FieldOrder> </m:SortOrder> <m:ParentFolderIds> <t:DistinguishedFolderId Id="inbox" /> </m:ParentFolderIds> </m:FindItem> </soap:Body> </soap:Envelope></code></pre> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center"><span style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%">Figure 4: Sample EWS FindItem request</span></div> </div> <p>Finally, the threat actor iterated through each message identifier returned in the <code>FindItem</code> response and made a <code>GetItem</code> request. The threat actor set the <code>IncludeMimeContent</code> parameter to true for the request, which resulted in Exchange returning the message in MIME format. This is important because the MIME message includes both the message body and any attachments. It is worth noting that if the messages were encrypted using PGP, SMIME, Office 365 Message Encryption (OME), or other encryption technology, then the <code>GetItem</code> response will only contain the ciphertext or in the case of OME, a link to authenticate and view the real message.</p> <p> </p> <pre><code><?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="https://schemas.microsoft.com/exchange/services/2006/types"> <soap:Body> <GetItem xmlns="https://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="https://schemas.microsoft.com/exchange/services/2006/types"> <ItemShape> <t:BaseShape>Default</t:BaseShape> <t:IncludeMimeContent>true</t:IncludeMimeContent> </ItemShape> <ItemIds> <t:ItemId Id="<ID OF MESSAGE>" ChangeKey="CQAAAB" /> </ItemIds> </GetItem> </soap:Body> </soap:Envelope></code></pre> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center"><span style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%">Figure 5: Sample EWS GetItem request</span></div> </div> <div> <h2>Operational Security and Infrastructure</h2> </div> <p>Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.</p> <p>The C2 systems that Mandiant identified were primarily legacy conference room camera systems sold by LifeSize, Inc. and in one instance, a D-Link IP camera. These camera systems appeared to be infected, likely with the server component of QUIETEXIT. These cameras were directly Internet exposed, possibly through an improper UPnP configuration, and may have been running older firmware. Mandiant suspects that default credentials, rather than an exploit, were the likely mechanism used to compromise these devices and form the IoT botnet used by UNC3524. Similar to the use of embedded network devices, UNC3524 can avoid detection by operating from compromised infrastructure connected directly to the public Internet such as IP cameras where typical antivirus and security monitoring may be absent.</p> <div> <h2>Detection</h2> </div> <p>UNC3524’s use of compromised appliances makes host-based hunting and detection extremely difficult. The best opportunity for detection remains in network-based logging, specifically monitoring traffic at the layer 7 level. Mandiant recommends hunting for traffic tagged as the “SSH” application egressing environments over ports other than 22. This traffic should be relatively small, and any findings should be investigated. Organizations can also look for outbound SSH traffic originating from IP addresses that are unknown or not in asset management systems. These source systems are more likely to be appliances that aren’t centrally managed. Finally, large volumes of network traffic originating from the “management” interfaces of appliances such as NAS arrays and load balancers should be investigated as suspicious as well.</p> <p>UNC3524 targets opaque network appliances because they are often the most unsecure and unmonitored systems in a victim environment. Organizations should take steps to inventory their devices that are on the network and do not support monitoring tools. Each device likely has vendor-specific hardening actions to take to ensure that the proper logging is enabled, and logs are forwarded to a central repository. Organizations can also take steps to use network access controls to limit or completely restrict egress traffic from these devices.</p> <p>For host-based hunting, Mandiant recommends hunting for QUIETEXIT on devices using the provided grep commands. Most appliances that provide shell access should have the grep binary available.</p> <p>Find QUIETEXIT hard-coded byte string using grep:</p> <p> </p> <pre><code>Find QUIETEXIT hard-coded byte string using grep:</code></pre> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> </div> <p>Find QUIETEXIT by looking for the hard-coded password value:</p> <p> </p> <pre><code>grep '\xDD\xE5\xD5\x97\x20\x53\x27\xBF\xF0\xA2\xBA\xCD\x96\x35\x9A\xAD\x1C\x75\xEB\x47' -rs /</code></pre> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> </div> <p>Find QUIETEXIT persistence mechanisms in the appliance’s rc.local directory by looking for the command line arguments:</p> <p> </p> <pre><code>grep -e " -[Xx] -p [[:digit:]{2,6}]" -rs /etc</code></pre> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> </div> <div> <h2>Remediation and Hardening</h2> </div> <p>Mandiant has published <a href="https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" rel="noopener" target="_blank">remediation and hardening strategies</a> for Microsoft 365.</p> <h2>Attribution</h2> <p>The methodologies Mandiant observed during UNC3524 intrusions overlapped with techniques used by multiple Russia-based espionage threat actors including both EWS impersonation and SPN credential addition. Mandiant has only observed <a href="https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor" rel="noopener" target="_blank">APT29<u> performing </u>SPN credential addition</a>; however, this technique has been reported on publicly since early 2019. The NSA has previously reported automated password spraying using Kubernetes, Exchange Exploitation, and REGEORG as <a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" rel="noopener" target="_blank">associated with APT28</a><u>.</u> While the activity reported by the NSA used TOR and commercial VPNs, UNC3524 primarily used compromised internet facing devices. One interesting aspect of UNC3524’s use of REGEORG was that it matched identically with the version publicly reported by the NSA as used by APT28. At the time of writing, Mandiant cannot conclusively link UNC3524 to an existing group currently tracked by Mandiant.</p> <h2>Acknowledgements</h2> <p>We would like to thank our incident response consultants, Managed Defense responders, and FLARE reverse engineers who enabled this research.Thanks to Kirstie Failey, Jake Nicastro, John Wolfram, Sarah Hawley and Nick Richard for technical review, and Ryan Hall and Alyssa Rahman for research contributions.</p> <div> <h2>MITRE ATT&CK</h2> </div> <p>Mandiant has observed UNC3524 use the following techniques.</p> <p> </p> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table> <tbody> <tr> <td style="border:1px solid #000000;padding:16px"><strong>ATT&CK Tactic Category</strong></td> <td style="border:1px solid #000000;padding:16px"><strong>Techniques</strong></td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Defense Evasion</td> <td style="border:1px solid #000000;padding:16px">T1027: Obfuscated Files or Information</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Discovery</td> <td style="border:1px solid #000000;padding:16px"> <p><span lang="EN-CA"> T1012: Query Registry</span></p> <p><span lang="EN-CA"> T1016: System Network Configuration Discovery</span></p> <p><span lang="EN-CA"> T1049: System Network Connections Discovery</span></p> <p><span lang="EN-CA"> T1057: Process Discovery</span></p> <p><span lang="EN-CA"> T1518: Software Discovery</span></p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Credential Access</td> <td style="border:1px solid #000000;padding:16px"> <p>T1003.004: LSA Secrets</p> <p>T1003.006: DCSync</p> <p>T1111: Two-Factor Authentication Interception</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Collection</td> <td style="border:1px solid #000000;padding:16px"> <p><span lang="EN-CA"> T1114: Email Collection</span></p> <p><span lang="EN-CA"> T1114.002: Remote Email Collection</span></p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Lateral Movement</td> <td style="border:1px solid #000000;padding:16px">T1021.004: SSH</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Persistence</td> <td style="border:1px solid #000000;padding:16px"> <p><span lang="EN-CA"> T1037.004: RC Scripts</span></p> <p><span lang="EN-CA"> T1098.001: Additional Cloud Credentials</span></p> <p><span lang="EN-CA"> T1505.003: Web Shell</span></p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Command and Control</td> <td style="border:1px solid #000000;padding:16px"> <p><span lang="EN-CA"> T1071: Application Layer Protocol</span></p> <p><span lang="EN-CA"> T1090.003: Multi-hop Proxy</span></p> <p><span lang="EN-CA"> T1095: Non-Application Layer Protocol</span></p> <p><span lang="EN-CA"> T1572: Protocol Tunneling</span></p> <p><span lang="EN-CA"> T1573.002: Asymmetric Cryptography</span></p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Resource Development</td> <td style="border:1px solid #000000;padding:16px"> <p><span lang="EN-CA"> T1583.003: Virtual Private Server</span></p> <p><span lang="EN-CA"> T1584: Compromise Infrastructure</span></p> <p><span lang="EN-CA"> T1608.003: Install Digital Certificate</span></p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Execution</td> <td style="border:1px solid #000000;padding:16px"> <p><span lang="EN-CA"> T1059.001: PowerShell</span></p> <p><span lang="EN-CA"> T1059.003: Windows Command Shell</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> <div> <h2>YARA Signatures</h2> </div> <p>Note: These rules are designed to broadly capture suspicious files and are not designed to detect a particular malware or threat.</p> <p> </p> <pre><code>rule QUIETEXIT_strings { meta: author = "Mandiant" date_created = "2022-01-13" date_modified = "2022-01-13" rev = 1 strings: $s1 = "auth-agent@openssh.com" $s2 = "auth-%.8x-%d" $s3 = "Child connection from %s:%s" $s4 = "Compiled without normal mode, can't run without -i" $s5 = "cancel-tcpip-forward" $s6 = "dropbear_prng" $s7 = "cron" condition: uint32be(0) == 0x7F454C46 and filesize < 2MB and all of them }</code></pre> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> </div> <pre><code>rule REGEORG_Tuneller_generic { meta: author = "Mandiant" date_created = "2021-12-20" date_modified = "2021-12-20" md5 = "ba22992ce835dadcd06bff4ab7b162f9" strings: $s1 = "System.Net.IPEndPoint" $s2 = "Response.AddHeader" $s3 = "Request.InputStream.Read" $s4 = "Request.Headers.Get" $s5 = "Response.Write" $s6 = "System.Buffer.BlockCopy" $s7 = "Response.BinaryWrite" $s8 = "SocketException soex" condition: filesize < 1MB and 7 of them }</code></pre> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> </div> <pre><code>rule UNC3524_sha1 { meta: author = "Mandiant" date_created = "2022-01-19" date_modified = "2022-01-19" strings: $h1 = { DD E5 D5 97 20 53 27 BF F0 A2 BA CD 96 35 9A AD 1C 75 EB 47 } condition: uint32be(0) == 0x7F454C46 and filesize < 10MB and all of them }</code></pre> <h2>Indicators</h2> <p> </p> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table> <tbody> <tr> <td style="border:1px solid #000000;padding:16px"><strong>MALWARE FAMILY</strong></td> <td style="border:1px solid #000000;padding:16px"><strong>Indicator</strong></td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">QUIETEXIT Dynamic DNS</td> <td style="border:1px solid #000000;padding:16px">cloudns.asia<br>dynu.net<br>mywire.org<br>webredirect.org</td> </tr> </tbody> </table></div> </div> </div> </div> </div> <p> </p> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table> <tbody> <tr> <td style="border:1px solid #000000;padding:16px"><strong>MALWARE FAMILY</strong></td> <td style="border:1px solid #000000;padding:16px"><strong>MD5</strong></td> <td style="border:1px solid #000000;padding:16px"><strong>SHA1</strong></td> <td style="border:1px solid #000000;padding:16px"><strong>SHA256</strong></td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">REGEORG GitHub version</td> <td style="border:1px solid #000000;padding:16px">ba22992ce835dadcd06bff4ab7b162f9</td> <td style="border:1px solid #000000;padding:16px">3d4dcc859c6ca7e5b36483ad84c9ceef34973f9a</td> <td style="border:1px solid #000000;padding:16px">7b5e3c1c06d82b3e7309C258dfbd4bfcd476c8ffcb4cebda76146145502a5997</td> </tr> </tbody> </table></div> </div> </div> </div> </div></span></section><section class="kcBhad"><section class="Fabbec"><span class="WrMNjb">Posted in</span><ul class="FzXI4e"><li class="I4B51b"><a href="https://cloud.google.com/blog/topics/threat-intelligence" track-metadata-position="body"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence"track-metadata-module="tag list"track-metadata-module_headline="posted in">Threat Intelligence</a></li><li class="I4B51b"><a href="https://cloud.google.com/blog/products/identity-security" track-metadata-position="body"track-metadata-eventdetail="cloud.google.com/blog/products/identity-security"track-metadata-module="tag list"track-metadata-module_headline="posted in">Security & Identity</a></li></ul></section></section></div></div></div></div></div><section class="nRhiJb-DARUcf " track-metadata-module="related articles" track-metadata-module_headline="related articles"><div class="nRhiJb-DbgRPb-c5RTEf-ma6Yeb nRhiJb-DbgRPb-wNfPc-cGMI2b"><h5 class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-wNfPc nRhiJb-DbgRPb-II5mzb-cGMI2b">Related articles</h5><section class="m9cUGf HGev3 nJD2Qe nRhiJb-ObfsIf"><div class=" QaGyvd nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c-V2iZpe"><div class="mA0uBe"><a href="https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations" class="lD2oe" track-name="seeing through a glassbridge: understanding the digital marketing ecosystem spreading pro-prc influence operations"track-type="card"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations"><div class="AhkbS "><div class="hqnDEf"><section class="PBkdHd "><img class=" D5RK8d" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png" loading="lazy"/></section></div><div class="JUOx5b"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c nRhiJb-DbgRPb-c5RTEf-ma6Yeb nRhiJb-BFbNVe-r8s4j-bMElCd FI6Gl nRhiJb-fmcmS-oXtfBe" track-name="threat intelligence"track-type="tag">Threat Intelligence</div><h3 class="Qwf2Db-MnozTc HGFKtc Qwf2Db-MnozTc-OWXEXe-MnozTc-wNfPc">Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations</h3><p class="nRhiJb-cHYyed dTIXyb nRhiJb-DbgRPb-R6PoUb-ma6Yeb">By Google Threat Intelligence Group • 6-minute read</p></div></div></a></div></div><div class=" QaGyvd nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c-V2iZpe"><div class="mA0uBe"><a href="https://cloud.google.com/blog/topics/threat-intelligence/gemini-malware-analysis-code-interpreter-threat-intelligence" class="lD2oe" track-name="empowering gemini for malware analysis with code interpreter and google threat intelligence"track-type="card"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence/gemini-malware-analysis-code-interpreter-threat-intelligence"><div class="AhkbS "><div class="hqnDEf"><section class="PBkdHd "><img class=" D5RK8d" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png" loading="lazy"/></section></div><div class="JUOx5b"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c nRhiJb-DbgRPb-c5RTEf-ma6Yeb nRhiJb-BFbNVe-r8s4j-bMElCd FI6Gl nRhiJb-fmcmS-oXtfBe" track-name="threat intelligence"track-type="tag">Threat Intelligence</div><h3 class="Qwf2Db-MnozTc HGFKtc Qwf2Db-MnozTc-OWXEXe-MnozTc-wNfPc">Empowering Gemini for Malware Analysis with Code Interpreter and Google Threat Intelligence</h3><p class="nRhiJb-cHYyed dTIXyb nRhiJb-DbgRPb-R6PoUb-ma6Yeb">By Bernardo Quintero • 6-minute read</p></div></div></a></div></div><div class=" QaGyvd nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c-V2iZpe"><div class="mA0uBe"><a href="https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-adversarial-emulation" class="lD2oe" track-name="pirates in the data sea: ai enhancing your adversarial emulation"track-type="card"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-adversarial-emulation"><div class="AhkbS "><div class="hqnDEf"><section class="PBkdHd "><img class=" D5RK8d" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png" loading="lazy"/></section></div><div class="JUOx5b"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c nRhiJb-DbgRPb-c5RTEf-ma6Yeb nRhiJb-BFbNVe-r8s4j-bMElCd FI6Gl nRhiJb-fmcmS-oXtfBe" track-name="threat intelligence"track-type="tag">Threat Intelligence</div><h3 class="Qwf2Db-MnozTc HGFKtc Qwf2Db-MnozTc-OWXEXe-MnozTc-wNfPc">Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation</h3><p class="nRhiJb-cHYyed dTIXyb nRhiJb-DbgRPb-R6PoUb-ma6Yeb">By Mandiant • 25-minute read</p></div></div></a></div></div><div class=" QaGyvd nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c-V2iZpe"><div class="mA0uBe"><a href="https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2025" class="lD2oe" track-name="emerging threats: cybersecurity forecast 2025"track-type="card"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2025"><div class="AhkbS "><div class="hqnDEf"><section class="PBkdHd "><img class=" D5RK8d" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png" loading="lazy"/></section></div><div class="JUOx5b"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c nRhiJb-DbgRPb-c5RTEf-ma6Yeb nRhiJb-BFbNVe-r8s4j-bMElCd FI6Gl nRhiJb-fmcmS-oXtfBe" track-name="threat intelligence"track-type="tag">Threat Intelligence</div><h3 class="Qwf2Db-MnozTc HGFKtc Qwf2Db-MnozTc-OWXEXe-MnozTc-wNfPc">Emerging Threats: Cybersecurity Forecast 2025</h3><p class="nRhiJb-cHYyed dTIXyb nRhiJb-DbgRPb-R6PoUb-ma6Yeb">By Adam Greenberg • 3-minute read</p></div></div></a></div></div></section></div></section></article></div></div><c-data id="i1" jsdata=" n2jFB;_;1"></c-data></c-wiz><script aria-hidden="true" nonce="wC7T6QA8MeKpUedWZ2V6dQ">window.wiz_progress&&window.wiz_progress();window.wiz_tick&&window.wiz_tick('zPZHOe');</script><script nonce="wC7T6QA8MeKpUedWZ2V6dQ">(function(){'use strict';var c=window,d=[];c.aft_counter=d;var e=[],f=0;function _recordIsAboveFold(a){if(!c._isLazyImage(a)&&!a.hasAttribute("data-noaft")&&a.src){var b=(c._isVisible||function(){})(c.document,a);a.setAttribute("data-atf",b);b&&(e.indexOf(a)!==-1||d.indexOf(a)!==-1||a.complete||d.push(a),a.hasAttribute("data-iml")&&(a=Number(a.getAttribute("data-iml")),a>f&&(f=a)))}} c.initAft=function(){f=0;e=Array.prototype.slice.call(document.getElementsByTagName("img")).filter(function(a){return!!a.getAttribute("data-iml")});[].forEach.call(document.getElementsByTagName("img"),function(a){try{_recordIsAboveFold(a)}catch(b){throw b.message=a.hasAttribute("data-iid")?b.message+"\nrecordIsAboveFold error for defer inlined image":b.message+("\nrecordIsAboveFold error for img element with <src: "+a.src+">"),b;}});if(d.length===0)c.onaft(f)};}).call(this); initAft()</script><script id="_ij" nonce="wC7T6QA8MeKpUedWZ2V6dQ">window.IJ_values = [[null,null,"",false,null,null,true,false],'0','https:\/\/cloud.google.com\/blog\/',["cloudblog","topics/threat-intelligence/unc3524-eye-spy-email",["en","de","fr","ko","ja"],"en",null,"https://cloud.google.com/blog","blog_article","cloud.google.com",["https://console.cloud.google.com/freetrial/","https://cloud.google.com/contact/","https://cloud.google.com/","https://cloud.google.com/blog","https://cloud.google.com/","https://www.google.com/","https://cloud.google.com/products/","https://about.google.com/products/","https://about.google/intl/en/","https://support.google.com"],["googlecloud","googlecloud","showcase/google-cloud","googlecloud/","googlecloud/"],true], null ,'boq_cloudx-web-blog-uiserver_20241121.08_p0','cloud.google.com',["SG",1],[[["bigquery_ftv",["bigquery_ftv",[["control",["control",[97716263,97716264],["/bigquery"]]],["variantA",["variantA",[97716265,97716266],["/bigquery"]]],["variantB",["variantB",[97716267,97716268],["/bigquery"]]],["variantC",["variantC",[97716269,97716270],["/bigquery"]]]]]],["jss",["jss",[["control",["control",[93803230,93804391],["/products/ai","/products/compute","/solutions/web-hosting"]]],["variantA",["variantA",[93803231,93804392],["/products/ai","/products/compute","/solutions/web-hosting"]]],["variantB",["variantB",[93803232,93804393],["/products/ai","/products/compute","/solutions/web-hosting"]]],["variantC",["variantC",[93803233,93804394],["/products/ai","/products/compute","/solutions/web-hosting"]]]]]]]], 0.0 ,["GTM-5CVQBG",[["en","\u202aEnglish\u202c",true,"en"],["de","\u202aDeutsch\u202c",true,"de"],["es","\u202aEspañol\u202c",true,"es"],["es-419","\u202aEspañol (Latinoamérica)\u202c",true,"es-419"],["fr","\u202aFrançais\u202c",true,"fr"],["id","\u202aIndonesia\u202c",true,"id"],["it","\u202aItaliano\u202c",true,"it"],["pt-BR","\u202aPortuguês (Brasil)\u202c",true,"pt-BR"],["zh-CN","\u202a简体中文\u202c",true,"zh-Hans"],["zh-TW","\u202a繁體中文\u202c",true,"zh-Hant"],["ja","\u202a日本語\u202c",true,"ja"],["ko","\u202a한국어\u202c",true,"ko"]],["83405","AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg"],"en",null,null,[],[["https://cloud.google.com/innovators","https://cloud.google.com/innovators/plus/activate","https://cloud.google.com/innovators/innovatorsplus"],["https://workspace.google.com/pricing","https://www.x.com/googleworkspace","https://www.facebook.com/googleworkspace","https://www.youtube.com/channel/UCBmwzQnSoj9b6HzNmFrg_yw","https://www.instagram.com/googleworkspace","https://www.linkedin.com/showcase/googleworkspace","https://about.google/?utm_source\u003dworkspace.google.com\u0026utm_medium\u003dreferral\u0026utm_campaign\u003dgsuite-footer-en","https://about.google/products/?tip\u003dexplore","https://workspace.google.com","https://workspace.google.com/contact/?source\u003dgafb-form-globalnav-en","https://workspace.google.com/business/signup/welcome?hl\u003den\u0026source\u003dgafb-form-globalnav-en","https://workspace.google.com/blog"],["https://www.cloudskillsboost.google","https://www.cloudskillsboost.google?utm_source\u003dcgc\u0026utm_medium\u003dwebsite\u0026utm_campaign\u003devergreen","https://www.cloudskillsboost.google/subscriptions?utm_source\u003dcgc\u0026utm_medium\u003dwebsite\u0026utm_campaign\u003devergreenlaunchpromo","https://www.cloudskillsboost.google/subscriptions?utm_source\u003dcgc\u0026utm_medium\u003dwebsite\u0026utm_campaign\u003devergreen","https://www.cloudskillsboost.google/catalog?utm_source\u003dcgc\u0026utm_medium\u003dwebsite\u0026utm_campaign\u003devergreen","https://www.cloudskillsboost.google/paths?utm_source\u003dcgc\u0026utm_medium\u003dwebsite\u0026utm_campaign\u003devergreen"],["https://mapsplatform.google.com"],["https://cloud.google.com/developers","https://cloud.google.com/developers/settings?utm_source\u003dinnovators"],["https://console.cloud.google.com/freetrial","https://console.cloud.google.com/","https://console.cloud.google.com/freetrial?redirectPath\u003dhttps://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email/"],["https://aitestkitchen.withgoogle.com/signup","https://blog.google/technology/ai/join-us-in-the-ai-test-kitchen/","https://cloud.google.com/ai"],["https://googlecloudplatform.blogspot.com/","https://github.com/GoogleCloudPlatform","https://www.linkedin.com/company/google-cloud","https://twitter.com/GoogleCloud_sg","https://www.facebook.com/googlecloud","https://www.youtube.com/GoogleCloudAPAC"]],[2024,11,23],[["en","x-default"],"x-default"],[null,true],null,"/blog/topics/threat-intelligence/unc3524-eye-spy-email/?hl\u003den",["6LcsrxUqAAAAAFhpR1lXsPN2j2nsTwy6JTbRKzJr"]],[],'','wC7T6QA8MeKpUedWZ2V6dQ','etUnG2Qk0TfHJILls3CMbQ','DEFAULT','\/blog', 2024.0 ,'https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc3524-eye-spy-email\/', null ,'ltr', false ,'https:\/\/accounts.google.com\/AccountChooser?continue\x3dhttps:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc3524-eye-spy-email\/\x26hl\x3den-US','https:\/\/accounts.google.com\/ServiceLogin?hl\x3den-US\x26continue\x3dhttps:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc3524-eye-spy-email\/','https:\/\/accounts.google.com\/SignOutOptions?continue\x3dhttps:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc3524-eye-spy-email\/',[[[1]]], false , false , false ,'en','en-US','en_US','https:\/\/goto2.corp.google.com\/mdtredirect?data_id_filter\x3dcloud.google.com\x26system_name\x3dcloudx-web-blog-uiserver', null , null ,'https:\/\/myaccount.google.com\/privacypolicy?hl\x3den-US', false , null ,'https:\/\/www.gstatic.com\/_\/boq-cloudx-web-blog\/_\/r\/','https:\/\/myaccount.google.com\/termsofservice?hl\x3den-US',[[[["Solutions \u0026 technology",null,[[["AI \u0026 Machine Learning","/blog/products/ai-machine-learning"],["API Management","/blog/products/api-management"],["Application Development","/blog/products/application-development"],["Application Modernization","/blog/products/application-modernization"],["Chrome Enterprise","/blog/products/chrome-enterprise"],["Compute","/blog/products/compute"],["Containers \u0026 Kubernetes","/blog/products/containers-kubernetes"],["Data Analytics","/blog/products/data-analytics"],["Databases","/blog/products/databases"],["DevOps \u0026 SRE","/blog/products/devops-sre"],["Maps \u0026 Geospatial","/blog/topics/maps-geospatial"],["Security",null,[[["Security \u0026 Identity","/blog/products/identity-security"],["Threat Intelligence","/blog/topics/threat-intelligence"]]]],["Infrastructure","/blog/products/infrastructure"],["Infrastructure Modernization","/blog/products/infrastructure-modernization"],["Networking","/blog/products/networking"],["Productivity \u0026 Collaboration","/blog/products/productivity-collaboration"],["SAP on Google Cloud","/blog/products/sap-google-cloud"],["Storage \u0026 Data Transfer","/blog/products/storage-data-transfer"],["Sustainability","/blog/topics/sustainability"]]]],["Ecosystem",null,[[["IT Leaders","/transform"],["Industries",null,[[["Financial Services","/blog/topics/financial-services"],["Healthcare \u0026 Life Sciences","/blog/topics/healthcare-life-sciences"],["Manufacturing","/blog/topics/manufacturing"],["Media \u0026 Entertainment","/blog/products/media-entertainment"],["Public Sector","/blog/topics/public-sector"],["Retail","/blog/topics/retail"],["Supply Chain","/blog/topics/supply-chain-logistics"],["Telecommunications","/blog/topics/telecommunications"]]]],["Partners","/blog/topics/partners"],["Startups \u0026 SMB","/blog/topics/startups"],["Training \u0026 Certifications","/blog/topics/training-certifications"],["Inside Google Cloud","/blog/topics/inside-google-cloud"],["Google Cloud Next \u0026 Events","/blog/topics/google-cloud-next"],["Google Maps Platform","https://mapsplatform.google.com/resources/blog/"],["Google Workspace","https://workspace.google.com/blog"]]]],["Developers \u0026 Practitioners","/blog/topics/developers-practitioners"],["Transform with Google Cloud","/transform"]]],[["de",[[["Neuigkeiten","/blog/de/topics/whats-new/aktuelles-auf-dem-google-cloud-blog"],["Lösungen \u0026 Technologien",null,[[["Anwendungsentwicklung","/blog/de/products/application-development"],["Anwendungsmodernisierung","/blog/de/products/anwendungsmodernisierung"],["API-Verwaltung","/blog/de/products/api-management"],["Chrome Enterprise","/blog/de/products/chrome-enterprise"],["Computing","/blog/de/products/compute"],["Containers \u0026 Kubernetes","/blog/de/products/containers-kubernetes"],["Datenanalysen","/blog/de/products/data-analytics"],["Datenbanken","/blog/de/products/databases"],["DevOps \u0026 SRE","/blog/de/products/devops-sre"],["Infrastruktur","/blog/de/products/infrastructure"],["KI \u0026 Machine Learning","/blog/de/products/ai-machine-learning"],["Maps \u0026 Geospatial","/blog/de/topics/maps-geospatial"],["Modernisierung der Infrastruktur","/blog/de/products/modernisierung-der-infrastruktur"],["Nachhaltigkeit","/blog/de/topics/nachhaltigkeit"],["Netzwerk","/blog/de/products/networking"],["Produktivität und Zusammenarbeit","/blog/de/products/produktivitaet-und-kollaboration"],["SAP in Google Cloud","/blog/de/products/sap-google-cloud"],["Sicherheit \u0026 Identität","/blog/de/products/identity-security"],["Speicher und Datentransfer","/blog/de/products/storage-data-transfer"]]]],["Ökosystem",null,[[["IT Leader","/transform/de"],["Industrien",null,[[["Behörden und öffentlicher Sektor","/blog/de/topics/public-sector"],["Einzelhandel","/blog/de/topics/retail"],["Fertigung","/blog/de/topics/fertigung"],["Finanzdienstleistungen","/blog/de/topics/financial-services"],["Gesundheitswesen und Biowissenschaften","/blog/de/topics/healthcare-life-sciences"],["Lieferkette und Logistik","/blog/de/topics/lieferkette-und-logistik"],["Medien und Unterhaltung","/blog/de/products/media-entertainment"],["Telekommunikation","/blog/de/topics/telecommunications"]]]],["Entwickler*innen \u0026 Fachkräfte","/blog/de/topics/developers-practitioners"],["Google Cloud Next \u0026 Events","/blog/de/topics/events"],["Google Maps Platform","/blog/de/products/maps-platform"],["Google Workspace","https://workspace.google.com/blog/de"],["Inside Google Cloud","/blog/de/topics/inside-google-cloud"],["Kunden","/blog/de/topics/kunden"],["Partner","/blog/de/topics/partners"],["Start-ups und KMU","/blog/de/topics/startups"],["Training und Zertifizierung","/blog/de/topics/training-certifications"]]]],["Transformation mit Google Cloud","/transform/de"]]]],["en",[[["Solutions \u0026 technology",null,[[["AI \u0026 Machine Learning","/blog/products/ai-machine-learning"],["API Management","/blog/products/api-management"],["Application Development","/blog/products/application-development"],["Application Modernization","/blog/products/application-modernization"],["Chrome Enterprise","/blog/products/chrome-enterprise"],["Compute","/blog/products/compute"],["Containers \u0026 Kubernetes","/blog/products/containers-kubernetes"],["Data Analytics","/blog/products/data-analytics"],["Databases","/blog/products/databases"],["DevOps \u0026 SRE","/blog/products/devops-sre"],["Maps \u0026 Geospatial","/blog/topics/maps-geospatial"],["Security",null,[[["Security \u0026 Identity","/blog/products/identity-security"],["Threat Intelligence","/blog/topics/threat-intelligence"]]]],["Infrastructure","/blog/products/infrastructure"],["Infrastructure Modernization","/blog/products/infrastructure-modernization"],["Networking","/blog/products/networking"],["Productivity \u0026 Collaboration","/blog/products/productivity-collaboration"],["SAP on Google Cloud","/blog/products/sap-google-cloud"],["Storage \u0026 Data Transfer","/blog/products/storage-data-transfer"],["Sustainability","/blog/topics/sustainability"]]]],["Ecosystem",null,[[["IT Leaders","/transform"],["Industries",null,[[["Financial Services","/blog/topics/financial-services"],["Healthcare \u0026 Life Sciences","/blog/topics/healthcare-life-sciences"],["Manufacturing","/blog/topics/manufacturing"],["Media \u0026 Entertainment","/blog/products/media-entertainment"],["Public Sector","/blog/topics/public-sector"],["Retail","/blog/topics/retail"],["Supply Chain","/blog/topics/supply-chain-logistics"],["Telecommunications","/blog/topics/telecommunications"]]]],["Partners","/blog/topics/partners"],["Startups \u0026 SMB","/blog/topics/startups"],["Training \u0026 Certifications","/blog/topics/training-certifications"],["Inside Google Cloud","/blog/topics/inside-google-cloud"],["Google Cloud Next \u0026 Events","/blog/topics/google-cloud-next"],["Google Maps Platform","https://mapsplatform.google.com/resources/blog/"],["Google Workspace","https://workspace.google.com/blog"]]]],["Developers \u0026 Practitioners","/blog/topics/developers-practitioners"],["Transform with Google Cloud","/transform"]]]],["fr",[[["Les tendances","/blog/fr/topics/les-tendances/quelles-sont-les-nouveautes-de-google-cloud"],["Solutions et Technologie",null,[[["Analyse de données","/blog/fr/products/analyse-de-donnees/"],["Bases de données","/blog/fr/products/databases"],["Calcul","/blog/fr/products/calcul/"],["Chrome Entreprise","/blog/fr/products/chrome-enterprise/"],["Conteneurs et Kubernetes","/blog/fr/products/conteneurs-et-kubernetes/"],["Développement d'Applications","/blog/fr/products/application-development"],["Développement durable","/blog/fr/topics/developpement-durable"],["DevOps et ingénierie SRE","/blog/fr/products/devops-sre"],["Gestion des API","/blog/fr/products/api-management"],["IA et Machine Learning","/blog/fr/products/ai-machine-learning"],["Infrastructure","/blog/fr/products/infrastructure"],["Maps et Géospatial","/blog/fr/topics/maps-geospatial"],["Modernisation d'Applications","/blog/fr/products/modernisation-dapplications/"],["Modernisation d'Infrastructure","/blog/fr/products/modernisation-dinfrastructure/"],["Networking","/blog/fr/products/networking"],["Productivité et Collaboration","/blog/fr/products/productivite-et-collaboration"],["SAP sur Google Cloud","/blog/fr/products/sap-google-cloud"],["Sécurité et Identité","/blog/fr/products/identity-security"],["Stockage et transfert de données","/blog/fr/products/storage-data-transfer"]]]],["Écosystème",null,[[["Responsables IT","/transform/fr"],["Industries",null,[[["Commerce","/blog/fr/topics/retail"],["Manufacturing","/blog/fr/topics/manufacturing"],["Médias et Divertissement","/blog/fr/products/media-entertainment"],["Santé","/blog/fr/topics/healthcare-life-sciences"],["Secteur Public","/blog/fr/topics/public-sector"],["Services Financiers","/blog/fr/topics/financial-services"],["Supply Chain","/blog/fr/topics/supply-chain/"],["Telecommunications","/blog/fr/topics/telecommunications"]]]],["Clients","/blog/fr/topics/clients/"],["Développeurs et professionnels","/blog/fr/topics/developers-practitioners"],["Formations et certifications","/blog/fr/topics/training-certifications"],["Google Cloud Next et Événements","/blog/fr/topics/evenements"],["Google Maps Platform","/blog/fr/products/maps-platform"],["Google Workspace","https://workspace.google.com/blog/fr"],["Inside Google Cloud","/blog/fr/topics/inside-google-cloud"],["Partenaires","/blog/fr/topics/partners"],["Start-ups et PME","/blog/fr/topics/startups"]]]],["Transformer avec Google Cloud","/transform/fr"]]]],["ja",[[["ソリューションとテクノロジー",null,[[["AI \u0026 機械学習","/blog/ja/products/ai-machine-learning"],["API 管理","/blog/ja/products/api-management"],["アプリケーション開発","/blog/ja/products/application-development"],["アプリケーションモダナイゼーション","/blog/ja/products/application-modernization"],["Chrome Enterprise","/blog/ja/products/chrome-enterprise"],["コンピューティング","/blog/ja/products/compute"],["Containers \u0026 Kubernetes","/blog/ja/products/containers-kubernetes"],["データ分析","/blog/ja/products/data-analytics"],["データベース","/blog/ja/products/databases"],["DevOps \u0026 SRE","/blog/ja/products/devops-sre"],["Maps \u0026 Geospatial","/blog/ja/products/maps-platform"],["セキュリティ",null,[[["セキュリティ \u0026 アイデンティティ","/blog/ja/products/identity-security"],["脅威インテリジェンス","/blog/ja/topics/threat-intelligence"]]]],["インフラストラクチャ","/blog/ja/products/infrastructure"],["インフラモダナイゼーション","/blog/ja/products/infrastructure-modernization"],["ネットワーキング","/blog/ja/products/networking"],["生産性とコラボレーション","/blog/ja/products/productivity-collaboration"],["Google Cloud での SAP","/blog/ja/products/sap-google-cloud"],["ストレージとデータ転送","/blog/ja/products/storage-data-transfer"],["サステナビリティ","/blog/ja/topics/sustainability"]]]],["エコシステム",null,[[["ITリーダー","/transform/ja"],["業種",null,[[["金融サービス","/blog/ja/topics/financial-services"],["ヘルスケア、ライフサイエンス","/blog/ja/topics/healthcare-life-sciences"],["製造","/blog/ja/topics/manufacturing"],["メディア、エンターテイメント","/blog/ja/products/media-entertainment"],["公共部門","/blog/ja/topics/public-sector"],["小売業","/blog/ja/topics/retail"],["サプライチェーン","/blog/ja/topics/supply-chain-logistics"],["通信","/blog/ja/topics/telecommunications"]]]],["顧客事例","/blog/ja/topics/customers"],["パートナー","/blog/ja/topics/partners"],["スタートアップ \u0026 SMB","/blog/ja/topics/startups"],["トレーニングと認定","/blog/ja/topics/training-certifications"],["Inside Google Cloud","/blog/ja/topics/inside-google-cloud"],["Google Cloud Next とイベント","/blog/ja/topics/google-cloud-next"],["Google Maps Platform","/blog/ja/products/maps-platform"],["Google Workspace","https://workspace.google.com/blog/ja"]]]],["デベロッパー","/blog/ja/topics/developers-practitioners"],["Transform with Google Cloud","/transform/ja"]]]],["ko",[[["솔루션 및 기술",null,[[["AI 및 머신러닝","/blog/ko/products/ai-machine-learning"],["API 관리","/blog/ko/products/api-management"],["애플리케이션 개발","/blog/ko/products/application-development"],["애플리케이션 현대화","/blog/ko/products/application-modernization"],["Chrome Enterprise","/blog/products/chrome-enterprise"],["컴퓨팅","/blog/ko/products/compute"],["컨테이너 \u0026 Kubernetes","/blog/ko/products/containers-kubernetes"],["데이터 분석","/blog/ko/products/data-analytics"],["데이터베이스","/blog/ko/products/databases"],["DevOps 및 SRE","/blog/ko/products/devops-sre"],["Maps \u0026 Geospatial","/blog/ko/products/maps-platform"],["보안",null,[[["보안 \u0026 아이덴티티","/blog/ko/products/identity-security"],["위협 인텔리전스","/blog/ko/topics/threat-intelligence"]]]],["인프라","/blog/ko/products/infrastructure"],["Infrastructure Modernization","/blog/ko/products/infrastructure-modernization"],["네트워킹","/blog/ko/products/networking"],["생산성 및 공동작업","/blog/ko/products/productivity-collaboration"],["SAP on Google Cloud","/blog/ko/products/sap-google-cloud"],["스토리지 및 데이터 전송","/blog/ko/products/storage-data-transfer"],["지속가능성","/blog/ko/topics/sustainability"]]]],["에코시스템",null,[[["IT Leaders","/transform/ko"],["업종",null,[[["금융 서비스","/blog/ko/topics/financial-services"],["의료 및 생명과학","/blog/ko/topics/healthcare-life-sciences"],["제조업","/blog/ko/topics/manufacturing"],["미디어 및 엔터테인먼트","/blog/ko/products/media-entertainment"],["공공부문","/blog/ko/topics/public-sector"],["소매업","/blog/ko/topics/retail"],["공급망","/blog/topics/supply-chain-logistics"],["통신","/blog/ko/topics/telecommunications"]]]],["고객 사례","/blog/ko/topics/customers"],["파트너","/blog/ko/topics/partners"],["스타트업 \u0026 SMB","/blog/ko/topics/startups"],["교육 \u0026 인증","/blog/ko/topics/training-certifications"],["Inside Google Cloud","/blog/ko/topics/inside-google-cloud"],["Google Cloud Next 및 이벤트","/blog/ko/topics/google-cloud-next"],["Google Maps Platform","/blog/ko/products/maps-platform"],["Google Workspace","https://workspace.google.com/blog/ko"]]]],["개발 및 IT운영","/blog/ko/topics/developers-practitioners"],["Google Cloud와 함께 하는 디지털 혁신","/transform/ko"]]]]]],'cloud.google.com','https', null , false , null ,[[97442199,1714246,97785988,97863043,93778619,93874004,48554503,1706538,48897392,97684535,97535270,97656899,97863170,97517172,48887082,48830069,97716263,48489822,97442181,97785970,93873986,97684517,97656881,97517154,48887064],null,null,null,null,true],]; window.IJ_valuesCb && window.IJ_valuesCb();</script><script class="ds:0" nonce="wC7T6QA8MeKpUedWZ2V6dQ">AF_initDataCallback({key: 'ds:0', hash: '1', data:[["UNC3524: Eye Spy on Your Email | Mandiant",null,[1651467600],"https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png","https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email",[1711401819,580249000]],[["Mandiant "]],[null,"\u003cscript type\u003d\"application/ld+json\"\u003e{\"@context\":\"https://schema.org\",\"@type\":\"BlogPosting\",\"@id\":\"https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email\",\"headline\":\"UNC3524: Eye Spy on Your Email | Mandiant\",\"description\":\"\",\"image\":\"https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png\",\"author\":[{\"@type\":\"Person\",\"name\":\"Mandiant \",\"url\":\"\"}],\"datePublished\":\"2022-05-02\",\"publisher\":{\"@type\":\"Organization\",\"name\":\"Google Cloud\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https://www.gstatic.com/devrel-devsite/prod/v8bb8fa0afe9a8c3a776ebeb25d421bb443344d789b3607754dfabea418b8c4be/cloud/images/cloud-logo.svg\"}},\"url\":\"https://cloud.google.com/blog/topics/threat-intelligence/unc3524-eye-spy-email\",\"keywords\":[\"Threat Intelligence\",\"Security \\u0026 Identity\"],\"timeRequired\":\"PT14M\"}\u003c/script\u003e"],["UNC3524: Eye Spy on Your Email"],null,null,[[null,null,[null,[null,"\u003cp\u003eWritten by: Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan, Chris Gardner\u003c/p\u003e\n\u003chr\u003e"]]],[null,null,[null,[null,"\u003cp\u003e\u003cem\u003eUPDATE (November 2022):We have merged UNC3524 with APT29.\u003c/em\u003e\u003cem\u003eThe UNC3524 activity described in this post is now attributed to APT29.\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eSince December 2019, Mandiant has observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect. Most email systems, whether on-premises or in the cloud, offer programmatic methods to search and access email data across an entire organization, such as \u003ca href\u003d\"https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery?view\u003do365-worldwide\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eeDiscovery\u003c/a\u003e and the \u003ca href\u003d\"https://docs.microsoft.com/en-us/graph/overview\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eGraph API\u003c/a\u003e. Mandiant has observed threat actors use \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003ethese same tools\u003c/a\u003e to support their own collection requirements and to target the mailboxes of individuals in victim organizations.\u003c/p\u003e\n\u003cp\u003eIn this blog post, we introduce UNC3524, a newly discovered suspected espionage threat actor that, to date, heavily targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions. On the surface, their targeting of individuals involved in corporate transactions suggests a financial motivation; however, their ability to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021, as reported in \u003ca href\u003d\"https://www.mandiant.com/resources/m-trends-2022\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cem\u003eM-Trends 2022\u003c/em\u003e\u003c/a\u003e, suggests an espionage mandate. Part of the group\u2019s success at achieving such a long dwell time can be credited to their choice to install backdoors on appliances within victim environments that do not support security tools, such as anti-virus or endpoint protection. The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the \u201cadvanced\u201d in Advanced Persistent Threat. UNC3524 also takes persistence seriously. Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign. We are sharing the tools, tactics, and procedures used by UNC3524 to help organizations hunt for and protect against their operations.\u003c/p\u003e\n\u003cdiv\u003e\n\u003ch2\u003eAttack Lifecycle\u003c/h2\u003e\n\u003c/div\u003e\n\u003ch3\u003eInitial Compromise and Maintain Presence\u003c/h3\u003e\n\u003cp\u003eAfter gaining initial access by unknown means, UNC3524 deployed a novel backdoor tracked by Mandiant as QUIETEXIT, which is based on the open-source Dropbear SSH client-server software. For their long-haul remote access, UNC3524 opted to deploy QUIETEXIT on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers. These kinds of devices don\u2019t support antivirus or endpoint detection and response tools (EDRs), subsequently leaving the underlying operating systems to vendors to manage. These appliances are often running older versions of BSD or CentOS and would require considerable planning to compile functional malware for them. By targeting trusted systems within victim environments that do not support any type of security tooling, UNC3524 was able to remain undetected in victim environments for at least 18 months.\u003c/p\u003e\n\u003cp\u003eQUIETEXIT works as if the traditional client-server roles in an SSH connection were reversed. Once the client, running on a compromised system, establishes a TCP connection to a server, it performs the SSH server role. The QUIETEXIT component running on the threat actor\u2019s infrastructure initiates the SSH connection and sends a password. Once the backdoor establishes a connection, the threat actor can use any of the options available to an SSH client, including proxying traffic via SOCKS. QUIETEXIT has no persistence mechanism; however, we have observed UNC3524 install a run command (rc) as well as hijack legitimate application-specific startup scripts to enable the backdoor to execute on system startup.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 1: How QUIETEXIT works with IoT devices\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig1_enga.max-1600x1600.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig1_enga.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig1_enga.max-1600x1600.png 1543w"," 1060px, 1543px","https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig1_enga.max-1600x1600.png"],null,3]]],[null,null,[null,[null,"\u003cp\u003eOn startup, QUIETEXIT attempts to change its name to cron, but the malware author did not implement this correctly, so it fails. During our incident response investigations, we recovered QUIETEXIT samples that were renamed to blend in with other legitimate files on the file system. In one case with an infected node of a NAS array, UNC3524 named the binary to blend in with a suite of scripts used to mount various filesystems to the NAS.\u003c/p\u003e\n\u003cp\u003eWhen run with command line arguments \u003ccode\u003e-X -p ort\u003c/code\u003e the malware connects to a hard-coded command and control (C2) address on the specific port. If this fails, it will attempt to connect to a second hard coded C2 if one is configured. The user can also specify a hostname or IP address on the command line in the -p argument as well, e.g. \u003ccode\u003e-X -p ost:ort\u003c/code\u003e.The -X command line argument is case sensitive. If the lower-case x option is used, then the malware will only attempt to connect to the C2 server once. If the upper-case X option is used, then the malware will sleep for a random number of minutes between a hard-coded time range and fork to reattempt the connection. It re-attempts the connection regardless of whether a connection has already been established. In our investigations we observed UNC3524 use C2 domains that intended to blend in with legitimate traffic originating from the infected appliances. Using the example of an infected load balancer, the C2 domains contained strings that could plausibly relate to the device vendor and branded operating system name. This level of planning demonstrates that UNC3524 understands incident response processes and tried to make their C2 traffic appear as legitimate to anyone that might scroll through DNS or session logs.\u003c/p\u003e\n\u003cp\u003eAll QUIETEXIT C2 domains that Mandiant observed used Dynamic DNS providers. Dynamic DNS allows for threat actors to update the DNS records for domains in a near seamless fashion. When the C2s where inactive, the threat actor had the domains resolve to 127.0.0.1. However, occasionally the port numbers would change or VPS infrastructure would be used rather than compromised camera botnet. We suspected that when the threat actor experienced issues accessing a victim, they would troubleshoot using new infrastructure or different ports.\u003c/p\u003e\n\u003cp\u003eIn some cases, the threat actor deployed a secondary backdoor as a means of alternate access into victim environments. This alternate access was a \u003ca href\u003d\"https://advantage.mandiant.com/malware/malware--33065e77-067e-5554-a325-86f0e95968dc\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eREGEORG\u003c/a\u003e web shell previously placed on a DMZ web server. REGEORG is a web shell that creates a SOCKS proxy, keeping with UNC3524\u2019s preference for tunneling malware. Once inside the victim environment, the threat actor spent time to identify web servers in the victim environment and ensure they found one that was Internet accessible before copying REGEORG to it. They also took care to name the file so that it blended in with the application running on the compromised server. Mandiant also observed instances where UNC3542 used timestomping to alter the Standard Information timestamps of the REGEORG web shell to match other files in the same directory.\u003c/p\u003e\n\u003cp\u003eUNC3542 only used these web shells when their QUIETEXIT backdoors stopped functioning and only to re-establish QUIETEXIT on another system in the network. Rather than use the public version of REGEORG published by Sensepost, UNC3542 used a still public but little-known version of the web shell that is heavily obfuscated. This allowed them to bypass common signature-based detections for REGEORG.\u003c/p\u003e\n\u003ch3\u003eMove Laterally\u003c/h3\u003e\n\u003cp\u003eOnce UNC3524 established a foothold in the network they demonstrated a very low malware footprint and instead relied on built-in Windows protocols. During our incident response investigations, we traced most accesses to a victim appliance infected with QUIETEXIT. QUIETEXIT supports the full functionality of SSH, and our observation is consistent with UNC3524 using it to establish a SOCKS tunnel into the victim environments. By standing up a SOCKS tunnel, the threat actor effectively plugs in their machine to an ethernet jack within the victim\u2019s network. By tunneling over SOCKS, the threat actor can execute tools to steal data from their own computer, leaving no traces of the tooling itself on victim computers.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 2: Tunneling through QUIETEXIT\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig2_bmkh.max-1800x1800.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig2_bmkh.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig2_bmkh.max-1800x1800.png 1735w"," 1060px, 1735px","https://storage.googleapis.com/gweb-cloudblog-publish/images/unc3524-fig2_bmkh.max-1800x1800.png"],null,3]]],[null,null,[null,[null,"\u003cp\u003eTo perform lateral movement to systems of interest, UNC3524 used a customized version of Impacket\u2019s \u003ca href\u003d\"https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eWMIEXEC\u003c/a\u003e. WMIEXEC uses Windows Management Instrumentation to establish a semi-interactive shell on a remote host. The utility provides a semi-interactive shell by writing command outputs to a file on the remote host and then printing the output to the terminal. The default Impacket version uses a hardcoded file path and filename structure for these output files, providing a detection opportunity. Mandiant has observed UNC3524 modifying the hardcoded file path (\\\\127.0.0.1\\ADMIN$\\debug\\DEBUG.LOG\u003cu\u003e)\u003c/u\u003e to evade basic detections for filenames such as Impacket\u2019s default double underscore files. We also observed the threat actor using the built-in \u003ccode\u003ereg save\u003c/code\u003e command to save registry hives and extract LSA secrets offline.\u003c/p\u003e\n\u003ch3\u003eComplete Mission\u003c/h3\u003e\n\u003cp\u003eOnce UNC3524 successfully obtained privileged credentials to the victim\u2019s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment. In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes, focusing their attention on executive teams and employees that work in corporate development, mergers and acquisitions, or IT security staff. It\u2019s likely that the threat actor was targeting the IT security team as a method to determine if their operation had been detected.\u003c/p\u003e\n\u003cp\u003eThe methods that UNC3524 used to authenticate to the Exchange infrastructure evolved throughout the course of the intrusions; this may be a result of them periodically losing access due to the natural changes in corporate infrastructure or simply updating their tactics. They authenticated to Exchange using the username and password of targeted accounts, using accounts holding ApplicationImpersonation rights, or using Service Principal credentials. Each of these methods, their detections, and configuration recommendations can be found at \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eMandiant's UNC2452 Microsoft 365 Hardening Guide\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eOnce authenticated to the exchange infrastructure, UNC3524 made a series of EWS API requests to extract mail items from the target mailbox. For each mailbox, the threat actor made a series of \u003ccode\u003eGetFolder\u003c/code\u003e and \u003ccode\u003eFindFolder\u003c/code\u003e requests that returned data describing the mailbox, such as the number of unread messages and sub-folders within the specified folder.\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e\u0026lt;?xml version\u003d\u0026quot;1.0\u0026quot; encoding\u003d\u0026quot;utf-8\u0026quot;?\u0026gt;\r\n\u0026lt;soap:Envelope xmlns:soap\u003d\u0026quot;http://schemas.xmlsoap.org/soap/envelope/\u0026quot;\r\n xmlns:t\u003d\u0026quot;https://schemas.microsoft.com/exchange/services/2006/types\u0026quot;\u0026gt;\r\n \u0026lt;soap:Header\u0026gt;\r\n \u0026lt;t:RequestServerVersion Version\u003d\u0026quot;Exchange2013\u0026quot; /\u0026gt;\r\n \u0026lt;t:ExchangeImpersonation\u0026gt;\r\n \u0026lt;t:ConnectingSID\u0026gt;\r\n \u0026lt;t:PrimarySmtpAddress\u0026gt;target@victimorg.com\u0026lt;/t:PrimarySmtpAddress\u0026gt;\r\n \u0026lt;/t:ConnectingSID\u0026gt;\r\n \u0026lt;/t:ExchangeImpersonation\u0026gt;\r\n \u0026lt;/soap:Header\u0026gt;\r\n \u0026lt;soap:Body\u0026gt;\r\n \u0026lt;GetFolder xmlns\u003d\u0026quot;https://schemas.microsoft.com/exchange/services/2006/messages\u0026quot;\r\n xmlns:t\u003d\u0026quot;https://schemas.microsoft.com/exchange/services/2006/types\u0026quot;\u0026gt;\r\n \u0026lt;FolderShape\u0026gt;\r\n \u0026lt;t:BaseShape\u0026gt;Default\u0026lt;/t:BaseShape\u0026gt;\r\n \u0026lt;/FolderShape\u0026gt;\r\n \u0026lt;FolderIds\u0026gt;\r\n \u0026lt;t:DistinguishedFolderId Id\u003d\u0026quot;Root\u0026quot;/\u0026gt;\r\n \u0026lt;/FolderIds\u0026gt;\r\n \u0026lt;/GetFolder\u0026gt;\r\n \u0026lt;/soap:Body\u0026gt;\r\n\u0026lt;/soap:Envelope\u0026gt;\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center\"\u003e\u003cspan style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%\"\u003eFigure 3: Sample EWS GetFolder request\u003c/span\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eAfter the enumeration of the mailbox structure, the threat actor issued a \u003ccode\u003eFindItem\u003c/code\u003e request with a Query Filter that selected all messages from a specific folder with a \u003ccode\u003eDateTimeCreated\u003c/code\u003e greater than a specific date. The date in the filter corresponded to the last time the threat actor accessed the mailbox. This meant that the threat actor would acquire all newly created items in the mailbox since the last time they had extracted data. This follows an approach that Mandiant has previously observed with APT29. Rather than target a mailbox using specific keywords, the threat actor instead extracted the entire contents over a particular date range.\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e\u0026lt;?xml version\u003d\u0026quot;1.0\u0026quot; encoding\u003d\u0026quot;utf-8\u0026quot;?\u0026gt;\r\n\u0026lt;soap:Envelope xmlns:xsi\u003d\u0026quot;http://www.w3.org/2001/XMLSchema-instance\u0026quot;\r\n xmlns:m\u003d\u0026quot;https://schemas.microsoft.com/exchange/services/2006/messages\u0026quot;\r\n xmlns:t\u003d\u0026quot;https://schemas.microsoft.com/exchange/services/2006/types\u0026quot;\r\n xmlns:soap\u003d\u0026quot;https://schemas.xmlsoap.org/soap/envelope/\u0026quot;\u0026gt;\r\n \u0026lt;soap:Header\u0026gt;\r\n \u0026lt;t:RequestServerVersion Version\u003d\u0026quot;Exchange2013\u0026quot; /\u0026gt;\r\n \u0026lt;t:ExchangeImpersonation\u0026gt;\r\n \u0026lt;t:ConnectingSID\u0026gt;\r\n \u0026lt;t:PrimarySmtpAddress\u0026gt;target@victimorg.com\u0026lt;/t:PrimarySmtpAddress\u0026gt;\r\n \u0026lt;/t:ConnectingSID\u0026gt;\r\n \u0026lt;/t:ExchangeImpersonation\u0026gt;\r\n \u0026lt;/soap:Header\u0026gt;\r\n \u0026lt;soap:Body\u0026gt;\r\n \u0026lt;m:FindItem Traversal\u003d\u0026quot;Shallow\u0026quot;\u0026gt;\r\n \u0026lt;m:ItemShape\u0026gt;\r\n \u0026lt;t:BaseShape\u0026gt;IdOnly\u0026lt;/t:BaseShape\u0026gt;\r\n \u0026lt;t:AdditionalProperties\u0026gt;\r\n \u0026lt;t:FieldURI FieldURI\u003d\u0026quot;item:Subject\u0026quot; /\u0026gt;\r\n \u0026lt;t:FieldURI FieldURI\u003d\u0026quot;item:DateTimeCreated \u0026quot; /\u0026gt;\r\n \u0026lt;/t:AdditionalProperties\u0026gt;\r\n \u0026lt;/m:ItemShape\u0026gt;\r\n \u0026lt;m:IndexedPageItemView MaxEntriesReturned\u003d\u0026quot;100\u0026quot; Offset\u003d\u0026quot;0\u0026quot; BasePoint\u003d\u0026quot;Beginning\u0026quot; /\u0026gt;\r\n \u0026lt;m:Restriction\u0026gt; \r\n \u0026lt;t:IsGreaterThan\u0026gt;\r\n \u0026lt;t:FieldURI FieldURI\u003d\u0026quot;item:DateTimeCreated \u0026quot; /\u0026gt;\r\n \u0026lt;t:FieldURIOrConstant\u0026gt;\r\n \u0026lt;t:Constant Value\u003d\u0026quot;2022-01-01T00:00:00\u0026quot; /\u0026gt;\r\n \u0026lt;/t:FieldURIOrConstant\u0026gt;\r\n \u0026lt;/t:IsGreaterThan\u0026gt;\r\n \u0026lt;/m:Restriction\u0026gt;\r\n \u0026lt;m:SortOrder\u0026gt;\r\n \u0026lt;t:FieldOrder Order\u003d\u0026quot;Descending\u0026quot;\u0026gt;\r\n \u0026lt;t:FieldURI FieldURI\u003d\u0026quot;item:DateTimeCreated\u0026quot; /\u0026gt;\r\n \u0026lt;/t:FieldOrder\u0026gt;\r\n \u0026lt;/m:SortOrder\u0026gt;\r\n \u0026lt;m:ParentFolderIds\u0026gt;\r\n \u0026lt;t:DistinguishedFolderId Id\u003d\u0026quot;inbox\u0026quot; /\u0026gt;\r\n \u0026lt;/m:ParentFolderIds\u0026gt;\r\n \u0026lt;/m:FindItem\u0026gt;\r\n \u0026lt;/soap:Body\u0026gt;\r\n\u0026lt;/soap:Envelope\u0026gt;\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center\"\u003e\u003cspan style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%\"\u003eFigure 4: Sample EWS FindItem request\u003c/span\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eFinally, the threat actor iterated through each message identifier returned in the \u003ccode\u003eFindItem\u003c/code\u003e response and made a \u003ccode\u003eGetItem\u003c/code\u003e request. The threat actor set the \u003ccode\u003eIncludeMimeContent\u003c/code\u003e parameter to true for the request, which resulted in Exchange returning the message in MIME format. This is important because the MIME message includes both the message body and any attachments. It is worth noting that if the messages were encrypted using PGP, SMIME, Office 365 Message Encryption (OME), or other encryption technology, then the \u003ccode\u003eGetItem\u003c/code\u003e response will only contain the ciphertext or in the case of OME, a link to authenticate and view the real message.\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e\u0026lt;?xml version\u003d\u0026quot;1.0\u0026quot; encoding\u003d\u0026quot;utf-8\u0026quot;?\u0026gt;\r\n\u0026lt;soap:Envelope\r\n xmlns:xsi\u003d\u0026quot;http://www.w3.org/2001/XMLSchema-instance\u0026quot;\r\n xmlns:xsd\u003d\u0026quot;http://www.w3.org/2001/XMLSchema\u0026quot;\r\n xmlns:soap\u003d\u0026quot;http://schemas.xmlsoap.org/soap/envelope/\u0026quot;\r\n xmlns:t\u003d\u0026quot;https://schemas.microsoft.com/exchange/services/2006/types\u0026quot;\u0026gt;\r\n \u0026lt;soap:Body\u0026gt;\r\n \u0026lt;GetItem\r\n xmlns\u003d\u0026quot;https://schemas.microsoft.com/exchange/services/2006/messages\u0026quot;\r\n xmlns:t\u003d\u0026quot;https://schemas.microsoft.com/exchange/services/2006/types\u0026quot;\u0026gt;\r\n \u0026lt;ItemShape\u0026gt;\r\n \u0026lt;t:BaseShape\u0026gt;Default\u0026lt;/t:BaseShape\u0026gt;\r\n \u0026lt;t:IncludeMimeContent\u0026gt;true\u0026lt;/t:IncludeMimeContent\u0026gt;\r\n \u0026lt;/ItemShape\u0026gt;\r\n \u0026lt;ItemIds\u0026gt;\r\n \u0026lt;t:ItemId Id\u003d\u0026quot;\u0026lt;ID OF MESSAGE\u0026gt;\u0026quot; ChangeKey\u003d\u0026quot;CQAAAB\u0026quot; /\u0026gt;\r\n \u0026lt;/ItemIds\u0026gt;\r\n \u0026lt;/GetItem\u0026gt;\r\n \u0026lt;/soap:Body\u0026gt;\r\n\u0026lt;/soap:Envelope\u0026gt;\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center\"\u003e\u003cspan style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%\"\u003eFigure 5: Sample EWS GetItem request\u003c/span\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv\u003e\n\u003ch2\u003eOperational Security and Infrastructure\u003c/h2\u003e\n\u003c/div\u003e\n\u003cp\u003eThroughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment\u2019s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor\u2019s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.\u003c/p\u003e\n\u003cp\u003eThe C2 systems that Mandiant identified were primarily legacy conference room camera systems sold by LifeSize, Inc. and in one instance, a D-Link IP camera. These camera systems appeared to be infected, likely with the server component of QUIETEXIT. These cameras were directly Internet exposed, possibly through an improper UPnP configuration, and may have been running older firmware. Mandiant suspects that default credentials, rather than an exploit, were the likely mechanism used to compromise these devices and form the IoT botnet used by UNC3524. Similar to the use of embedded network devices, UNC3524 can avoid detection by operating from compromised infrastructure connected directly to the public Internet such as IP cameras where typical antivirus and security monitoring may be absent.\u003c/p\u003e\n\u003cdiv\u003e\n\u003ch2\u003eDetection\u003c/h2\u003e\n\u003c/div\u003e\n\u003cp\u003eUNC3524\u2019s use of compromised appliances makes host-based hunting and detection extremely difficult. The best opportunity for detection remains in network-based logging, specifically monitoring traffic at the layer 7 level. Mandiant recommends hunting for traffic tagged as the \u201cSSH\u201d application egressing environments over ports other than 22. This traffic should be relatively small, and any findings should be investigated. Organizations can also look for outbound SSH traffic originating from IP addresses that are unknown or not in asset management systems. These source systems are more likely to be appliances that aren\u2019t centrally managed. Finally, large volumes of network traffic originating from the \u201cmanagement\u201d interfaces of appliances such as NAS arrays and load balancers should be investigated as suspicious as well.\u003c/p\u003e\n\u003cp\u003eUNC3524 targets opaque network appliances because they are often the most unsecure and unmonitored systems in a victim environment. Organizations should take steps to inventory their devices that are on the network and do not support monitoring tools. Each device likely has vendor-specific hardening actions to take to ensure that the proper logging is enabled, and logs are forwarded to a central repository. Organizations can also take steps to use network access controls to limit or completely restrict egress traffic from these devices.\u003c/p\u003e\n\u003cp\u003eFor host-based hunting, Mandiant recommends hunting for QUIETEXIT on devices using the provided grep commands. Most appliances that provide shell access should have the grep binary available.\u003c/p\u003e\n\u003cp\u003eFind QUIETEXIT hard-coded byte string using grep:\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eFind QUIETEXIT hard-coded byte string using grep:\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u00a0\u003c/div\u003e\n\u003cp\u003eFind QUIETEXIT by looking for the hard-coded password value:\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003egrep \r\n'\\xDD\\xE5\\xD5\\x97\\x20\\x53\\x27\\xBF\\xF0\\xA2\\xBA\\xCD\\x96\\x35\\x9A\\xAD\\x1C\\x75\\xEB\\x47' \r\n-rs /\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u00a0\u003c/div\u003e\n\u003cp\u003eFind QUIETEXIT persistence mechanisms in the appliance\u2019s rc.local directory by looking for the command line arguments:\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003egrep -e \" -[Xx] -p [[:digit:]{2,6}]\" -rs /etc\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u00a0\u003c/div\u003e\n\u003cdiv\u003e\n\u003ch2\u003eRemediation and Hardening\u003c/h2\u003e\n\u003c/div\u003e\n\u003cp\u003eMandiant has published \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eremediation and hardening strategies\u003c/a\u003e for Microsoft 365.\u003c/p\u003e\n\u003ch2\u003eAttribution\u003c/h2\u003e\n\u003cp\u003eThe methodologies Mandiant observed during UNC3524 intrusions overlapped with techniques used by multiple Russia-based espionage threat actors including both EWS impersonation and SPN credential addition. Mandiant has only observed \u003ca href\u003d\"https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eAPT29\u003cu\u003e performing \u003c/u\u003eSPN credential addition\u003c/a\u003e; however, this technique has been reported on publicly since early 2019. The NSA has previously reported automated password spraying using Kubernetes, Exchange Exploitation, and REGEORG as \u003ca href\u003d\"https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eassociated with APT28\u003c/a\u003e\u003cu\u003e.\u003c/u\u003e While the activity reported by the NSA used TOR and commercial VPNs, UNC3524 primarily used compromised internet facing devices. One interesting aspect of UNC3524\u2019s use of REGEORG was that it matched identically with the version publicly reported by the NSA as used by APT28. At the time of writing, Mandiant cannot conclusively link UNC3524 to an existing group currently tracked by Mandiant.\u003c/p\u003e\n\u003ch2\u003eAcknowledgements\u003c/h2\u003e\n\u003cp\u003eWe would like to thank our incident response consultants, Managed Defense responders, and FLARE reverse engineers who enabled this research.Thanks to Kirstie Failey, Jake Nicastro, John Wolfram, Sarah Hawley and Nick Richard for technical review, and Ryan Hall and Alyssa Rahman for research contributions.\u003c/p\u003e\n\u003cdiv\u003e\n\u003ch2\u003eMITRE ATT\u0026amp;CK\u003c/h2\u003e\n\u003c/div\u003e\n\u003cp\u003eMandiant has observed UNC3524 use the following techniques.\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003eATT\u0026amp;CK Tactic Category\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003eTechniques\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eDefense Evasion\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eT1027: Obfuscated Files or Information\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eDiscovery\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1012: Query Registry\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1016: System Network Configuration Discovery\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1049: System Network Connections Discovery\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1057: Process Discovery\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1518: Software Discovery\u003c/span\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eCredential Access\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eT1003.004: LSA Secrets\u003c/p\u003e\n\u003cp\u003eT1003.006: DCSync\u003c/p\u003e\n\u003cp\u003eT1111: Two-Factor Authentication Interception\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eCollection\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1114: Email Collection\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1114.002: Remote Email Collection\u003c/span\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLateral Movement\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eT1021.004: SSH\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003ePersistence\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1037.004: RC Scripts\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1098.001: Additional Cloud Credentials\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1505.003: Web Shell\u003c/span\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eCommand and Control\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1071: Application Layer Protocol\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1090.003: Multi-hop Proxy\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1095: Non-Application Layer Protocol\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1572: Protocol Tunneling\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1573.002: Asymmetric Cryptography\u003c/span\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eResource Development\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1583.003: Virtual Private Server\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1584: Compromise Infrastructure\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1608.003: Install Digital Certificate\u003c/span\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eExecution\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1059.001: PowerShell\u003c/span\u003e\u003c/p\u003e\n\u003cp\u003e\u003cspan lang\u003d\"EN-CA\"\u003e T1059.003: Windows Command Shell\u003c/span\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv\u003e\n\u003ch2\u003eYARA Signatures\u003c/h2\u003e\n\u003c/div\u003e\n\u003cp\u003eNote: These rules are designed to broadly capture suspicious files and are not designed to detect a particular malware or threat.\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003erule QUIETEXIT_strings\r\n{\r\n meta:\r\n author \u003d \u0026quot;Mandiant\u0026quot;\r\n date_created \u003d \u0026quot;2022-01-13\u0026quot;\r\n date_modified \u003d \u0026quot;2022-01-13\u0026quot;\r\n rev \u003d 1\r\n strings:\r\n $s1 \u003d \u0026quot;auth-agent@openssh.com\u0026quot;\r\n $s2 \u003d \u0026quot;auth-%.8x-%d\u0026quot;\r\n $s3 \u003d \u0026quot;Child connection from %s:%s\u0026quot;\r\n $s4 \u003d \u0026quot;Compiled without normal mode, can\u0026#39;t run without -i\u0026quot;\r\n $s5 \u003d \u0026quot;cancel-tcpip-forward\u0026quot;\r\n $s6 \u003d \u0026quot;dropbear_prng\u0026quot;\r\n $s7 \u003d \u0026quot;cron\u0026quot;\r\n condition:\r\n uint32be(0) \u003d\u003d 0x7F454C46 and filesize \u0026lt; 2MB and all of them\r\n}\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u00a0\u003c/div\u003e\n\u003cpre\u003e\u003ccode\u003erule REGEORG_Tuneller_generic\r\n{\r\n meta:\r\n author \u003d \u0026quot;Mandiant\u0026quot;\r\n date_created \u003d \u0026quot;2021-12-20\u0026quot;\r\n date_modified \u003d \u0026quot;2021-12-20\u0026quot;\r\n md5 \u003d \u0026quot;ba22992ce835dadcd06bff4ab7b162f9\u0026quot;\r\n strings:\r\n $s1 \u003d \u0026quot;System.Net.IPEndPoint\u0026quot;\r\n $s2 \u003d \u0026quot;Response.AddHeader\u0026quot;\r\n $s3 \u003d \u0026quot;Request.InputStream.Read\u0026quot;\r\n $s4 \u003d \u0026quot;Request.Headers.Get\u0026quot;\r\n $s5 \u003d \u0026quot;Response.Write\u0026quot;\r\n $s6 \u003d \u0026quot;System.Buffer.BlockCopy\u0026quot;\r\n $s7 \u003d \u0026quot;Response.BinaryWrite\u0026quot;\r\n $s8 \u003d \u0026quot;SocketException soex\u0026quot;\r\n condition:\r\n filesize \u0026lt; 1MB and 7 of them\r\n}\u003c/code\u003e\u003c/pre\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u00a0\u003c/div\u003e\n\u003cpre\u003e\u003ccode\u003erule UNC3524_sha1\r\n{\r\n meta:\r\n author \u003d \u0026quot;Mandiant\u0026quot;\r\n date_created \u003d \u0026quot;2022-01-19\u0026quot;\r\n date_modified \u003d \u0026quot;2022-01-19\u0026quot;\r\n strings:\r\n $h1 \u003d { DD E5 D5 97 20 53 27 BF F0 A2 BA CD 96 35 9A AD 1C 75 EB 47 }\r\n condition:\r\n uint32be(0) \u003d\u003d 0x7F454C46 and filesize \u0026lt; 10MB and all of them\r\n}\u003c/code\u003e\u003c/pre\u003e\n\u003ch2\u003eIndicators\u003c/h2\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003eMALWARE FAMILY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003eIndicator\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eQUIETEXIT Dynamic DNS\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003ecloudns.asia\u003cbr\u003edynu.net\u003cbr\u003emywire.org\u003cbr\u003ewebredirect.org\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003eMALWARE FAMILY\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003eMD5\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003eSHA1\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003eSHA256\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eREGEORG GitHub version\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eba22992ce835dadcd06bff4ab7b162f9\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e3d4dcc859c6ca7e5b36483ad84c9ceef34973f9a\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e7b5e3c1c06d82b3e7309C258dfbd4bfcd476c8ffcb4cebda76146145502a5997\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e"]]]],[["Threat Intelligence","Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations","GLASSBRIDGE is an umbrella group of four different companies that operate networks of inauthentic news sites and newswire services.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,6,null,"https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations",null,1,[["Google Threat Intelligence Group "]],null,"55620"],["Threat Intelligence","Empowering Gemini for Malware Analysis with Code Interpreter and Google Threat Intelligence","When used for malware analysis, Gemini now has capabilities to address obfuscation, and obtain insights on IOCs.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,6,null,"https://cloud.google.com/blog/topics/threat-intelligence/gemini-malware-analysis-code-interpreter-threat-intelligence",null,1,[["Bernardo Quintero"],["Andr\u00e9s Ram\u00edrez"]],null,"55597"],["Threat Intelligence","Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation","Learn how Mandiant Red Team is using Gemini and LLMs for adversarial emulation and defense.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,25,null,"https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-adversarial-emulation",null,1,[["Mandiant "]],null,"55578"],["Threat Intelligence","Emerging Threats: Cybersecurity Forecast 2025","The Cybersecurity Forecast 2025 is here to arm security professionals with knowledge about the year ahead.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,3,null,"https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2025",null,1,[["Adam Greenberg","Content Marketing Manager, Mandiant"]],null,"55565"]],null,"Threat Intelligence",null,[["Threat Intelligence","https://cloud.google.com/blog/topics/threat-intelligence","threat-intelligence"],["Security \u0026 Identity","https://cloud.google.com/blog/products/identity-security","identity-security"]],null,null,14], sideChannel: {}});</script><script id="wiz_jd" nonce="wC7T6QA8MeKpUedWZ2V6dQ">if (window['_wjdc']) {const wjd = {}; window['_wjdc'](wjd); delete window['_wjdc'];}</script><script aria-hidden="true" id="WIZ-footer" nonce="wC7T6QA8MeKpUedWZ2V6dQ">window.wiz_progress&&window.wiz_progress(); window.stopScanForCss&&window.stopScanForCss(); ccTick('bl');</script></body></html><footer id="ZCHFDb"><footer class="nRhiJb-RWrDld nRhiJb-yePe5c QJnbF" jscontroller="NsSboe" track-metadata-module="footer"><h3 class="nRhiJb-VqCwd-L6cTce">Footer Links</h3><section class="nRhiJb-haF9Wb r2W5Od"><section class="nRhiJb-DX2B6"><div class="nRhiJb-j5y3u"><h4 class="nRhiJb-BkAck nRhiJb-BkAck-OWXEXe-TzA9Ye">Follow us</h4><ul class="nRhiJb-Qijihe c3Uqdd" role="list"><li class="nRhiJb-KKXgde"><a class="nRhiJb-ARYxNe" href="https://www.x.com/googlecloud" target="_blank" rel="noopener" track-name="x"track-type="social link"track-metadata-position="footer"track-metadata-eventdetail="www.x.com/googlecloud"track-metadata-module="footer"track-metadata-module_headline="follow us"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c nRhiJb-Bz112c-OWXEXe-DX2B6" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M13.9,10.5L21.1,2h-1.7l-6.3,7.4L8,2H2.2l7.6,11.1L2.2,22h1.7l6.7-7.8L16,22h5.8L13.9,10.5L13.9,10.5z M11.5,13.2l-0.8-1.1 L4.6,3.3h2.7l5,7.1l0.8,1.1l6.5,9.2h-2.7L11.5,13.2L11.5,13.2z"></path></svg></a></li><li class="nRhiJb-KKXgde"><a class="nRhiJb-ARYxNe" href="https://www.youtube.com/googlecloud" target="_blank" rel="noopener" track-name="youtube"track-type="social link"track-metadata-position="footer"track-metadata-eventdetail="www.youtube.com/googlecloud"track-metadata-module="footer"track-metadata-module_headline="follow us"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c nRhiJb-Bz112c-OWXEXe-DX2B6" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M23.74 7.1s-.23-1.65-.95-2.37c-.91-.96-1.93-.96-2.4-1.02C17.04 3.47 12 3.5 12 3.5s-5.02-.03-8.37.21c-.46.06-1.48.06-2.39 1.02C.52 5.45.28 7.1.28 7.1S.04 9.05 0 10.98V13c.04 1.94.28 3.87.28 3.87s.24 1.65.96 2.38c.91.95 2.1.92 2.64 1.02 1.88.18 7.91.22 8.12.22 0 0 5.05.01 8.4-.23.46-.06 1.48-.06 2.39-1.02.72-.72.96-2.37.96-2.37s.24-1.94.25-3.87v-2.02c-.02-1.93-.26-3.88-.26-3.88zM9.57 15.5V8.49L16 12.13 9.57 15.5z"></path></svg></a></li><li class="nRhiJb-KKXgde"><a class="nRhiJb-ARYxNe" href="https://www.linkedin.com/showcase/google-cloud" target="_blank" rel="noopener" track-name="linkedin"track-type="social link"track-metadata-position="footer"track-metadata-eventdetail="www.linkedin.com/showcase/google-cloud"track-metadata-module="footer"track-metadata-module_headline="follow us"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c nRhiJb-Bz112c-OWXEXe-DX2B6" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M20 2H4c-1.1 0-1.99.9-1.99 2L2 20c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V4c0-1.1-.9-2-2-2zM8 19H5v-9h3v9zM6.5 8.31c-1 0-1.81-.81-1.81-1.81S5.5 4.69 6.5 4.69s1.81.81 1.81 1.81S7.5 8.31 6.5 8.31zM19 19h-3v-5.3c0-.83-.67-1.5-1.5-1.5s-1.5.67-1.5 1.5V19h-3v-9h3v1.2c.52-.84 1.59-1.4 2.5-1.4 1.93 0 3.5 1.57 3.5 3.5V19z"></path></svg></a></li><li class="nRhiJb-KKXgde"><a class="nRhiJb-ARYxNe" href="https://www.instagram.com/googlecloud/" target="_blank" rel="noopener" track-name="instagram"track-type="social link"track-metadata-position="footer"track-metadata-eventdetail="www.instagram.com/googlecloud/"track-metadata-module="footer"track-metadata-module_headline="follow us"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c nRhiJb-Bz112c-OWXEXe-DX2B6" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M12,0 C15.3,0 15.7,0 17,0 C18.3,0.1 19.1,0.3 19.9,0.6 C20.7,0.9 21.3,1.3 22,2 C22.7,2.7 23.1,3.4 23.3,4.2 C23.6,5 23.8,5.8 23.9,7.1 C24,8.3 24,8.7 24,12 C24,15.3 24,15.7 23.9,16.9 C23.8,18.2 23.6,19 23.3,19.8 C23,20.6 22.6,21.2 21.9,21.9 C21.3,22.6 20.6,23 19.8,23.3 C19,23.6 18.2,23.8 16.9,23.9 C15.7,24 15.3,24 12,24 C8.7,24 8.3,24 7,24 C5.7,23.9 4.9,23.7 4.1,23.4 C3.3,23.1 2.7,22.7 2,22 C1.3,21.3 0.9,20.6 0.7,19.8 C0.4,19 0.2,18.2 0.1,16.9 C0,15.7 0,15.3 0,12 C0,8.7 0,8.3 0.1,7.1 C0.1,5.8 0.3,4.9 0.6,4.1 C0.9,3.4 1.3,2.7 2,2 C2.7,1.3 3.4,0.9 4.1,0.6 C4.9,0.3 5.8,0.1 7.1,0.1 C8.3,0 8.7,0 12,0 Z M12,2.2 C8.8,2.2 8.4,2.2 7.2,2.2 C6,2.3 5.3,2.5 4.9,2.6 C4.4,2.9 4,3.1 3.5,3.5 C3.1,3.9 2.8,4.3 2.6,4.9 C2.5,5.3 2.3,6 2.3,7.2 C2.2,8.4 2.2,8.8 2.2,12 C2.2,15.2 2.2,15.5 2.3,16.8 C2.3,17.9 2.5,18.6 2.7,19 C2.9,19.6 3.2,20 3.6,20.4 C4,20.8 4.4,21.1 5,21.3 C5.4,21.5 6,21.6 7.2,21.7 C8.4,21.8 8.8,21.8 12,21.8 C15.2,21.8 15.5,21.8 16.8,21.7 C17.9,21.7 18.6,21.5 19,21.3 C19.6,21.1 20,20.8 20.4,20.4 C20.8,20 21.1,19.6 21.3,19 C21.5,18.6 21.6,18 21.7,16.8 C21.8,15.6 21.8,15.2 21.8,12 C21.8,8.8 21.8,8.5 21.7,7.2 C21.7,6.1 21.5,5.4 21.3,5 C21.1,4.4 20.8,4 20.4,3.6 C20,3.2 19.6,2.9 19,2.7 C18.6,2.5 18,2.4 16.8,2.3 C15.6,2.2 15.2,2.2 12,2.2 Z M12,5.8 C15.4,5.8 18.2,8.6 18.2,12 C18.2,15.4 15.4,18.2 12,18.2 C8.6,18.2 5.8,15.4 5.8,12 C5.8,8.6 8.6,5.8 12,5.8 Z M12,16 C14.2,16 16,14.2 16,12 C16,9.8 14.2,8 12,8 C9.8,8 8,9.8 8,12 C8,14.2 9.8,16 12,16 Z M18.4,7 C17.6268014,7 17,6.37319865 17,5.6 C17,4.82680135 17.6268014,4.2 18.4,4.2 C19.1731986,4.2 19.8,4.82680135 19.8,5.6 C19.8,6.37319865 19.1731986,7 18.4,7 Z"></path></svg></a></li><li class="nRhiJb-KKXgde"><a class="nRhiJb-ARYxNe" href="https://www.facebook.com/googlecloud/" target="_blank" rel="noopener" track-name="facebook"track-type="social link"track-metadata-position="footer"track-metadata-eventdetail="www.facebook.com/googlecloud/"track-metadata-module="footer"track-metadata-module_headline="follow us"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c nRhiJb-Bz112c-OWXEXe-DX2B6" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M20 2H4c-1.1 0-1.99.9-1.99 2L2 20c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V4c0-1.1-.9-2-2-2zm-1 2v3h-2c-.55 0-1 .45-1 1v2h3v3h-3v7h-3v-7h-2v-3h2V7.5C13 5.57 14.57 4 16.5 4H19z"></path></svg></a></li></ul></div></section></section><section class="nRhiJb-hlZHHf rtKYfe"><div class="nRhiJb-vQnuyc UXgbsb"><a class="ZOs9zc" href="https://cloud.google.com/" title="Google Cloud" track-name="google"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="cloud.google.com/"track-metadata-module="footer"><svg class="nRhiJb-vQnuyc-RJLb9c" viewBox="0 0 64 64" role="presentation" aria-hidden="true" width="40" height="40"><path d="M40.37 20.29L42.3333 20.3267L47.67 14.99L47.93 12.73C43.69 8.95667 38.11 6.66 32 6.66C20.9367 6.66 11.6067 14.1833 8.84 24.3833C9.42334 23.98 10.6667 24.28 10.6667 24.28L21.3333 22.5267C21.3333 22.5267 21.8867 21.62 22.1567 21.6767C24.5967 19.0067 28.1067 17.3267 32 17.3267C35.1667 17.3267 38.08 18.44 40.37 20.29Z" fill="#ea4335"/><path d="M55.1667 24.3967C53.93 19.8233 51.37 15.79 47.9267 12.7267L40.3667 20.2867C43.3933 22.7333 45.3333 26.4733 45.3333 30.66V31.9933C49.01 31.9933 52 34.9833 52 38.66C52 42.3367 49.01 45.3267 45.3333 45.3267H32L30.6667 46.6667V54.6667L32 55.9933H45.3333C54.89 55.9933 62.6667 48.2167 62.6667 38.66C62.6667 32.75 59.6933 27.5267 55.1667 24.3967Z" fill="#4285f4"/><path d="M18.6667 55.9933H31.99V45.3267H18.6667C17.6867 45.3267 16.76 45.11 15.92 44.7267L14 45.3167L8.66 50.6567L8.19334 52.46C11.1033 54.6733 14.7333 55.9933 18.6667 55.9933Z" fill="#34a853"/><path d="M18.6667 21.3267C9.11 21.3267 1.33334 29.1033 1.33334 38.66C1.33334 44.2867 4.03 49.2967 8.2 52.4633L15.93 44.7333C13.6167 43.6867 12 41.36 12 38.66C12 34.9833 14.99 31.9933 18.6667 31.9933C21.3667 31.9933 23.6933 33.61 24.74 35.9233L32.47 28.1933C29.3033 24.0233 24.2933 21.3267 18.6667 21.3267Z" fill="#fbbc05"/></svg></a></div><ul class="nRhiJb-hlZHHf-PLDbbf nRhiJb-di8rgd-ZGNLv AXb5J" role="list"><li class="glue-footer__global-links-list-item"><a class="nRhiJb-Fx4vi " href="https://cloud.google.com/" track-name="google cloud"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="cloud.google.com/"track-metadata-module="footer">Google Cloud</a></li><li class="glue-footer__global-links-list-item"><a class="nRhiJb-Fx4vi " href="https://cloud.google.com/products/" track-name="google cloud products"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="cloud.google.com/products/"track-metadata-module="footer">Google Cloud Products</a></li><li class="glue-footer__global-links-list-item"><a class="nRhiJb-Fx4vi " href="https://myaccount.google.com/privacypolicy?hl=en-US" target="_blank" track-name="privacy"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="myaccount.google.com/privacypolicy?hl=en-US"track-metadata-module="footer">Privacy</a></li><li class="glue-footer__global-links-list-item"><a class="nRhiJb-Fx4vi " href="https://myaccount.google.com/termsofservice?hl=en-US" target="_blank" track-name="terms"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="myaccount.google.com/termsofservice?hl=en-US"track-metadata-module="footer">Terms</a></li><li aria-hidden="true" class="glue-footer__global-links-list-item"><a aria-hidden="true" role="button" tabindex="0" class="nRhiJb-Fx4vi glue-footer__link glue-cookie-notification-bar-control" href="#" target="_blank" track-name="cookies management controls"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="#"track-metadata-module="footer">Cookies management controls</a></li></ul><ul class="nRhiJb-hlZHHf-PLDbbf nRhiJb-hlZHHf-PLDbbf-OWXEXe-hOedQd nRhiJb-di8rgd-ZGNLv qkxr1" role="list"><li class="glue-footer__global-links-list-item nRhiJb-hlZHHf-PLDbbf-rymPhb-ibnC6b-OWXEXe-hOedQd"><a class="nRhiJb-Fx4vi" href="https://support.google.com" target="_blank" track-name="help"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="support.google.com"track-metadata-module="footer"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c nRhiJb-Bz112c-OWXEXe-yePe5c-h9d3hd" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm1 17h-2v-2h2v2zm2.07-7.75l-.9.92C13.45 12.9 13 13.5 13 15h-2v-.5c0-1.1.45-2.1 1.17-2.83l1.24-1.26c.37-.36.59-.86.59-1.41 0-1.1-.9-2-2-2s-2 .9-2 2H8c0-2.21 1.79-4 4-4s4 1.79 4 4c0 .88-.36 1.68-.93 2.25z"></path></svg>Help</a></li><li class="glue-footer__global-links-list-item nRhiJb-hlZHHf-PLDbbf-rymPhb-ibnC6b-OWXEXe-hOedQd"><select jsaction="change:xU0iy" aria-label="Change language" class="nRhiJb-CL4aqd-j4gsHd"><option value="" selected disabled hidden>Language</option><option value="en" selected>‪English‬</option><option value="de">‪Deutsch‬</option><option value="fr">‪Français‬</option><option value="ko">‪한국어‬</option><option value="ja">‪日本語‬</option></select></li></ul></section></footer></footer>