← All controls

59 Config-drift & persistence sentinel (incl. mail-routing watch)

A scheduled job snapshots the settings an attacker changes in order to persist — admin role assignments, domain-wide delegation clients and their scopes, the OAuth allowlist, Gmail routing rules, mail hosts and compliance rules, forwarding, 2SV enforcement — and diffs each run against the last approved baseline. A silent inbound or outbound routing rule is the classic post-compromise persistence, and it is invisible to the user whose mail it copies.

Caveats

Setup steps

  1. Cadence
    hourly for routing/DWD, daily for the rest
  2. open ↗ Apps › Google Workspace › Gmail › Routing
    Diff on any add/change to routing, hosts, or compliance rules

    Add Gmail routing settings ↗ Add mail servers for Gmail email routing ↗

  3. Unapproved delta
    page
    approved delta
    auto-commit new baseline

Ongoing maintenance

How to verify

  1. Check the sentinel’s last run is within its schedule, then change a benign monitored setting and confirm the next run flags it. Revert the setting.

Further screens

Screen 1 of 1: Account > Admin roles

open ↗
Admin console screen — Account > Admin roles
https://admin.google.com/ac/list/roles captured 2026-07-15

v0.1.2Detect policy #27 · #12, #33, #34 ↗