54 Cloud Identity Free decoy accounts
A user account on a free Cloud Identity seat, named to look high-value — an ex-CFO, an svc-backup identity — left discoverable where an attacker enumerates (the directory, a stale group, an old document ACL) and used by nobody. Any successful login or password-recovery attempt against it is hostile by definition, so an activity rule on its login events can page immediately with no false-positive budget to manage.
Caveats
Setup steps
- open ↗

https://admin.google.com/ac/users · captured 2026-07-15
Directory › Users › Add new userLicense = Cloud Identity Free; long random password; 2SV enrolled but never used
-
Contact sharing on (organization-wide Directory setting; per-OU visibility via custom directories); member of a plausible stale group; listed on an old doc ACL
- open ↗

https://admin.google.com/ac/ax · captured 2026-07-15
Rules › Create rule › Activity- Condition: user log event (login) AND user
decoy- Severity
High- Action
alert center + page
-
gam info user decoy@… gam print groups member decoy@…
Ongoing maintenance
- requires a human Quarterly: keep decoys plausible — aged profile photos, group memberships, mail traffic patterns.
How to verify
Attempt a sign-in against a decoy account from a clean browser and confirm the alert fires and routes to the monitored address.
v0.1.3Detectedition All (free seats) policy #30 · #33 ↗