← All controls

3 Government-backed attack alert routing

Google warns accounts it believes are targeted by state-sponsored attackers, through a system-defined alert rule that has been on by default since October 2018. The alert names the targeted user, so the work here is routing and response: raise the severity so it is not buried, send it to the monitored security address plus a named human, and record the response: password reset, enforced 2-Step Verification and Advanced Protection enrolment (№21), coordinated through an out-of-band call rather than an email reply.

Caveats

Setup steps

  1. open ↗
    Admin console screen — Rules > System-defined rules > Government-backed attacks

    https://admin.google.com/ac/ax · captured 2026-07-15

    Rules
    Type
    System-defined

    View and edit system-defined rules ↗

  2. Rules › Government-backed attacks
    Status
    Active
    Alert center
    On
    Severity
    High
  3. Rules › Government-backed attacks › Actions
    Email notifications
    On
    Recipients
    security-alerts@<domain> + named responder (internal-domain addresses only)

    View and edit system-defined rules ↗

  4. open ↗
    Admin console screen — Security > Alert center (where the government-backed-attack alert lands)

    https://admin.google.com/ac/ac · captured 2026-07-15

    Security › Alert center

    Playbook link attached to the alert workflow

    View alert details ↗ Enable user enrollment in the Advanced Protection Program ↗

Ongoing maintenance

How to verify

  1. Open the system-defined rule "Government-backed attacks" and confirm Status = Active, alert center delivery On, and the recipient set is the monitored address plus a named responder.

v0.0.3Detect policy #33 · #11 ↗