← All controls

54 Cloud Identity Free decoy accounts

A user account on a free Cloud Identity seat, named to look high-value — an ex-CFO, an svc-backup identity — left discoverable where an attacker enumerates (the directory, a stale group, an old document ACL) and used by nobody. Any successful login or password-recovery attempt against it is hostile by definition, so an activity rule on its login events can page immediately with no false-positive budget to manage.

Caveats

Setup steps

  1. open ↗
    Admin console screen — Directory > Users

    https://admin.google.com/ac/users · captured 2026-07-15

    Directory › Users › Add new user

    License = Cloud Identity Free; long random password; 2SV enrolled but never used

    Add an account for a new user ↗

  2. Contact sharing on (organization-wide Directory setting; per-OU visibility via custom directories); member of a plausible stale group; listed on an old doc ACL

    Turn Directory on or off ↗

  3. open ↗
    Admin console screen — Rules (activity rule on decoy login)

    https://admin.google.com/ac/ax · captured 2026-07-15

    Rules › Create rule › Activity
    Condition: user log event (login) AND user
    decoy
    Severity
    High
    Action
    alert center + page

    Create and manage activity rules ↗ User log events ↗

  4. gam info user decoy@…
    gam print groups member decoy@…

Ongoing maintenance

How to verify

  1. Attempt a sign-in against a decoy account from a clean browser and confirm the alert fires and routes to the monitored address.

v0.1.3Detectedition All (free seats) policy #30 · #33 ↗