I just finished reading Google's new report about a Chinese espionage group that spent over a year inside North American medical and military research networks. What stands out is how ordinary their method was. They used a standard Google Workspace admin feature called a content compliance rule, which lets admins flag emails based on certain words or addresses. The attackers set up one of these rules, called it "Patroit" (misspelling Patriot), and used it to secretly BCC every matching email to a Gmail account they controlled. This gave them a steady stream of sensitive defense, policy, and medical research emails, all through a feature that was working exactly as intended.
Here are a few important points to consider:
- The attackers got in through a REDCap server that was exposed to the internet. Hospitals and universities often use these servers to store clinical research data. The first known break-in happened in September 2023.
- They installed malware called InfiniteRed to harvest legitimate login credentials, then used admin accounts to move laterally through the network.
- The data theft relied on a legitimate, built-in feature. There was no malicious file on the mail side to detect, only a routing rule an admin is allowed to create.
This last point is important. We invest heavily in finding malware and suspicious files. But a configuration rule set up by an admin on an ordinary day just looks like regular work. That’s why it went unnoticed for so long.
If you manage email for your company using Google Workspace or Microsoft 365, check today who can create forwarding and compliance rules, and whether anyone gets notified when those rules change. Taking a few hours to review this now could save you from much bigger problems down the road.
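One concrete way to turn that review into an ongoing check is to run the admin audit trail through a small script that flags any compliance or forwarding rule whose action copies mail to an address outside your own domains. The code below is an added example written for this post, not something from the Google report or from Google or Microsoft; the event shape, field names, domains and addresses are all constructed for illustration and are not the real Workspace or Microsoft 365 audit-log schema. Map your export's fields onto the `action` and `actions` keys and the rest carries over.

```python
"""Flag mail-routing rule changes that add an external BCC/forward recipient.

Added example, not code from the original post. The event format below is a
constructed, simplified shape, NOT the real Google Workspace or Microsoft 365
audit-log schema; adapt the field names to whatever your export produces.
"""
from dataclasses import dataclass

# Domains you consider "inside the company" (constructed sample values).
INTERNAL_DOMAINS = {"example-hospital.org", "research.example.edu"}

# Rule-change actions worth looking at; names are hypothetical.
RULE_ACTIONS = {
    "CREATE_COMPLIANCE_RULE", "UPDATE_COMPLIANCE_RULE",
    "CREATE_FORWARDING_RULE", "UPDATE_FORWARDING_RULE",
}

# Constructed sample audit events. The rule name "Patroit" comes from the
# report; the addresses and actors are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2023-09-14T02:11:09Z", "actor": "it-admin@example-hospital.org",
     "action": "CREATE_COMPLIANCE_RULE", "rule_name": "Patroit",
     "actions": {"bcc": ["collector.mailbox@gmail.com"]}},  # constructed address
    {"ts": "2023-09-15T09:30:00Z", "actor": "it-admin@example-hospital.org",
     "action": "UPDATE_COMPLIANCE_RULE", "rule_name": "Legal archive",
     "actions": {"bcc": ["legal-archive@example-hospital.org"]}},  # internal: fine
    {"ts": "2023-09-20T17:45:12Z", "actor": "j.doe@research.example.edu",
     "action": "CREATE_FORWARDING_RULE", "rule_name": "to personal",
     "actions": {"forward_to": ["jdoe.personal@outlook.com"]}},  # constructed
    {"ts": "2023-09-20T17:46:00Z", "actor": "j.doe@research.example.edu",
     "action": "LOGIN_SUCCESS", "actions": {}},  # not a rule change: ignored
]


@dataclass
class Finding:
    ts: str
    actor: str
    action: str
    rule_name: str
    recipients: list


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(event: dict, internal_domains: set) -> list:
    """Collect BCC/forward targets of a rule event that are not internal."""
    actions = event.get("actions", {})
    targets = list(actions.get("bcc", [])) + list(actions.get("forward_to", []))
    return [t for t in targets if recipient_domain(t) not in internal_domains]


def audit_rule_events(events: list, internal_domains: set = INTERNAL_DOMAINS) -> list:
    """Return one Finding per rule create/update that copies mail outside."""
    findings = []
    for ev in events:
        if ev.get("action") not in RULE_ACTIONS:
            continue
        external = external_recipients(ev, internal_domains)
        if external:
            findings.append(Finding(
                ts=ev.get("ts", ""), actor=ev.get("actor", ""),
                action=ev["action"], rule_name=ev.get("rule_name", ""),
                recipients=external,
            ))
    return findings


def format_alert(finding: Finding) -> str:
    """Render a finding as a one-line alert suitable for a ticket or chat hook."""
    return (f"[{finding.ts}] {finding.actor} {finding.action} "
            f"rule={finding.rule_name!r} copies mail to external: "
            f"{', '.join(finding.recipients)}")


if __name__ == "__main__":
    for f in audit_rule_events(SAMPLE_EVENTS):
        print(format_alert(f))
```

Run against the constructed sample it reports two events: the "Patroit" compliance rule that BCCs to a consumer mailbox, and a user-level forward to a personal address, while the internal legal-archive BCC and the login event are ignored. The useful property is that it alerts on the rule change itself, at the moment an admin saves it, rather than waiting for a malicious file that never appears.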
#Cybersecurity #InfoSec #RiskManagement #security #privacy #cloud #email