This pull request adds a new emulation for creating a user and disabling 2SV to adjust authentication mechanisms. 2SV and MFA are controlled per user, not globally, therefore a user will be created and then 2SV disabled. While this is not technically indicative of an attack it is a good signal for a weakness in existing defensive measures for a Google Workspace administrator.
Overview
This pull request adds a new emulation for creating a user and disabling 2SV to adjust authentication mechanisms. 2SV and MFA are controlled per user, not globally, therefore a user will be created and then 2SV disabled. While this is not technically indicative of an attack it is a good signal for a weakness in existing defensive measures for a Google Workspace administrator.