Google Workspace: Capture User Mailbox Filters (Detect Hidden Forwarding Rules)
Lamont Largie
Title: Enhance Google Workspace Inspector to Capture User Mailbox Filters (Detect Hidden Forwarding Rules)
One-Sentence Summary: Expand the Google Workspace Inspector to pull data from the Gmail API's users.settings.filters endpoint, enabling partners to detect malicious forwarding rules and unauthorized data exfiltration.
The "Why" (Partner Use Case): Bad actors are increasingly using hidden mailbox filters to maintain persistence in a compromised tenant. By setting up rules to automatically forward emails to an external address (or delete notifications), they can exfiltrate sensitive data or hide their tracks without the user ever knowing.
Currently, auditing these filters requires manually logging into user accounts or running custom scripts per tenant. Partners need an automated, scalable way to:
Audit all user filters across an entire Google Workspace environment.
Create Actionable Alerts for high-risk filter criteria (e.g., "Action: Forward" OR "Action: Delete").
Detect Persistence: Identify rules created by attackers to hide their activity (e.g., automatically trashing security alerts from Microsoft or Google).
This addition would significantly enhance the security posture of our partners' managed environments and provide a critical layer of defense against Business Email Compromise (BEC).
Technical Details & API Reference: This data is available via the Gmail API. We recommend adding a new Data View to the Google Workspace Inspector that captures the output of the users.settings.filters.list method.
API Resource: users.settings.filters
Method: list
Google Documentation: https://developers.google.com/gmail/api/reference/rest/v1/users.settings.filters/list
Required Scope: https://www.googleapis.com/auth/gmail.settings.basic (Read-only access to settings)
Proposed Data to Capture: For each filter, we should capture:
ID: Unique filter ID.
Criteria: The trigger conditions (e.g., from, to, subject, query).
Action: The automated response (e.g., addLabelIds, removeLabelIds, forward). Crucially, the forward property is the one to look for.
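As an added illustration (not Liongard's or Google's code), the script below triages the JSON that users.settings.filters.list returns for one mailbox and turns the "Proposed Data to Capture" fields into alerts: it flags a forward action (external address ranked above internal), hiding actions expressed through the Gmail system labels (addLabelIds TRASH or SPAM, removeLabelIds INBOX), and criteria that target account-security notifications, promoting a filter that both hides mail and targets those senders to critical. The three sample filters, the filter ids, the sender patterns and the internal-domain set are constructed for the example.

```python
"""Triage Gmail mailbox filters for forwarding and hiding rules.

Added example, not Liongard's or Google's code. Input is the JSON shape of the
Gmail API users.settings.filters.list response; the sample data is constructed.
"""
import re
from typing import Any

# Gmail system label ids used by filter actions.
TRASH, SPAM, INBOX, UNREAD = "TRASH", "SPAM", "INBOX", "UNREAD"

# Constructed patterns for senders/phrases that carry security notifications.
SECURITY_SENDER_PATTERNS = (
    r"accounts\.google\.com",
    r"accountprotection\.microsoft\.com",
    r"\bsecurity\b",
)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample of what filters.list returns for one user (filter ids are made up).
SAMPLE_RESPONSE: dict[str, Any] = {
    "filter": [
        {   # benign: labels a newsletter
            "id": "ANe1Bmj0001",
            "criteria": {"from": "news@example.com"},
            "action": {"addLabelIds": ["Label_12"]},
        },
        {   # exfiltration: forwards everything to an external address and hides it
            "id": "ANe1Bmj0002",
            "criteria": {"query": "in:anywhere"},
            "action": {"forward": "someone@example.net", "removeLabelIds": ["INBOX"]},
        },
        {   # persistence: trashes account-security alerts from Google and Microsoft
            "id": "ANe1Bmj0003",
            "criteria": {"from": "no-reply@accounts.google.com OR "
                                 "account-security-noreply@accountprotection.microsoft.com"},
            "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["UNREAD"]},
        },
    ],
}


def analyze_filter(flt: dict[str, Any], internal_domains: set[str]):
    """Return (severity, reasons) for one filter resource; (None, []) if benign."""
    criteria = flt.get("criteria", {})
    action = flt.get("action", {})
    reasons: list[str] = []
    severity = "low"

    def raise_to(level: str, reason: str) -> None:
        nonlocal severity
        reasons.append(reason)
        if SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
            severity = level

    forward_to = action.get("forward")
    if forward_to:
        domain = forward_to.rsplit("@", 1)[-1].lower()
        if domain in internal_domains:
            raise_to("medium", f"forwards to internal address {forward_to}")
        else:
            raise_to("critical", f"forwards to external address {forward_to}")

    added = set(action.get("addLabelIds", []))
    removed = set(action.get("removeLabelIds", []))
    hides = False
    if TRASH in added:
        hides = True
        raise_to("high", "moves matching mail to Trash")
    elif SPAM in added:
        hides = True
        raise_to("high", "marks matching mail as spam")
    elif INBOX in removed:
        hides = True
        raise_to("medium", "archives matching mail (skips the Inbox)")
    if UNREAD in removed:
        raise_to("low", "marks matching mail as read")

    # Criteria fields (from, to, subject, query, ...) joined into one searchable string.
    criteria_text = " ".join(str(v) for v in criteria.values()).lower()
    targets_security = any(re.search(p, criteria_text) for p in SECURITY_SENDER_PATTERNS)
    if targets_security:
        raise_to("high", "criteria match security notifications")
    if targets_security and hides:
        raise_to("critical", "hides security notifications (persistence indicator)")

    return (severity if reasons else None, reasons)


def triage(response: dict[str, Any], user_email: str, internal_domains: set[str]):
    """Analyze every filter in a filters.list response; alerts sorted by severity."""
    alerts = []
    for flt in response.get("filter", []):
        severity, reasons = analyze_filter(flt, internal_domains)
        if severity:
            alerts.append({"user": user_email, "filter_id": flt.get("id"),
                           "severity": severity, "reasons": reasons})
    alerts.sort(key=lambda a: SEVERITY_RANK[a["severity"]], reverse=True)
    return alerts


def alert_line(alert: dict[str, Any]) -> str:
    """One-line alert text in the style of the feature request."""
    return (f"{alert['severity'].title()}: mailbox filter {alert['filter_id']} "
            f"on {alert['user']}: " + "; ".join(alert["reasons"]))


def fetch_filters(service, user_email: str) -> dict[str, Any]:
    """Live call via google-api-python-client (not executed in this example).
    The Gmail API is per-mailbox, so tenant-wide auditing needs a service account
    with domain-wide delegation impersonating each user."""
    return service.users().settings().filters().list(userId=user_email).execute()


if __name__ == "__main__":
    for alert in triage(SAMPLE_RESPONSE, "ceo@example.com", {"example.com"}):
        print(alert_line(alert))
```

Run against the constructed sample, the script reports the forwarding rule and the alert-trashing rule as critical and stays silent on the newsletter label. Two practical points for a collector built on this: the Gmail API only returns filters for the mailbox named by userId, so covering a whole tenant means iterating users through domain-wide delegation rather than one OAuth grant; and because gmail.settings.basic also allows settings to be modified, a list-only collector can instead use the read-only https://www.googleapis.com/auth/gmail.readonly scope, which filters.list also accepts.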
Example "Work Smarter" Win for Partners: Instead of a reactive fire drill after a breach, a partner could have a Liongard Alert: "Critical: Email Forwarding Rule Detected on Executive Mailbox." This allows them to investigate and remediate before significant data loss occurs.