GRIDTIDE’s C2 Is a Google Sheet You Don’t Own. Your Workspace Audit Log Is Blind to It
UNC2814’s GRIDTIDE backdoor runs command-and-control through an attacker-controlled Google Sheet — reached via the attacker’s own service account and Cloud project, not the victim’s Workspace tenant — so the victim’s Workspace audit logs never see it. The detection has to come from egress and the host, and the real fix is default-deny outbound from your server tiers.