Project Description

📖 3 mins read

How to know if there’s a compromised Google Workspace account in your domain?

A Google account is a pretty BIG target for cyber criminals. Why? Simple — it’s rich with valuable data and sensitive information that attackers would ‘virtually’ kill for.

And now, with remote work and eLearning being the norm, cyber criminals are more determined than ever to leverage any security gaps in this remote shift to get in.

In fact, if we look at the biggest cloud security incidents of 2020, we’ll find that most of them craftly targeted standard users and employees to gain unauthorised access.

That’s why Google Workspace admins need to stay vigilant to any suspicious footprints by the doors of their domain to spot and address compromised accounts on time. 


The Top 4 Tell-tale signs of a Compromised Google Workspace Account

  • Unexpected Logins from Abroad ?

Recently, while investigating logins to Google Workspace domains, our team noticed a large number of logins to domains from outside their home country.

For companies allowing employees to work remotely from abroad during the pandemic, this would be normal. And cyber criminals are well aware of that.

That’s why, as an admin, you need to stay alerted on suspicious logins from ‘unexpected’ areas outside your country or city.

Ideally, you’d prepare a list of countries (or cities) where you’d expect remote employees to login from. Then, you’d want to set up alerts for logins from outside these areas you specified. 

Blog- 4 Tell-tale Signs of a Compromised Google Workspace Account
  • Failed Login attempts ⛔

A spike in failed login attempts and password reset messages is another alarming sign of someone trying to break into your domain. 

And while attackers may fail a few times at first, how can you be sure they didn’t succeed eventually ? 

To that, you need to check two areas in your admin console:

  1. The user login attempts report: To identify such spikes as you go. 
  2. The Login audit log: To track and review user logins to your domain.


Constant User Identity Verification for Google Workspace

You might be thinking “But why do I need to worry about that if I have Two-factor authentication (2FA) enabled for all users?’’

After attackers were able to disable 2FA in 2020, it became obvious that MFA should always be enforced. Read more.

Additionally, hackers now tend to login once only and stay connected for a long time to avoid suspicious multiple login events. 

This also gives them time to extract as much data as possible before being detected.

Blog- 4 Tell-tale Signs of a Compromised Google Workspace Account 2
  • Unusual Google mail activity ?

Attackers understand that users are usually too busy with work tasks to stop and investigate minor email irregularities that get lost in the noise of daily events.

For example, when missing an urgent email from a colleague, most employees would have the sender ‘resend it’ ASAP, rather than stop and investigate the cause. 

Building on that realisation, attackers tend to:

  1. Set up email forwarding rules to send mail to an external address.
  2. Delete incoming mail.
  3. Create new folders with unsuspicious names like “Events” to use as a new inbox within a compromised account.
  4. Send out emails with phishing links from the compromised account to internal users to establish a sense of trust.
  5. Send out spam emails with a comically large BCC count.


Setting up Gmail alerts for suspicious gmail activity is one of the most effective ways to stay on top of these signs. 

As an Admin, you’d also want to use a phishing incident response tool to control the spread of the damage if you ever encounter scenario #4.


  • Suspicious Drive File Shares ?

This is a huge RED FLAG that always requires further investigation.

Things like unknown sharing parties, spikes in file sharing, file download or transfer can all indicate that your domain has been compromised. 

These activities could also signal that your domain is leaking data or infected with malware, which also requires prompt investigation.

To get a general view into Drive file shares simply visit the File Exposure Report in your admin console.


Going beyond admin console Drive capabilities?

Dig up more granular insights on Drive file shares & Set up powerful Drive DLP rules & alerts beyond those available in the admin console using GAT+ — Watch this video to learn more.


Dealing with a Compromised Google Workspace Account situation? Here’s what to do.

When you have suspicions about a particular account(s), we recommend first checking with the account owner(s). Have they been abroad recently, logged in from a new device or forgot their password, etc.?

If you confirm that the account in question has in fact been compromised, promptly follow the security steps outlined by Google here.

Remember, Speed is crucial here — You’d want to make sure that the lag time between spotting one of those tell-tale signs and investigating and addressing it isn’t too long.

Finally, users should also be advised to run Google’s Security Checkup from time to time to review security-related activity on their accounts. It literally takes a few seconds.


Found this post useful? — Make sure to share the knowledge with your friends and peers on social media using the buttons below ?


Thanks for sharing and spreading the word!