How to identify and address a compromised Google Workspace account?
(Note: This post is for Google Workspace Admins. You’ll need an Admin account to perform most of the recommended actions below).
A Google account can be a pretty BIG target for cyber criminals, especially if it’s rich with valuable data or sensitive information that attackers would ‘virtually’ kill for.
In fact, if we look at the biggest cloud security incidents since 2020, we’ll find that most of them craftily target standard users and busy employees to gain unauthorised access.
That’s why Google Workspace admins need to stay extra vigilant to any suspicious footprints by the doors of their domain.
In this blog post we’ll help you learn how to identify and address compromised accounts on time. So keep on reading!
The 4 Tell-tale signs of a Compromised Google Workspace Account
1. Unexpected Logins from Abroad
Recently, while investigating logins to Google Workspace domains, our team noticed a large number of logins to domains from outside their home countries.
For companies allowing employees to work remotely from abroad, this would be normal, and cyber criminals are well aware of that.
That’s why, as an admin, you need to stay alert to suspicious logins from ‘unexpected’ areas outside your country or city.
Ideally, you’d prepare a whitelist of countries (or cities) where you’d expect remote employees to log in from. Then, you’d want to set up alerts for logins from outside the areas you specified.
Quick Tip: You can use third-party tools like GAT+ to easily set up alerts for logins from ‘unexpected’ areas outside your city or country.
2. Failed Login attempts
A spike in failed login attempts and password reset messages is another alarming sign of someone trying to break into your domain.
While attackers may fail a few times at first, how can you be sure they didn’t get it right eventually?
To answer that, you need to check two areas in your admin console:
- The user Login attempts report: To identify such spikes as you go.
- The Login audit log: To track and review user logins to your domain.
You can also share our blog post The 10 Do’s and Don’ts of Password Security with your users to help them improve their password security game.
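To show how the two login signs above translate into a check, here is an added example (not code from the original post or from GAT): it runs a country allow-list and a failed-attempt spike detector over a constructed set of login records. It assumes each record has already been enriched with a country field (for instance via IP geolocation) and uses field and event names chosen for the example.

```python
# Added example: flag logins from outside an allow-list of countries, bursts of
# failed attempts, and a success that follows such a burst. Record layout,
# event names and the sample data are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"IE", "GB"}   # where remote employees are expected to log in from
FAIL_THRESHOLD = 5                 # failures per user inside WINDOW that raise a finding
WINDOW = timedelta(minutes=15)

# Constructed sample log lines: (timestamp, user, event, country).
SAMPLE_LOG = [
    ("2024-03-01T08:00:00Z", "alice@example.com", "login_success", "IE"),
    ("2024-03-01T08:05:00Z", "bob@example.com", "login_failure", "XX"),
    ("2024-03-01T08:06:00Z", "bob@example.com", "login_failure", "XX"),
    ("2024-03-01T08:07:00Z", "bob@example.com", "login_failure", "XX"),
    ("2024-03-01T08:08:00Z", "bob@example.com", "login_failure", "XX"),
    ("2024-03-01T08:09:00Z", "bob@example.com", "login_failure", "XX"),
    ("2024-03-01T08:10:00Z", "bob@example.com", "login_success", "XX"),
    ("2024-03-01T09:00:00Z", "carol@example.com", "login_success", "US"),
]

def parse(line):
    ts, user, event, country = line
    return {"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, "country": country}

def find_suspicious_logins(records):
    """Return (user, reason) findings in chronological order per user."""
    findings = []
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        recent_failures = []  # timestamps of failures inside the sliding window
        for r in recs:
            if r["event"] == "login_success" and r["country"] not in ALLOWED_COUNTRIES:
                findings.append((user, f"login from unexpected country {r['country']}"))
            if r["event"] == "login_failure":
                recent_failures = [f for f in recent_failures if r["time"] - f <= WINDOW]
                recent_failures.append(r["time"])
                if len(recent_failures) == FAIL_THRESHOLD:
                    findings.append((user, f"{FAIL_THRESHOLD} failed logins within {WINDOW}"))
            elif (r["event"] == "login_success" and recent_failures
                  and r["time"] - recent_failures[-1] <= WINDOW):
                # The attacker may have "got it right eventually": confirm with the user.
                findings.append((user, "success shortly after failed attempts; verify with the user"))
                recent_failures = []
    return findings

if __name__ == "__main__":
    for user, reason in find_suspicious_logins([parse(l) for l in SAMPLE_LOG]):
        print(f"{user}: {reason}")
```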
Constant User Identity Verification for Google Workspace
You might be thinking “But why do I need to worry about that if I have Two-factor authentication (2FA) enabled for all users?”
Additionally, hackers now tend to log in only once and stay connected for a long time to avoid generating multiple suspicious login events.
This also gives them time to extract as much data as possible before being detected.
3. Unusual Google mail activity
Attackers understand that users are usually too busy to stop and investigate minor email irregularities that get lost in the noise of daily events.
For example, when missing an urgent email from a colleague, most employees would have the sender ‘resend it’ ASAP, rather than stop and investigate the cause.
Building on that, attackers tend to:
- Set up email forwarding rules to send mail to an external address.
- Delete incoming mail.
- Create new folders with innocuous-looking names like “Events” to use as a new inbox within a compromised account.
- Send out emails with phishing links from the compromised account to internal users to establish a sense of trust.
- Send out spam emails with a comically large BCC count.
There are two ways to stay one step ahead of attackers here:
- Setting up Gmail alerts for suspicious activity is one of the most effective ways to stay on top of these signs.
- Use a phishing incident response tool to control the spread of the damage if you ever have to deal with scenario #4 above (phishing sent from the compromised account).
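The mail-side signs listed above rarely appear alone on a compromised account, so it helps to score them per user. The following is an added example (not code from the original post or from GAT) that does this over a constructed feed of Gmail events; the event schema and thresholds are assumptions for the example, not Google's.

```python
# Added example: collect the mail-side signs discussed above (external forwarding,
# mass deletion, oversized BCC) per user and triage accounts by how many
# independent signals they show. Event schema, thresholds and data are constructed.
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"
BCC_THRESHOLD = 50        # BCC recipients on a single outbound message
DELETE_THRESHOLD = 100    # messages deleted by one user in the reporting window

# Constructed sample events for one reporting window.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "type": "forwarding_added", "destination": "alice.backup@example.com"},
    {"user": "bob@example.com", "type": "forwarding_added", "destination": "b0b.archive@mail-drop.test"},
    {"user": "bob@example.com", "type": "message_deleted", "count": 180},
    {"user": "bob@example.com", "type": "message_sent", "bcc_count": 240},
    {"user": "carol@example.com", "type": "message_sent", "bcc_count": 3},
    {"user": "dave@example.com", "type": "message_deleted", "count": 120},
]

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def mail_signals(events):
    """Map each user to the set of suspicious mail signals observed for them."""
    signals = defaultdict(set)
    deleted = defaultdict(int)
    for e in events:
        if e["type"] == "forwarding_added" and domain_of(e["destination"]) != INTERNAL_DOMAIN:
            signals[e["user"]].add("external_forwarding")
        elif e["type"] == "message_sent" and e.get("bcc_count", 0) >= BCC_THRESHOLD:
            signals[e["user"]].add("mass_bcc")
        elif e["type"] == "message_deleted":
            deleted[e["user"]] += e.get("count", 1)
    for user, n in deleted.items():
        if n >= DELETE_THRESHOLD:
            signals[user].add("mass_delete")
    return dict(signals)

def triage(events, min_signals=2):
    """Users with several independent signals are investigated first; the rest are reviewed."""
    sig = mail_signals(events)
    likely = sorted(u for u, s in sig.items() if len(s) >= min_signals)
    review = sorted(u for u, s in sig.items() if 0 < len(s) < min_signals)
    return likely, review

if __name__ == "__main__":
    likely, review = triage(SAMPLE_EVENTS)
    print("investigate first:", likely)
    print("review:", review)
```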
4. Suspicious Drive File Sharing Activity
This is a huge RED FLAG that requires instant investigation.
Things like unknown sharing parties, or spikes in file sharing, downloads or transfers, can all indicate that your domain has been compromised.
These activities could also signal that your domain is leaking data or is infected with malware, which also requires prompt investigation.
To get a general view into Drive file shares simply visit the File Exposure Report in your admin console.
Dealing with a Compromised Google Workspace Account situation? — Here’s what to do:
If you have suspicions about one or more accounts, we recommend first checking with the account owners. Maybe they’ve been abroad recently, logged in from a new device, forgot their password, etc.
If you confirm that the account in question has in fact been compromised, promptly follow the security steps outlined by Google here.
Remember, Speed is crucial here — You’d want to make sure that the lag time between spotting one of those tell-tale signs and investigating and addressing it isn’t too long.
Finally, users should also be advised to run Google’s Security Checkup from time to time to review security-related activity on their accounts. It literally takes a few seconds.
Need more help identifying a compromised Google Workspace account or want to learn more about how GAT can help you ramp up your domain’s security? — Contact our team here. We’ll be happy to help!