4 Tell-tale Signs of a Compromised Google Workspace Account (and what to do next)


How to identify and address a compromised Google Workspace account?

(Note: This post is for Google Workspace Admins. You’ll need an Admin account to perform most of the recommended actions below).

A Google account can be a pretty BIG target for cyber criminals, especially if it’s rich with valuable data or sensitive information that attackers would ‘virtually’ kill for.

Today, with remote work and eLearning being the norm, cyber criminals are more determined than ever to leverage any security gaps in this remote shift to get in.

In fact, if we look at the biggest cloud security incidents since 2020, we’ll find that most of them craftily target standard users and busy employees to gain unauthorised access.

That’s why Google Workspace admins need to stay extra vigilant to any suspicious footprints by the doors of their domain.

In this blog post we’ll help you learn how to identify and address compromised accounts on time. So keep on reading!


The 4 Tell-tale signs of a Compromised Google Workspace Account


1. Unexpected Logins from Abroad 

Recently, while investigating logins to Google Workspace domains, our team noticed a large number of logins to domains from outside their home countries.

For companies allowing employees to work remotely from abroad, this would be normal, and cyber criminals are well aware of that.

That’s why, as an admin, you need to stay alert to suspicious logins from ‘unexpected’ areas outside your country or city.

Ideally, you’d prepare a whitelist of countries (or cities) where you’d expect remote employees to log in from. Then, you’d want to set up alerts for logins from outside the areas you specified.

Quick Tip: You can use third-party tools like GAT+ to easily set up alerts for logins from ‘unexpected’ areas outside your city or country.


2. Failed Login attempts

A spike in failed login attempts and password reset messages is another alarming sign of someone trying to break into your domain. 

While attackers may fail a few times at first, how can you be sure they didn’t get it right eventually?

To find out, you need to check two areas in your admin console:

  1. The user Login attempts report: To identify such spikes as you go. 
  2. The Login audit log: To track and review user logins to your domain.
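The checks from signs 1 and 2, as an added example (not GAT Labs' or Google's code): it flags successful logins from outside a country allowlist and successes that follow a burst of failures. The events are constructed; `login_success` and `login_failure` are login audit event names, while the `country` field (assumed to come from a GeoIP lookup on the logged IP address), the allowlist, the threshold and the window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"IE", "GB"}   # assumed allowlist for this example
FAILURE_THRESHOLD = 5              # assumed: failures that count as a spike
WINDOW = timedelta(minutes=10)     # assumed look-back window before a success

def burst(user, start, count, country):
    """Build `count` constructed login_failure events, 30 seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=30 * i), user, "login_failure", country)
            for i in range(count)]

def at(stamp):
    return datetime.fromisoformat(stamp)

# Constructed sample events: (time, user, event name, country).
SAMPLE_EVENTS = burst("alice@example.com", "2024-03-01T09:00:00", 6, "IE") + [
    (at("2024-03-01T09:04:00"), "alice@example.com", "login_success", "IE"),
    (at("2024-03-01T10:00:00"), "bob@example.com", "login_success", "BR"),
    (at("2024-03-01T11:00:00"), "carol@example.com", "login_failure", "GB"),
    (at("2024-03-01T11:01:00"), "carol@example.com", "login_success", "GB"),
]

def triage_logins(events, allowed=ALLOWED_COUNTRIES,
                  threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (user, time, reason) findings for logins that deserve a look."""
    findings = []
    failures = defaultdict(list)               # user -> failure timestamps
    for when, user, name, country in sorted(events):
        if name == "login_failure":
            failures[user].append(when)
        elif name == "login_success":
            if country not in allowed:
                findings.append((user, when, f"login from unexpected country {country}"))
            recent = [t for t in failures[user] if when - t <= window]
            if len(recent) >= threshold:
                findings.append((user, when, f"success after {len(recent)} failures"))
            failures[user].clear()             # a success resets the streak
    return findings

if __name__ == "__main__":
    for user, when, reason in triage_logins(SAMPLE_EVENTS):
        print(when.isoformat(), user, reason)
```

A single failure followed by a success (the third user in the sample) is not reported; only the spike-then-success pattern is, which is the case the question above is asking about.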

You can also share our blog post The 10 Do’s and Don’ts of Password Security with your users to help them improve their password security game.

Constant User Identity Verification for Google Workspace

You might be thinking “But why do I need to worry about that if I have Two-factor authentication (2FA) enabled for all users?’’

Well, since attackers have recently been able to disable 2FA in their attacks, it has become obvious that Multifactor Authentication (MFA) is the safest Identity and Access Management (IAM) option today.

Additionally, hackers now tend to log in only once and stay connected for a long time to avoid suspicious multiple login events.

This also gives them time to extract as much data as possible before being detected.






3. Unusual Google mail activity

Attackers understand that users are usually too busy to stop and investigate minor email irregularities that get lost in the noise of daily events.

For example, when missing an urgent email from a colleague, most employees would have the sender ‘resend it’ ASAP, rather than stop and investigate the cause. 

Building on that, attackers tend to:

  1. Set up email forwarding rules to send mail to an external address.
  2. Delete incoming mail.
  3. Create new folders with unsuspicious names like “Events” to use as a new inbox within a compromised account.
  4. Send out emails with phishing links from the compromised account to internal users to establish a sense of trust.
  5. Send out spam emails with a comically large BCC count.

There are two ways to stay one step ahead of attackers here:

  1. Set up Gmail alerts for suspicious activity. This is one of the most effective ways to stay on top of these signs.
  2. Use a phishing incident response tool to control the spread of the damage if you ever have to deal with scenario #4.
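One way to check a mailbox for the first three behaviours listed above, as an added example that is not part of the original post. The sample filters are constructed and shaped like Gmail API `users.settings.filters` resources; the home domain, ids and addresses are assumptions.

```python
HOME_DOMAIN = "example.com"   # assumed Workspace domain for this example

# Constructed sample filters (criteria + action); ids and addresses are made up.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@vendor.example"},
     "action": {"addLabelIds": ["Label_7"]}},
    {"id": "f2", "criteria": {"query": "invoice OR payment"},
     "action": {"forward": "drop@mailbox.example", "removeLabelIds": ["INBOX"]}},
    {"id": "f3", "criteria": {"from": "it-helpdesk@example.com"},
     "action": {"addLabelIds": ["TRASH"]}},
    {"id": "f4", "criteria": {},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX", "UNREAD"]}},
]

def audit_filters(filters, home_domain=HOME_DOMAIN):
    """Return {filter id: [reasons]} for filters that forward, delete or hide mail."""
    findings = {}
    for flt in filters:
        action = flt.get("action", {})
        added = set(action.get("addLabelIds", []))
        removed = set(action.get("removeLabelIds", []))
        reasons = []
        forward = action.get("forward", "")
        # Behaviour 1: forwarding to an address outside the home domain.
        if forward and forward.rsplit("@", 1)[-1].lower() != home_domain:
            reasons.append(f"forwards to external address {forward}")
        # Behaviour 2: matching mail is sent straight to the bin.
        if "TRASH" in added:
            reasons.append("deletes matching mail")
        # Behaviour 3: mail is kept out of the inbox (and possibly marked read).
        if "INBOX" in removed:
            suffix = " and marks as read" if "UNREAD" in removed else ""
            reasons.append("skips the inbox" + suffix)
        if reasons:
            findings[flt["id"]] = reasons
    return findings

if __name__ == "__main__":
    for filter_id, reasons in audit_filters(SAMPLE_FILTERS).items():
        print(filter_id, "; ".join(reasons))
```

An ordinary labelling filter (`f1` in the sample) produces no finding, so the output stays limited to rules that move mail out of the owner's sight or out of the domain.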


4. Suspicious Drive File Sharing Activity

This is a huge RED FLAG that requires instant investigation.

Things like unknown sharing parties or spikes in file sharing, downloads or transfers can all indicate that your domain has been compromised.

These activities could also signal that your domain is leaking data or is infected with malware, which also requires prompt investigation.

To get a general view into Drive file shares simply visit the File Exposure Report in your admin console.

Going beyond admin console Drive audit capabilities?

Dig up more granular insights on Drive file shares & Set up powerful Drive DLP rules & alerts beyond those available in the admin console using GAT+ (Watch this video to learn more).


Dealing with a Compromised Google Workspace Account situation? — Here’s what to do:


If you have suspicions about a particular account(s), we recommend first checking with the account owner(s). Maybe they’ve been abroad recently, logged in from a new device or forgot their password, etc.

If you confirm that the account in question has in fact been compromised, promptly follow the security steps outlined by Google here.

Remember, speed is crucial here. You’d want to make sure that the lag time between spotting one of those tell-tale signs and investigating and addressing it isn’t too long.

Finally, users should also be advised to run Google’s Security Checkup from time to time to review security-related activity on their accounts. It literally takes a few seconds.


Need more help identifying a compromised Google Workspace account or want to learn more about how GAT can help you ramp up your domain’s security? — Contact our team here. We’ll be happy to help!
