4 Tell-tale Signs of a Compromised Google Workspace Account (and What to Do Next)

How to identify and address a compromised Google Workspace account?

(Note: This post is for Google Workspace Admins. You’ll need an Admin account to perform most of the recommended actions below).

A Google account can be a pretty BIG target for cybercriminals. Especially if it’s rich with valuable data or sensitive information that attackers would ‘virtually’ kill for.

Today, with remote work and eLearning being the norm, cybercriminals are more determined than ever to leverage any security gaps in this remote shift to get in.

In fact, if we look at the biggest cloud security incidents since 2020, we’ll find that most of them craftily target standard users and busy employees to gain unauthorized access.

That’s why Google Workspace admins need to stay extra vigilant to any suspicious footprints by the doors of their domain.

In this blog post, we’ll help you learn how to identify and address compromised accounts on time. So keep on reading!

The 4 Tell-tale Signs of a Compromised Google Workspace Account

1. Unexpected Logins from Abroad 

Recently, while investigating logins to Google Workspace domains, our team noticed a large number of logins to domains from outside their home countries.

For companies allowing employees to work remotely from abroad, this would be normal, and cybercriminals are well aware of that.

That’s why, as an admin, you need to stay alert on suspicious logins from ‘unexpected’ areas outside your country or city.

Ideally, you’d prepare a whitelist of countries (or cities) where you’d expect remote employees to log in from. Then, you’d want to set up alerts for logins from outside the areas you specified. 

Quick Tip: You can use third-party tools like GAT+ to easily set up alerts for logins from ‘unexpected’ areas outside your city or country.

2. Failed Login Attempts

A spike in failed login attempts and password reset messages is another alarming sign. It means that someone trying to break into your domain. 

While attackers may fail a few times at first, how can you be sure they didn’t get it right eventually? 

To that, you need to check two areas in your admin console:

1. The user Login attempts report: To identify such spikes as you go. 
2. The Login audit log: To track and review user logins to your domain.

You can also share our blog post The 10 Do’s and Don’ts of Password Security with your users to help them improve their password security game.

Constant User Identity Verification for Google Workspace

You might be thinking “But why do I need to worry about that if I have Two-factor authentication (2FA) enabled for all users?’’

Well, after attackers have been able to disable 2FA in their attacks recently, it became obvious that Multifactor Authentication (MFA) is the safest Identity and Access Management (IAM) option today.

Additionally, hackers now tend to log in once only and stay connected for a long time to avoid suspicious multiple login events. 

This also gives them time to extract as much data as possible before being detected.

3. Unusual Google Mail Activity

Attackers understand that users are usually too busy to stop and investigate minor email irregularities that get lost in the noise of daily events.

For example, when missing an urgent email from a colleague, most employees would have the sender ‘resend it’ ASAP, rather than stop and investigate the cause. 

Building on that, attackers tend to:

1. Set up email forwarding rules to send mail to an external address.
2. Delete incoming mail.
3. Create new folders with unsuspicious names like “Events” to use as a new inbox within a compromised account.
4. Send out emails with phishing links from the compromised account to internal users to establish a sense of trust.
5. Send out spam emails with a comically large BCC count.

There are two ways to stay one step ahead of attackers here:

1. Setting up Gmail alerts for suspicious activity is one of the most effective ways to stay on top of these signs.
2. Use a phishing incident response tool to control the spread of the damage if you ever have to deal with scenario #4.

4. Suspicious Drive File Sharing Activity

This is a huge RED FLAG that requires instant investigation.

Things like unknown sharing parties, spikes in file sharing, file download, or transfer can all indicate that your domain has been compromised. 

These activities could also signal that your domain is leaking data. Or it is infected with malware, which also requires prompt investigation.

To get a general view of Drive file shares simply visit the File Exposure Report in your admin console.

Going beyond admin console Drive audit capabilities?

Dig up more granular insights on Drive file shares & Set up powerful Drive DLP rules & alerts beyond those available in the admin console using GAT+ (Watch this video to learn more).

Dealing with a Compromised Google Workspace Account situation? — Here’s what to do:

If you have suspicions about a particular account(s), we recommend first checking with the account owner(s). Maybe they’ve been abroad recently, logged in from a new device or forgot their password, etc.

If you confirm that the account in question has in fact been compromised, promptly follow the security steps outlined by Google here.

Remember, Speed is crucial here — You’d want to make sure that the lag time between spotting one of those tell-tale signs and investigating and addressing it isn’t too long.

Finally, users should also be advised to run Google’s security Checkup from time to time to review security-related activity on their accounts.  It literally takes a few seconds.

Need more help identifying a compromised Google Workspace account? Want to learn more about how GAT can help you ramp up your domain’s security? Contact our team here. We’ll be happy to help!