
Detailed Tips for Investigating a Google Account Compromise 

This information is intended to assist with the investigation and mitigation of a compromised organizational Google account. Note: more investigation beyond the steps in this document may be necessary to determine the full extent of the event, including whether or not any other accounts were compromised or data was breached. In addition, following the organization’s incident response plan, if appropriate, is recommended.

Questions to consider: 

  • How did this incident start? 
  • When did this start? 
  • What happened? 
  • Which accounts were compromised (all accounts)? 
  • What other files/data were accessed? 
  • What other SSO systems were accessed? 
  • What other email messages were viewed/deleted/etc.? 
  • What passwords could be compromised via Google password manager? 
  • What can be changed to prevent this from happening in the future? 

Immediate First Steps (Containment)

In the Google Admin Console, within the Users section:

  1. Reset the password for the user.

Within the Security tab:

  1. Click on Sign-in Cookies and click Reset.
  2. Under Connected applications and devices, click the edit pencil and then delete (trash can) next to each application.
  3. Suspend the user account as needed during the investigation.

Additional Investigation 

Accessing Google Investigation Search:

Education Plus Version: Log into the Google Admin console, then go to Security, then Investigation Tool.

Google Workspace Free Version: Go to the Audit and Investigation page in the Admin console.

Who clicked the link:

  1. Use the Gmail message filter.
  2. For Sender is, choose the phish sender’s account.
  3. For Recipient is, choose an account that received the message.
  4. Find a copy of the email that was sent, then copy that email’s subject.
  5. New search: for the attribute Subject is, paste the subject of the email that was sent.
  6. Delete all the emails that were sent internally (Education Plus only).
  7. Then check Gmail log events.
  8. For Event is, choose: link click.
  9. For Subject contains, enter [subject of the email sent].
  10. For any user who appears in this search, force a password change.
  11. Check the login events for each of the users who clicked the link.


When/Where/IP that logged into the compromised account(s):

  1. Go back to the original user account that is now disabled.
  2. Choose User log events.
  3. For Event is, choose: successful login.
  4. For User contains, enter the compromised user’s account.
  5. Check the IP addresses of the login events, ruling out the building IP and the user’s home network IP. The compromised IP address may show “is suspicious” as true, and the country of origin may be different from the US.
  6. Find the date and time of the compromise, then check the user’s emails from then and prior to find any earlier suspicious messages.
  7. Once you find the root cause email, check for other users who clicked the link in the root cause message.

Note: the original email compromise may have occurred days or weeks prior to the latest email messages going out from the organization.
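As an added example (not part of the original post), a small Python triage of successful-login records in the shape the Admin SDK Reports API returns for applicationName=login: it drops logins from IPs you have already explained, surfaces the is_suspicious parameter, and sorts the remainder oldest first, so the first row is the earliest unexplained login and the point from which to review the mailbox backwards. The records, addresses and user below are constructed sample data; pulling real records from the API is assumed to happen elsewhere.

```python
# Constructed sample records in the shape the Admin SDK Reports API returns for
# applicationName=login (sample data, not real logs): two from explained IPs, one flagged.
SAMPLE_LOGIN_EVENTS = [
    {"id": {"time": "2026-02-10T13:02:11.000Z", "applicationName": "login"},
     "actor": {"email": "jdoe@example.edu"}, "ipAddress": "203.0.113.10",
     "events": [{"name": "login_success", "parameters": [
         {"name": "login_type", "value": "google_password"},
         {"name": "is_suspicious", "boolValue": False}]}]},
    {"id": {"time": "2026-02-12T03:41:57.000Z", "applicationName": "login"},
     "actor": {"email": "jdoe@example.edu"}, "ipAddress": "198.51.100.77",
     "events": [{"name": "login_success", "parameters": [
         {"name": "login_type", "value": "google_password"},
         {"name": "is_suspicious", "boolValue": True}]}]},
    {"id": {"time": "2026-02-12T08:15:03.000Z", "applicationName": "login"},
     "actor": {"email": "jdoe@example.edu"}, "ipAddress": "192.0.2.5",
     "events": [{"name": "login_success", "parameters": [
         {"name": "is_suspicious", "boolValue": False}]}]},
]

# IPs already ruled out per the steps above: building egress and the user's home network.
KNOWN_GOOD_IPS = {"203.0.113.10", "192.0.2.5"}

def flagged_suspicious(record):
    """True if a login_success event in the record carries is_suspicious=true."""
    for ev in record.get("events", []):
        if ev.get("name") != "login_success":
            continue
        for p in ev.get("parameters", []):
            if p.get("name") == "is_suspicious" and p.get("boolValue"):
                return True
    return False

def triage_logins(records, known_good_ips):
    """Successful logins from unexplained IPs, oldest first, as
    (time, actor, ip, suspicious); ISO-8601 UTC timestamps sort as strings.
    The first tuple is the earliest candidate compromise."""
    hits = []
    for r in records:
        ip = r.get("ipAddress")
        if ip in known_good_ips or not any(
                e.get("name") == "login_success" for e in r.get("events", [])):
            continue
        hits.append((r["id"]["time"], r["actor"]["email"], ip, flagged_suspicious(r)))
    return sorted(hits)

if __name__ == "__main__":
    for t, actor, ip, susp in triage_logins(SAMPLE_LOGIN_EVENTS, KNOWN_GOOD_IPS):
        print(f"{t} {actor} from {ip} suspicious={susp}")
```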

Did the malicious IP use Google Takeout to mass-export?

  1. Look at Takeout log events.
  2. For IP address contains, enter [malicious IP].

Look at Single Sign-On events (were other systems accessed via SSO?):

  1. Look at SAML log events.
  2. For IP address contains, enter [malicious IP].
  3. For Actor contains, choose the compromised account.

Were contacts exported?

  1. Look at Contacts log events.
  2. For Actor contains, choose the compromised account.
  3. Verify whether contacts were exported, and consider what information was exported (for example: home phone numbers, addresses, etc.).

Check Google Drive log events

These are only retained for a limited time; check them as soon as you know an account was compromised.

  1. For IP address contains, choose the compromised IP address.
  2. This will show documents that were shared, deleted, viewed or edited.

What other email messages were accessed, forwarded or deleted?

These are only retained for a limited time; check them as soon as you know an account was compromised.

  1. Gmail log events: for IP address contains, choose the compromised IP address.
  2. Check what email was accessed, forwarded or deleted.

Additional User log events

  1. Choose User log events.
  2. For User contains, choose the compromised account.

Other Systems 

If the user stores passwords in Google or uses single sign-on for other systems, also check logs for those systems to see when the user’s account accessed the system/data. 

Notifying Other Organizations 

If the phishing attempt originated from a compromised valid account, call or email the originating organization’s IT department or main phone number.  

If your organization’s compromised user emailed external contacts, notify those contacts or their technical support. In the notification, include:

  • Sender
  • Email subject
  • Other confirmed and relevant information about the email, such as details of what happens if the user clicks the link or opens the attachment
  • For notifications to technical support, obfuscate (change) any reference to malicious links so the links don’t resolve. (Example: replace “https” with “hxxp” and add brackets “[.]” around the dots in the link.)
  • Include the advice that any user who clicked the link or interacted with the email message should notify their technical support.
  • If applicable, advise recipients to:
    • Revoke all sign-in cookies/sessions
    • After revoking, change their password
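An added example, not from the original post, of the link obfuscation described above: it rewrites the scheme prefix http to hxxp (so https becomes hxxps) and brackets every dot in the host part of each URL found in a notification body, leaving the path intact so the receiving support team can still recognise it. The sample notice text and domain are constructed.

```python
import re

# Matches http(s) URLs in free text; trailing sentence punctuation is handled in defang_text.
URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?"


def defang_url(url):
    """Rewrite one URL so mail clients and humans will not resolve it:
    scheme prefix http -> hxxp (so https -> hxxps) and every dot in the
    host part -> [.]; path and query are left alone for the analyst."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    scheme = re.sub(r"^http", "hxxp", scheme, flags=re.IGNORECASE)
    return f"{scheme}://{host.replace('.', '[.]')}{sep}{path}"


def defang_text(text):
    """Defang every URL in a notification body, keeping trailing punctuation as-is."""
    def repl(match):
        url = match.group(0)
        stripped = url.rstrip(TRAILING_PUNCT)
        return defang_url(stripped) + url[len(stripped):]
    return URL_RE.sub(repl, text)


# Constructed notification body (sample text, not from a real incident).
SAMPLE_NOTICE = ("Subject: Shared document. Link in message: "
                 "https://drive-share.example.net/open?id=123. Please advise.")

if __name__ == "__main__":
    print(defang_text(SAMPLE_NOTICE))
```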

Notes: 

  • Avoid advising whether or not recipients should delete the email message. 
  • Avoid statements regarding data being compromised or not compromised unless advised by legal counsel. 


Additional Mitigation and Protection

  • Ensure all organization devices are up to date on operating system and browser versions.
  • Consider re-imaging/wiping and re-installing Windows for any device where the user opened a malicious attachment or potentially interacted with malware via a link click.
  • Ensure email spoofing is prevented, if you have not already set up DMARC/DKIM/SPF:
    • Email Spoofing
    • Google Set up DMARC
    • Google Set up DKIM
    • Google Set up SPF
  • Set limits on max recipients by OU.
  • Establish the data region where Google data is stored (example: US-based servers only).
  • Enable advanced phishing and malware protections.
  • Enable Google Vault (data retention and incident investigation).
  • Tune role-based access (in addition to User and Super Admin, see the various other administrator access types).
  • Implement Data Loss Prevention rules to alert on accidental sharing of data such as banking information, credit card information, social security numbers, etc.

Additional settings to consider: 

  • Context-Aware Access  
  • Automatic AI classification of Google Drive files 

Additional Resources 

Blog articles:  

Mitigating a Successful Phish

Google: Identify and Secure a Compromised Account (for admin)

Google: Secure a Hacked Account (for admin) 

Google tips to secure a hacked account (for user) 

Gmail Quarantine 


Author

Sonia Kesselring

Published

February 19, 2026
