Skip to content
  • search.more.net
  • Missouri OER Hub
  • Support
  • MyMOREnet
MOREnet logo
  • Solutions
    • Connectivity
      • Internet Connection
        • Network Tools
          • Bandwidth Comparison Simulator
          • Bandwidth Download Simulator
          • Backbone Usage Map
          • Router Looking Glass
        • Service Notifications
      • DNS Hosting
      • DNS Registration
      • E-Rate
        • E-Rate Support Material
          • E-Rate Training Schedule
          • E-Rate Training Videos
          • E-Rate Documents and Statistics
      • Internet2
      • WAN Connectivity
    • Security and Data Privacy
      • MSIP 6 Standards
      • Connection Security
        • Firewall
        • Akamai Secure Internet Access
      • Employee and End-User Security and Education
        • Infosec IQ
        • Keeper
          • Keeper Security and Vault Transfer FAQs
      • Network Security
        • Virtual Servers
        • Content Filtering
          • Fortinet
          • Akamai Secure Internet Access
        • Cybersecurity Assessment
        • Endpoint Detection and Response
          • Thirtyseven4
          • ThreatDown Powered by Malwarebytes
      • Data Privacy
        • Student Privacy
          • Missouri Student Privacy Alliance
          • The Education Cooperative (TEC) Data Privacy Agreement (DPA) Service
        • Privacy Best Practices
    • Network Solutions
      • Regional Support
      • LAN Services
        • Managed Networking
        • Threat Management Solution (powered by Fortinet)
        • Network Assessments
        • Network Consulting
      • Backup and Archiving
        • Network Backup
        • SecondWeb
      • Virtual Servers
      • Website Services
        • Web Hosting
        • Web Accessibility Guide
      • Wireless
        • Aruba
        • eduroam
        • Wireless Surveys
    • Classroom Tools and Resources
      • Online Resources
        • Included Online Resources with MSP
        • For Fee Online Resources
      • K-20 Interoperable Data Solution (KIDS)
        • MOREnet KIDS
        • KIDS Ed-Fi
      • Missouri OER Hub
    • Collaboration
      • Video Resources
        • Managed Video Classroom
      • Discussion Lists
      • Microsoft Licensing
    • Consortium Discounts
  • Community
    • Community
    • Professional Development
      • Training Schedule
        • On-Demand Training
      • Artificial Intelligence
      • The MILL
      • Computer Science Standards
        • Computer Science Training
      • Getting Started With Tech
      • Course Information
        • In-services
        • Trainer Profiles
        • Graduate Credit
        • Contracted Training
      • Subscribe to our Newsletter
    • Events
      • Annual Conference
      • Technical Training Summit
      • Columbia Sleeping Room Rates for In-person Training
    • Missouri Cybersecurity Challenge
      • Missouri Cybersecurity Challenge – FAQ
    • Collaborations
      • Esports
      • eduroam
      • K12TechPro
      • Public-Private Partnerships
        • Research and Education Networks
  • Membership
    • Membership
      • MyMOREnet
    • K-12 Public and Private
    • Public Library
      • REAL Program Goals
      • REAL Policies
        • REAL Membership
        • Connectivity
          • Connection Upgrade Process
          • Wireless Access at REAL Program Libraries
        • REAL E-Rate Requirements
    • Higher Education
      • Missouri Higher Education Information Technology (MoHEIT)
    • Nonprofit and Agency
    • Affiliates
  • Blog
Home ▸ Blog ▸ Investigating a Compromised Google Account

Investigating a Compromised Google Account

Cybersecurity blog banner - holiday scams

To aid in response to a suspected or known Google account compromise, consider the following questions and investigation tips. (This article is the second of a 2-part series related to a current scam targeting Google accounts. The first article in the serries “Part-Time Job Application Google Account Compromise Scam: Prevention and Training” discusses steps to take to help prevent the scam from occurring.)

Questions to Answer

  • How did this incident start? 
  • When did this start? 
  • What happened? 
  • Which accounts were compromised (all accounts)? 
  • What other files/data were accessed? 
  • What other single sign-on systems were accessed? 
  • What other email messages were viewed/deleted/etc.? 
  • What passwords could be compromised via Google password manager? 
  • What can be changed to prevent this from happening in the future? 

Mitigation

  • Revoke sign-in cookies- to prevent already logged in users from continuing to access the account.
  • Disable account- to prevent any actions while investigation begins.
  • Delete phishing email messages sent to other users within organization, if this function is available. (To find all emails with a specific subject, use Gmail message filter and add a filter of Attribute subject is.)

Investigation

  • Who clicked the link: Use Google investigation tool Gmail log events filter and add filter for Subject contains [email subject] and Event is – Link clicked. Consider revoking sign in cookies and forcing a password change for any user who clicked the link in the phishing attempt.
  • Where/When/Who accessed the compromised Google account: For user log events, Event is – successful login and User contains – [compromised account]. Look around the time of the known malicious use of the account and compare IP addresses for any logins. (Some IP addresses may be the user’s home location or the organization’s network. Look for any IP addresses that appear from different/unexpected locations.) Once suspicious IP addresses are found, check successful logins to any user accounts for that IP, to get a scope and history of the compromise.
  • Was Google Takeout used to export data from the compromised account: Check for Takeout log events where IP address contains [malicious IP].
  • Were Google Drive files accessed: Check Google Drive log events for the malicious IP address. Note: this data is only available for a period of time, so this should be prioritized early in an investigation.
  • Were the compromised user’s contacts exported: Check Contacts log events.
  • Check Single Sign-On events to see where the user’s account logged in, to see if the threat actor logged into other systems.
  • What other email messages were accessed/forwarded/deleted: Check Gmail log events for the malicious IP.
  • Any other user log events: Check User log events for the compromised account.

Notifying Other Organizations

If the phishing attempt originated from a compromised valid external account, call or email the originating organization’s IT department or main phone number.  

If your organization’s compromised user emailed external contacts, notify those contacts or their technical support.  In the notification, include sender/subject/other relevant information. For notifications to technical support, obfuscate any reference to malicious links, so the links don’t resolve. (Example: put “[.]” around dots in the link.) In the notification, include the advice that any user who clicked link/interacted with the email message should notify their technical support. 

Recovery

When the investigation is complete, the compromised account access may be restored. Consider implementing multi-factor authentication requirements for the compromised account, and others accounts for the same group of users, if this is not already in place. If the compromised account had MFA already in place, consider moving to passkey instead of password authentication, or restricting MFA options to remove the vector of compromise. Initiate a password change with the valid user, where password change is required upon sign in. The password reset conversation with the user may include coaching on strong password habits and use of a secure password manager, also.

Incident After-Action

Throughout any cyber incident, including an account compromise, document and all findings and actions. The documentation can be used to create an after-action report. After an incident, assemble leadership and responders to discuss the incident process, findings, and next steps to prevent future incidents of this type.

MOREnet members may also contact MOREnet Cybersecurity for assistance during account compromise situations.

Blog, Employee and End-User Security and Education, Security and Data PrivacyGoogle account compromise, incident response

Post navigation

Student Data Privacy 101: Compliance and Resources
Teen Health and Wellness: Real life. Real Answers.

Author

Sonia Kesselring

Published

January 7, 2026

Subscribe to our Blog

Want to receive notifications when we post new blog entries? Sign up here!

Subscribe

About us
  • MOREnet History
  • MOREnet Leadership
  • The MOREnet Network
  • Research

Resources

  • Employment Opportunities
  • Backbone Usage Map
  • Questions or Comments?
  • Publications

Policies

  • Service Policies
  • Terms and Conditions
  • Payment Policy
  • Membership Pricing Information

Connect with us

  • Contact Us
  • Locate Us
  • X (Twitter)
  • LinkedIn
  • Facebook

Subscribe to Our Newsletter

Sign up for our monthly newsletter about professional development opportunities and resources for educators.

Subscribe

Copyright © Curators of the University of Missouri. All rights reserved. Copyright, DMCA, privacy information
Proudly powered by WordPress | Education Hub by WEN Themes