Work through these steps in order. Do not stop after step 1 — a password reset alone is not enough.
Step 1 — Reset the password
- Google Admin Console (admin.google.com) → Users → select user → Reset Password
- Use a strong, unique password of at least 16 characters — don't reuse any previous password
- Tick Require a password change at the next sign-in
- Tell the user the new password by phone — not by email
If the attacker already changed the password, the Admin Console reset will override it regardless.
Step 2 — Kill all active sessions
- Admin Console → Users → select user → Reset Sign-in Cookies — this immediately signs the user out of all active sessions on all devices
- To revoke OAuth tokens: Admin Console → Users → select user → Security → Connected apps → revoke access for all apps until the account is verified clean
- Wait a few minutes, then check Admin Console → Reports → Login audit for any new sign-in activity
Resetting the password alone won't end active sessions. The attacker may still be connected — this step cuts them off immediately.
Step 3 — Enable 2-Step Verification and clean up enrolled methods
- Admin Console → Security → 2-step verification → enforce 2SV for the affected user (or their OU)
- Admin Console → Users → select user → Security → 2-step verification enrolled methods — remove any methods the user doesn't recognise (backup codes, authenticator apps, backup phone numbers, security keys)
- Require the user to re-enrol a fresh 2SV method at next sign-in
If the attacker enrolled their own authenticator or security key, simply enabling 2SV won't stop them — they'll approve their own prompt. Always audit enrolled methods.
Step 4 — Remove malicious Gmail filters and forwarding
- Sign into Gmail as the user (or via admin impersonation) → Settings (gear icon) → See all settings → Filters and Blocked Addresses — delete any filters not created by the user
- Settings → Forwarding and POP/IMAP — disable any forwarding addresses; note the address for your investigation
- Settings → Accounts → Grant access to your account — remove any delegates the user doesn't recognise
- Check for admin-set routing rules: Admin Console → Apps → Google Workspace → Gmail → Routing — look for unexpected rules on this user or their OU
Attackers commonly set filters to delete bounce-backs and security notifications so the account owner notices nothing.
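The check described in this step, as an added example that is not part of the original guide: it takes filter and auto-forwarding objects in the shape the Gmail API returns (users.settings.filters.list and users.settings.getAutoForwarding) and flags filters that trash or archive security notices and bounce-backs, and filters or forwarding that push mail outside the organisation's domain. The sample data and the domain corp.example are constructed.

```python
"""Triage Gmail filters and auto-forwarding for attacker-style persistence.
Added example, not the guide's own tooling. Input dicts follow the Gmail API
filter resource ("id", "criteria", "action") and the autoForwarding resource.
"""

# Terms attackers typically match to silence warnings and bounce-backs
SUSPICIOUS_TERMS = ("password", "security alert", "suspicious", "sign-in", "2-step",
                    "verification", "mailer-daemon", "undeliver", "delivery status")
HIDE_LABELS = {"TRASH", "SPAM"}  # adding either label makes the mail vanish from view

def _is_external(address, org_domain):
    """True when the address lies outside the organisation's own domain."""
    return bool(address) and not address.lower().endswith("@" + org_domain.lower())

def triage_filters(filters, org_domain):
    """Return (filter_id, reason) for each filter that matches a hostile pattern."""
    findings = []
    for f in filters:
        criteria, action = f.get("criteria", {}), f.get("action", {})
        text = " ".join(str(v) for v in criteria.values()).lower()
        hides = (bool(HIDE_LABELS & set(action.get("addLabelIds", [])))
                 or "INBOX" in action.get("removeLabelIds", []))
        if hides and any(term in text for term in SUSPICIOUS_TERMS):
            findings.append((f["id"], "hides security notices or bounce-backs"))
        if _is_external(action.get("forward"), org_domain):
            findings.append((f["id"], "forwards to external address " + action["forward"]))
    return findings

def triage_forwarding(setting, org_domain):
    """Return a reason when auto-forwarding leaves the tenant, else None."""
    addr = setting.get("emailAddress")
    if not setting.get("enabled") or not _is_external(addr, org_domain):
        return None
    gone = " (originals trashed)" if setting.get("disposition") == "trash" else ""
    return "auto-forwards to " + addr + gone

# Constructed sample: one benign filter, one that trashes alerts, one that exfiltrates
SAMPLE_FILTERS = [
    {"id": "filter-1", "criteria": {"from": "newsletter@vendor.example"},
     "action": {"removeLabelIds": ["INBOX"]}},
    {"id": "filter-2", "criteria": {"query": 'password OR "security alert" OR mailer-daemon'},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "filter-3", "criteria": {"subject": "invoice"},
     "action": {"forward": "collector@outside.example"}},
]
SAMPLE_FORWARDING = {"enabled": True, "emailAddress": "collector@outside.example",
                     "disposition": "trash"}

if __name__ == "__main__":
    print(triage_filters(SAMPLE_FILTERS, "corp.example"), triage_forwarding(SAMPLE_FORWARDING, "corp.example"))
```

In a live investigation, feed the output of the Gmail API (or an admin impersonation tool that exports the same objects) to these functions and delete every flagged filter ID; record any external address before removing it.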
Step 5 — Review and remove malicious OAuth app access
- Admin Console → Security → API controls → Manage Third-Party App Access — filter by the affected user and review all connected apps
- Also check at the user level: Admin Console → Users → select user → Security → Connected apps
- Revoke any app you don't recognise — pay particular attention to apps with https://mail.google.com/ scope (full Gmail access)
A malicious OAuth app retains access even after a password reset and session revocation. This is one of the most common attacker persistence mechanisms.
Step 6 — Check connected devices
- Admin Console → Devices → Mobile & endpoints — remove any device the user doesn't recognise
- Check Admin Console → Reports → Audit and investigation → Gmail log events — look for IMAP/POP client connections from unexpected locations
- If your organisation doesn't use IMAP/POP, disable it: Admin Console → Apps → Google Workspace → Gmail → End User Access — turn off IMAP and POP
IMAP and POP access bypasses 2-Step Verification entirely and is a common initial access vector.
Step 7 — Warn recipients
- Get the full recipient list: Admin Console → Reports → Audit and investigation → Gmail log events → filter by sender (compromised account) and action = Message sent → export results
- Send a warning from a senior contact — not from the compromised account — advising recipients to delete the suspicious emails without opening attachments or clicking links
- If any recipients say they opened an attachment or clicked a link, treat their accounts as potentially compromised
Don't delay notifying recipients while waiting for the full investigation — send warnings as soon as containment is confirmed.
Step 8 — Harden the rest of the tenant
Once this account is secured, take these steps across the whole Google Workspace tenant:
- Enforce 2-Step Verification for all users: Admin Console → Security → 2-step verification → Enforcement: On
- Disable Less Secure App Access and IMAP/POP tenant-wide unless there's a documented reason not to
- Review all Super Admin and delegated admin accounts for unexpected additions
- Enable Google Workspace Audit Logging and confirm Reports data retention is set appropriately
- Consider enabling Context-Aware Access (requires BeyondCorp Enterprise) to restrict sign-ins from unmanaged devices or untrusted networks
Next: once contained, investigate how the attacker got in: Investigating a Google Workspace Mailbox Breach