Work through these steps in order. Do not stop after step 1 — a password reset alone is not enough.
Step 1 — Reset the password
- Google Admin Console (admin.google.com) → Users → select user → Reset Password
- Use a strong, unique password of at least 16 characters — don't reuse any previous password
- Tick Require a password change at the next sign-in
- Tell the user the new password by phone — not by email
If the attacker already changed the password, the Admin Console reset will override it regardless.
Step 2 — Kill all active sessions
- Admin Console → Users → select user → Reset Sign-in Cookies — this immediately signs the user out of all active sessions on all devices
- To revoke OAuth tokens: Admin Console → Users → select user → Security → Connected apps → revoke access for all apps until the account is verified clean
- Wait a few minutes, then check Admin Console → Reports → Login audit for any new sign-in activity
Resetting the password alone won't end active sessions. The attacker may still be connected — this step cuts them off immediately.
Step 3 — Enable 2-Step Verification and clean up enrolled methods
- Admin Console → Security → 2-step verification → enforce 2SV for the affected user (or their OU)
- Admin Console → Users → select user → Security → 2-step verification enrolled methods — remove any methods the user doesn't recognise (backup codes, authenticator apps, backup phone numbers, security keys)
- Require the user to re-enrol a fresh 2SV method at next sign-in
If the attacker enrolled their own authenticator or security key, simply enabling 2SV won't stop them — they'll approve their own prompt. Always audit enrolled methods.
Step 4 — Remove malicious Gmail filters and forwarding
- Sign into Gmail as the user (or via admin impersonation) → Settings (gear icon) → See all settings → Filters and Blocked Addresses — delete any filters not created by the user
- Settings → Forwarding and POP/IMAP — disable any forwarding addresses; note the address for your investigation
- Settings → Accounts → Grant access to your account — remove any delegates the user doesn't recognise
- Check for admin-set routing rules: Admin Console → Apps → Google Workspace → Gmail → Routing — look for unexpected rules on this user or their OU
Attackers commonly set filters to delete bounce-backs and security notifications so the account owner notices nothing.
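The manual review above can be scripted so the same checks run the same way on every compromised mailbox. The following is an added example, not tooling from this article or from Google: it takes the JSON returned by the Gmail API methods users.settings.filters.list, users.settings.getAutoForwarding and users.settings.delegates.list and flags filters that forward mail externally or hide it (trash, spam, skip inbox, mark read), with a stronger flag when the filter criteria name the security notices and bounce-backs attackers suppress. The tenant domain, the list of confirmed delegates and all sample records are constructed for the example.

```python
"""Triage one mailbox's filters, auto-forwarding and delegates for attacker persistence.

Added example; not tooling from the article. Inputs use the JSON shapes returned by
the Gmail API methods users.settings.filters.list, users.settings.getAutoForwarding
and users.settings.delegates.list. INTERNAL_DOMAIN, KNOWN_DELEGATES and the sample
data are constructed assumptions for the example tenant.
"""

INTERNAL_DOMAIN = "example.com"               # assumed tenant domain
KNOWN_DELEGATES = {"assistant@example.com"}   # assumed: delegates the user confirmed

# Gmail system labels an attacker adds/removes so the owner never sees the mail.
HIDING_ADD = {"TRASH", "SPAM"}
HIDING_REMOVE = {"INBOX", "UNREAD"}
# Terms typical of the security notices and bounce-backs attackers suppress.
SUPPRESSION_TERMS = ("password", "security alert", "sign-in", "mailer-daemon",
                     "undeliverable", "delivery status", "suspicious")


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def triage_filters(filters):
    """Return (filter_id, reason) pairs for filters worth deleting or confirming."""
    findings = []
    for f in filters:
        fid = f.get("id", "?")
        action = f.get("action", {})
        criteria_text = " ".join(str(v) for v in f.get("criteria", {}).values()).lower()
        hiding = sorted(set(action.get("addLabelIds", [])) & HIDING_ADD) + \
                 sorted(set(action.get("removeLabelIds", [])) & HIDING_REMOVE)
        forward = action.get("forward")
        if forward and is_external(forward):
            findings.append((fid, "forwards matching mail to external address " + forward))
        if hiding:
            labels = ",".join(hiding)
            if any(term in criteria_text for term in SUPPRESSION_TERMS):
                findings.append((fid, "suppresses security/bounce mail (labels: " + labels + ")"))
            else:
                findings.append((fid, "hides matching mail (labels: " + labels + "); confirm with user"))
    return findings


def triage_forwarding(auto_forwarding):
    """Return a reason string if auto-forwarding is on, else None."""
    if not auto_forwarding.get("enabled"):
        return None
    target = auto_forwarding.get("emailAddress", "?")
    where = "external" if is_external(target) else "internal"
    return "auto-forwarding enabled to %s address %s (disposition: %s)" % (
        where, target, auto_forwarding.get("disposition", "?"))


def triage_delegates(delegates_response):
    """Return delegate addresses the user has not confirmed."""
    return [d["delegateEmail"] for d in delegates_response.get("delegates", [])
            if d["delegateEmail"].lower() not in KNOWN_DELEGATES]


# Constructed sample data in the API shapes (not real filters or addresses).
SAMPLE_FILTERS = [
    {"id": "flt-a", "criteria": {"from": "news@vendor.example"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_7"]}},
    {"id": "flt-b", "criteria": {"query": 'password OR "security alert" OR mailer-daemon'},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["UNREAD"]}},
    {"id": "flt-c", "criteria": {"to": "finance@example.com"},
     "action": {"forward": "collect@relay-mail.example"}},
]
SAMPLE_FORWARDING = {"enabled": True, "emailAddress": "collect@relay-mail.example",
                     "disposition": "trash"}
SAMPLE_DELEGATES = {"delegates": [
    {"delegateEmail": "assistant@example.com", "verificationStatus": "accepted"},
    {"delegateEmail": "helpdesk-temp@example.com", "verificationStatus": "accepted"},
]}

if __name__ == "__main__":
    for fid, why in triage_filters(SAMPLE_FILTERS):
        print("FILTER", fid, "-", why)
    print("FORWARDING", triage_forwarding(SAMPLE_FORWARDING))
    print("DELEGATES", triage_delegates(SAMPLE_DELEGATES))
```

Keep the filter IDs and forwarding address from the findings in the incident record before deleting anything; the forwarding target in particular is the lead for the next article's investigation.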
Step 5 — Review and remove malicious OAuth app access
- Admin Console → Security → API controls → Manage Third-Party App Access — filter by the affected user and review all connected apps
- Also check at the user level: Admin Console → Users → select user → Security → Connected apps
- Revoke any app you don't recognise — pay particular attention to apps with https://mail.google.com/ scope (full Gmail access)
A malicious OAuth app retains access even after a password reset and session revocation. This is one of the most common attacker persistence mechanisms.
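When a user has many connected apps, it helps to rank them by the access they hold so the full-Gmail-scope tokens are revoked first. The block below is an added example (not the article's or Google's tooling) that scores the JSON returned by the Directory API method tokens.list by the scopes each token carries, skips an assumed allowlist of approved client IDs, and produces the list of client IDs to revoke immediately. The scope weights, the allowlist and the sample tokens are constructed assumptions.

```python
"""Rank a user's OAuth tokens by the access they grant, to decide which to revoke first.

Added example, not the article's or Google's tooling. Input is the JSON shape of the
Directory API method tokens.list (items with clientId, displayText, scopes, anonymous,
nativeApp). The weights, APPROVED_CLIENT_IDS and the sample tokens are constructed
assumptions for the example tenant.
"""

# Scope -> (weight, description). Full Gmail access is weighted highest because it
# lets an app read, send and delete mail and survives password resets.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": (5, "full Gmail access"),
    "https://www.googleapis.com/auth/gmail.modify": (4, "read/modify Gmail"),
    "https://www.googleapis.com/auth/gmail.settings.basic": (4, "change filters/forwarding"),
    "https://www.googleapis.com/auth/gmail.readonly": (3, "read all Gmail"),
    "https://www.googleapis.com/auth/gmail.send": (3, "send mail as user"),
    "https://www.googleapis.com/auth/drive": (3, "full Drive access"),
    "https://www.googleapis.com/auth/contacts.readonly": (1, "read contacts"),
}
APPROVED_CLIENT_IDS = {"111111111111.apps.googleusercontent.com"}  # assumed allowlist


def score_token(token):
    """Return (score, reasons) for one token; higher means revoke sooner."""
    score, reasons = 0, []
    for scope in token.get("scopes", []):
        if scope in SENSITIVE_SCOPES:
            weight, desc = SENSITIVE_SCOPES[scope]
            score += weight
            reasons.append(desc)
    if token.get("anonymous"):   # app has an anonymous client ID (not registered with a name)
        score += 2
        reasons.append("anonymous app")
    if token.get("nativeApp"):   # installed app: token may live on a device you do not control
        score += 1
        reasons.append("native app")
    return score, reasons


def rank_tokens(token_list):
    """Non-approved tokens sorted by descending score, with the reasons for each score."""
    ranked = []
    for t in token_list.get("items", []):
        cid = t.get("clientId", "")
        if cid in APPROVED_CLIENT_IDS:
            continue
        s, why = score_token(t)
        ranked.append({"clientId": cid, "displayText": t.get("displayText", ""),
                       "score": s, "reasons": why})
    ranked.sort(key=lambda r: (-r["score"], r["clientId"]))
    return ranked


def revocation_plan(token_list, threshold=3):
    """Client IDs to revoke now: every non-approved token scoring at or above threshold."""
    return [r["clientId"] for r in rank_tokens(token_list) if r["score"] >= threshold]


# Constructed sample in the tokens.list shape (client IDs and names are made up).
SAMPLE_TOKENS = {"kind": "admin#directory#tokenList", "items": [
    {"clientId": "111111111111.apps.googleusercontent.com", "displayText": "Approved Backup",
     "anonymous": False, "nativeApp": False, "scopes": ["https://mail.google.com/"]},
    {"clientId": "222222222222.apps.googleusercontent.com", "displayText": "Invoice Viewer",
     "anonymous": True, "nativeApp": False,
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/gmail.settings.basic",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "333333333333.apps.googleusercontent.com", "displayText": "Room Booker",
     "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "444444444444.apps.googleusercontent.com", "displayText": "Contacts Sync",
     "anonymous": False, "nativeApp": True,
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
]}

if __name__ == "__main__":
    for r in rank_tokens(SAMPLE_TOKENS):
        print(r["score"], r["displayText"], r["clientId"], "; ".join(r["reasons"]))
    print("revoke now:", revocation_plan(SAMPLE_TOKENS))
```

During an active incident, lower the threshold to 1 so that everything outside the allowlist is revoked and the user re-authorises what they actually need afterwards; the ranking then only decides the order.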
Step 6 — Check connected devices
- Admin Console → Devices → Mobile & endpoints — remove any device the user doesn't recognise
- Check Admin Console → Reports → Audit and investigation → Gmail log events — look for IMAP/POP client connections from unexpected locations
- If your organization doesn't use IMAP/POP, disable it: Admin Console → Apps → Google Workspace → Gmail → End User Access — turn off IMAP and POP
IMAP and POP access bypasses 2-Step Verification entirely and is a common initial access vector.
Step 7 — Warn recipients
- Get the full recipient list: Admin Console → Reports → Audit and investigation → Gmail log events → filter by sender (compromised account) and action = Message sent → export results
- Send a warning from a senior contact — not from the compromised account — advising recipients to delete the suspicious emails without opening attachments or clicking links
- If any recipients say they opened an attachment or clicked a link, treat their accounts as potentially compromised
Don't delay notifying recipients while waiting for the full investigation — send warnings as soon as containment is confirmed.
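Building the recipient list from the exported log is the part of step 7 that is easy to get wrong under time pressure (wrong window, reply traffic from colleagues counted, the same partner contacted three times). The block below is an added example, not the article's own tooling: it reads a CSV export, keeps only "Message sent" events from the compromised account inside the compromise window, and splits recipients into internal ones (whose own accounts need checking) and external ones (who get the warning). The column layout is a constructed stand-in for a Gmail log events export and the domain, window and sample rows are constructed; map your real export's column names onto these before use.

```python
"""Build the recipient-warning list from an audit-log export of the compromised account.

Added example; not the article's own tooling. The CSV layout (Date, Event, Sender,
Recipient, Subject) is a constructed stand-in for an export from
Reports -> Audit and investigation -> Gmail log events. INTERNAL_DOMAIN, the
compromise window and the sample rows are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timezone

INTERNAL_DOMAIN = "example.com"   # assumed tenant domain

# Constructed sample export: one compromised user (jane@) sending during the window,
# plus a received message, a colleague's reply and a legitimate send the next day.
SAMPLE_EXPORT = """Date,Event,Sender,Recipient,Subject
2024-05-02T07:58:00Z,Message received,vendor@supplier.example,jane@example.com,Invoice 4431
2024-05-02T08:12:05Z,Message sent,jane@example.com,cfo@example.com,Urgent: updated bank details
2024-05-02T08:12:05Z,Message sent,jane@example.com,ap@partner.example,Urgent: updated bank details
2024-05-02T08:15:40Z,Message sent,jane@example.com,ap@partner.example,Re: updated bank details
2024-05-02T09:02:11Z,Message sent,jane@example.com,sales@customer.example,Shared document
2024-05-02T09:40:00Z,Message sent,tom@example.com,jane@example.com,Was that email from you?
2024-05-03T10:00:00Z,Message sent,jane@example.com,cfo@example.com,Sorry about yesterday
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def recipients_to_warn(csv_text, compromised, window_start, window_end):
    """Return {"internal": {...}, "external": {...}} mapping recipient ->
    {"count": n, "first": datetime, "subjects": [...]} for mail the compromised
    account sent inside the window."""
    out = {"internal": {}, "external": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Event"] != "Message sent" or row["Sender"].lower() != compromised.lower():
            continue
        ts = parse_ts(row["Date"])
        if not (window_start <= ts <= window_end):
            continue
        rcpt = row["Recipient"].lower()
        bucket = "internal" if rcpt.endswith("@" + INTERNAL_DOMAIN) else "external"
        entry = out[bucket].setdefault(rcpt, {"count": 0, "first": ts, "subjects": []})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        if row["Subject"] not in entry["subjects"]:
            entry["subjects"].append(row["Subject"])
    return out


def warning_rows(result):
    """Flat (recipient, bucket, count, first_seen_iso) rows sorted by first contact,
    ready to paste into the warning email or the incident ticket."""
    rows = []
    for bucket, entries in result.items():
        for rcpt, e in entries.items():
            rows.append((rcpt, bucket, e["count"], e["first"].isoformat()))
    rows.sort(key=lambda r: (r[3], r[0]))
    return rows


WINDOW_START = parse_ts("2024-05-02T08:00:00Z")   # assumed: first attacker sign-in
WINDOW_END = parse_ts("2024-05-02T12:00:00Z")     # assumed: containment confirmed

if __name__ == "__main__":
    res = recipients_to_warn(SAMPLE_EXPORT, "jane@example.com", WINDOW_START, WINDOW_END)
    for row in warning_rows(res):
        print(row)
```

Set the window from the first unexplained sign-in in the Login audit to the moment the session reset in step 2 was confirmed; if the start is uncertain, widen it rather than narrow it, since a missed recipient costs more than an unnecessary warning.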
Step 8 — Harden the rest of the tenant
Once this account is secured, take these steps across the whole Google Workspace tenant:
- Enforce 2-Step Verification for all users: Admin Console → Security → 2-step verification → Enforcement: On
- Disable Less Secure App Access and IMAP/POP tenant-wide unless there's a documented reason not to
- Review all Super Admin and delegated admin accounts for unexpected additions
- Enable Google Workspace Audit Logging and confirm Reports data retention is set appropriately
- Consider enabling Context-Aware Access (requires BeyondCorp Enterprise) to restrict sign-ins from unmanaged devices or untrusted networks
Next: once the account is contained, investigate how the attacker got in: Investigating a Google Workspace Mailbox Breach