Only start this once containment is complete (password reset, sessions reset, 2SV verified, filters removed). Investigating while the attacker still has access may alert them.
Use these steps to find out how they got in, what they did, and whether any other accounts are affected.
Step 1 — Review the Login audit log
Admin Console → Reports → Audit and investigation → Login audit — filter by the affected user, going back at least 30 days
Look for:
- Successful logins from unfamiliar IP addresses or countries
- Login type = IMAP or POP — these bypass 2SV entirely
- Logins flagged with a Suspicious login or Login challenge event
- Multiple failed logins followed by a success (password spray)
- Login application showing an unexpected OAuth app
If you find a suspicious successful login, check whether the user received a phishing email shortly beforehand — this link confirms the attack chain.
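As an added example (not code from this page or from Google), here are the Step 1 indicators expressed as a triage script over an exported set of Login audit events: a successful login from outside the user's usual IPs, an IMAP/POP login type, and a burst of failures from one IP just before a success. The field names, the baseline IP and the sample events are constructed stand-ins, not the console's export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: IPs the user normally logs in from (TEST-NET addresses).
KNOWN_IPS = {"203.0.113.10"}
SPRAY_WINDOW = timedelta(minutes=30)   # failures are counted within this window
FAIL_THRESHOLD = 3                     # failures before a success that count as spray/brute force

# Constructed sample of Login audit events for one user. The field names are a
# simplified stand-in for the console export, not Google's schema.
LOGIN_EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "ip": "203.0.113.10", "event": "login_success", "login_type": "google_password"},
    {"time": "2024-05-02T01:10:00Z", "ip": "198.51.100.7", "event": "login_failure", "login_type": "google_password"},
    {"time": "2024-05-02T01:12:00Z", "ip": "198.51.100.7", "event": "login_failure", "login_type": "google_password"},
    {"time": "2024-05-02T01:14:00Z", "ip": "198.51.100.7", "event": "login_failure", "login_type": "google_password"},
    {"time": "2024-05-02T01:15:00Z", "ip": "198.51.100.7", "event": "login_success", "login_type": "google_password"},
    {"time": "2024-05-02T01:40:00Z", "ip": "198.51.100.7", "event": "login_success", "login_type": "imap"},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")

def triage_logins(events, known_ips=KNOWN_IPS):
    """Return (time, ip, finding) tuples for the Step 1 indicators, oldest first."""
    findings = []
    recent_failures = defaultdict(list)   # ip -> timestamps of failures not yet followed by a success
    for ev in sorted(events, key=_ts):
        t, ip = _ts(ev), ev["ip"]
        if ev["event"] == "login_failure":
            recent_failures[ip].append(t)
            continue
        if ev["event"] != "login_success":
            continue
        # Indicator: successful login from an IP outside the user's baseline
        if ip not in known_ips:
            findings.append((ev["time"], ip, "success from unfamiliar IP"))
        # Indicator: IMAP/POP login type, which does not go through 2SV
        if ev["login_type"].lower() in ("imap", "pop"):
            findings.append((ev["time"], ip, "IMAP/POP login bypasses 2SV"))
        # Indicator: several failures from the same IP shortly before this success
        fails = [f for f in recent_failures[ip] if t - f <= SPRAY_WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            findings.append((ev["time"], ip, f"{len(fails)} failures then success (password spray)"))
        recent_failures[ip] = []   # a success closes the failure run for that IP
    return findings

if __name__ == "__main__":
    for when, ip, why in triage_logins(LOGIN_EVENTS):
        print(f"{when}  {ip:<15} {why}")
```

Replace the constructed list with the user's exported events and the baseline with the IPs you have confirmed with them; each finding then points at a login to cross-check against the phishing email timeline.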
Step 2 — Search the Gmail and Admin audit logs
Admin Console → Reports → Audit and investigation — run separate searches for the affected user across:
- Gmail log events — filter for Message sent, Filter created, Forwarding address added
- Drive audit — Download, View, Share events — did the attacker access sensitive files?
- Admin audit — any unexpected admin-level actions by or on the account
- OAuth token grant events — look for any third-party app being granted access during the compromise window
If audit log data is missing, check your retention settings — Workspace audit logs default to 180 days but this varies by licence.
Step 3 — Trace all sent emails
- Admin Console → Reports → Audit and investigation → Gmail log events
- Filter: Sender = compromised account, Action = Message sent, date range covering the compromise window
- Export the results — this gives you the full recipient list for notifications, the sending timeframe, and whether internal users were targeted
Check whether internal users received phishing emails — if so, treat those accounts as potentially compromised and investigate them separately.
Step 4 — Review Gmail filter and forwarding history
Even if you've already removed malicious filters, the audit log shows when they were created. Search Gmail log events for:
- Filter created — note the filter criteria, especially any that delete or archive messages
- Forwarding address added — note the destination address for your investigation
- Delegate added — did the attacker grant another account access to the mailbox?
Filters that delete messages (e.g. matching 'undelivered' or 'security alert') are a key indicator — attackers use these to hide the fact that the account is sending phishing.
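An added example, not part of the original runbook, that covers Steps 3 and 4 together: it extracts the de-duplicated recipient list (split into internal and external addresses) from Message sent events inside the compromise window, and lists the filter, forwarding and delegate changes made in that window, flagging filters that delete or archive mail. The tenant domain, window, field names and events are all constructed.

```python
INTERNAL_DOMAIN = "example.com"   # constructed: your own Workspace domain
# Constructed compromise window as UTC ISO-8601 strings (they compare correctly as text).
COMPROMISE_WINDOW = ("2024-05-02T01:00:00Z", "2024-05-03T00:00:00Z")

# Constructed sample of Gmail log events for the compromised account. Field
# names are a simplified stand-in for the console export, not Google's schema.
GMAIL_EVENTS = [
    {"time": "2024-05-01T09:00:00Z", "action": "Message sent", "recipients": ["bob@example.com"]},
    {"time": "2024-05-02T01:20:00Z", "action": "Filter created",
     "criteria": "subject:(undelivered OR 'security alert')", "filter_action": "delete"},
    {"time": "2024-05-02T01:25:00Z", "action": "Forwarding address added", "destination": "unknown@example.net"},
    {"time": "2024-05-02T01:30:00Z", "action": "Delegate added", "delegate": "helper@example.com"},
    {"time": "2024-05-02T02:00:00Z", "action": "Message sent",
     "recipients": ["carol@example.com", "partner@example.org", "bob@example.com"]},
    {"time": "2024-05-02T02:05:00Z", "action": "Message sent", "recipients": ["dave@example.com"]},
]

def in_window(ev, window=COMPROMISE_WINDOW):
    return window[0] <= ev["time"] <= window[1]

def sent_recipients(events, window=COMPROMISE_WINDOW, domain=INTERNAL_DOMAIN):
    """Step 3: sorted (internal, external) recipient lists for mail sent in the window.
    Internal recipients are the accounts to investigate separately."""
    internal, external = set(), set()
    for ev in events:
        if ev["action"] == "Message sent" and in_window(ev, window):
            for rcpt in ev["recipients"]:
                (internal if rcpt.endswith("@" + domain) else external).add(rcpt)
    return sorted(internal), sorted(external)

def persistence_changes(events, window=COMPROMISE_WINDOW):
    """Step 4: (time, kind, detail) for mailbox changes that hide or exfiltrate mail."""
    hits = []
    for ev in events:
        if not in_window(ev, window):
            continue
        if ev["action"] == "Filter created" and ev.get("filter_action") in ("delete", "archive"):
            hits.append((ev["time"], "hiding filter", ev["criteria"]))
        elif ev["action"] == "Forwarding address added":
            hits.append((ev["time"], "forwarding", ev["destination"]))
        elif ev["action"] == "Delegate added":
            hits.append((ev["time"], "delegate", ev["delegate"]))
    return hits

if __name__ == "__main__":
    print("recipients (internal, external):", sent_recipients(GMAIL_EVENTS))
    for when, kind, detail in persistence_changes(GMAIL_EVENTS):
        print(f"{when}  {kind:<14} {detail}")
```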
Step 5 — Verify enrolled 2-Step Verification methods
- Admin Console → Users → select user → Security → 2-step verification enrolled methods
- Have the user confirm every enrolled method — remove anything they don't recognise (backup codes, authenticator apps, phone numbers, security keys)
- Check Login audit for 2-step verification enrolled events during the compromise window to see if the attacker registered their own method
If the attacker enrolled their own security key or authenticator app, enabling 2SV alone won't stop them. Always audit enrolled methods before considering the account clean.
Step 6 — Check OAuth app consents
- Admin Console → Security → API controls → Manage Third-Party App Access — filter by the affected user
- Flag any app with https://mail.google.com/ scope (full Gmail access) or https://www.googleapis.com/auth/drive scope
- Cross-check with audit logs: search Gmail log events for OAuth token grant events
A malicious OAuth app survives password resets and session revocations. It's one of the most common attacker persistence mechanisms in Google Workspace.
Step 7 — Check for lateral movement
- Drive audit: did the account access or download files beyond its own — especially shared drives or sensitive folders?
- Did the attacker send phishing to internal users? If yes, treat those accounts as potentially compromised
- Check Google Chat/Meet logs for any messages or activity during the compromise window
- Check Admin audit for any admin-level actions — did the attacker attempt privilege escalation?
Step 8 — Identify how they got in
Use the data above to match the attack to one of these common vectors:
| Attack vector | Indicators in the logs | Remediation |
| --- | --- | --- |
| Phishing / credential theft | Successful login from unfamiliar IP shortly after a phishing email was received | Enforce 2SV, deploy anti-phishing protection, user awareness training |
| Password spray / brute force | Multiple failed logins from the same IP followed by a success | Enforce 2SV, enforce strong passwords, consider IP-based login restrictions |
| IMAP/POP abuse | Login via IMAP or POP — bypasses 2SV entirely | Disable IMAP/POP and Less Secure App Access tenant-wide |
| Session/cookie theft (AiTM) | Login appears legitimate but session continues from a different IP after authentication | Enable Context-Aware Access, require managed/compliant devices |
| OAuth consent phishing | Unexpected app with Gmail scope in Connected Apps | Restrict third-party app access, allowlist trusted apps only, revoke the app |
| Credential reuse | Successful login from unusual location, no prior failed attempts | Enforce unique passwords, deploy credential monitoring |
Investigation checklist
- Login audit reviewed — suspicious IPs/locations identified
- Gmail and Admin audit logs searched — filter changes, OAuth grants, file access
- Gmail log events traced — full recipient list exported
- Gmail filter and forwarding history reviewed (including delete filters)
- 2SV enrolled methods verified with the user
- OAuth app consents reviewed — malicious apps revoked
- Lateral movement checked (Drive, Chat, internal phishing)
- Initial access vector determined
- Findings documented and remediation confirmed