Google Workspace account disabled

ID: google_workspace_account_disabled
Data type: Google Workspace
Severity: Medium
MITRE ATT&CK: TA0040:T1531

Description

AlphaSOC detected that a Google Workspace account was disabled. Account disabling is typically performed by administrators to revoke access for departing employees, during security incidents, or as part of account lifecycle management. Unexpected account disabling may indicate unauthorized administrative access.

Impact

Disabling accounts can disrupt business operations by preventing users from accessing email, documents, and other Google services. This could be part of a broader campaign to cause operational disruption, cover tracks after data exfiltration, or deny access to key personnel during an incident.

Severity

| Severity | Condition        |
|----------|------------------|
| Medium   | Account disabled |

Investigation and Remediation

Review Google Workspace Admin audit logs to identify who disabled the account and when. Verify whether the action was authorized and performed by legitimate administrators as part of normal operations.

If unauthorized, immediately investigate how the attacker gained administrative access. Review other administrative actions performed by the same principal. Re-enable the affected account if appropriate and reset credentials for any compromised administrator accounts.
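
The review described above, as an added example (not AlphaSOC's or Google's code). It assumes the audit records were exported from the Admin SDK Reports API for the admin application and that the disable action is recorded as a `SUSPEND_USER` event carrying a `USER_EMAIL` parameter; the sample records, the `authorized_admins` allow list and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta

def _rec(time, actor, ip, name, user):
    # One constructed record in the Reports API activity shape.
    return {"id": {"time": time}, "actor": {"email": actor}, "ipAddress": ip,
            "events": [{"name": name,
                        "parameters": [{"name": "USER_EMAIL", "value": user}]}]}

# Constructed sample data, not real logs.
SAMPLE = [
    _rec("2024-05-02T09:58:10Z", "helpdesk@example.com", "203.0.113.50", "CHANGE_PASSWORD", "carol@example.com"),
    _rec("2024-05-02T10:05:00Z", "helpdesk@example.com", "203.0.113.50", "SUSPEND_USER", "alice@example.com"),
    _rec("2024-05-02T10:06:30Z", "helpdesk@example.com", "203.0.113.50", "ASSIGN_ROLE", "helpdesk@example.com"),
    _rec("2024-05-02T11:00:00Z", "it-admin@example.com", "198.51.100.7", "SUSPEND_USER", "bob@example.com"),
    _rec("2024-05-04T10:00:00Z", "helpdesk@example.com", "203.0.113.50", "CHANGE_PASSWORD", "dave@example.com"),
]

def _when(act):
    return datetime.fromisoformat(act["id"]["time"].replace("Z", "+00:00"))

def _target(event):
    return next((p.get("value") for p in event.get("parameters", [])
                 if p.get("name") == "USER_EMAIL"), None)

def disable_events(activities, account):
    """Who disabled `account`, when, and from which IP address."""
    hits = [{"time": _when(a), "actor": a.get("actor", {}).get("email"), "ip": a.get("ipAddress")}
            for a in activities for e in a.get("events", [])
            if e.get("name") == "SUSPEND_USER" and _target(e) == account]
    return sorted(hits, key=lambda h: h["time"])

def actor_actions(activities, actor, around, window=timedelta(hours=24)):
    """Every admin action by `actor` within `window` of the disable event."""
    rows = [(_when(a), e.get("name"), _target(e), a.get("ipAddress"))
            for a in activities for e in a.get("events", [])
            if a.get("actor", {}).get("email") == actor and abs(_when(a) - around) <= window]
    return sorted(rows, key=lambda r: r[0])

def triage(activities, account, authorized_admins):
    """Flag each disable event and attach the actor's other recent actions."""
    report = []
    for hit in disable_events(activities, account):
        others = [r for r in actor_actions(activities, hit["actor"], hit["time"])
                  if (r[1], r[2]) != ("SUSPEND_USER", account)]
        report.append({**hit, "authorized": hit["actor"] in authorized_admins,
                       "other_actions": others})
    return report
```

Calling `triage(SAMPLE, "alice@example.com", {"it-admin@example.com"})` returns one entry with `authorized` set to `False` and the same principal's password change and role assignment listed under `other_actions`.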

Known False Positives

  • Standard offboarding procedures for departing employees
  • Security team disabling accounts during incident response