
Google Workspace account hijacked

ID: google_workspace_account_hijacked
Data type: Google Workspace
Severity: High
MITRE ATT&CK: TA0001:T1078

Description

AlphaSOC detected that Google has flagged a Workspace account as hijacked. This is a high-confidence determination by Google's security systems that the account has been taken over by an unauthorized party, typically resulting in immediate account suspension.

Impact

A hijacked account represents confirmed unauthorized access to organizational resources. Attackers with access to the account can read and send emails, access sensitive documents, impersonate the user, and potentially move laterally to other connected systems. Data exfiltration may have already occurred by the time Google detects the hijack.

Severity

Severity | Condition
High | Account confirmed hijacked by Google

Investigation and Remediation

Immediately treat this as a confirmed security incident. If possible, review all recent account activity, including emails sent, documents accessed, and application authorizations. Identify the initial compromise vector, such as phishing or credential theft.

Reset the user's password and revoke all active sessions and application permissions. Enable or verify multi-factor authentication. Review email forwarding rules and remove any unauthorized configurations. Notify affected parties of potential data exposure. Conduct a broader investigation to determine if other accounts were compromised using similar methods.
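
The review steps above can be started from exported audit records. The following is an added example, not AlphaSOC's or Google's code: it builds a pre-suspension timeline of sign-ins, OAuth grants, and external forwarding changes for each hijacked account. It assumes records shaped like Admin SDK Reports API activities; the event and parameter names (`account_disabled_hijacked`, `login_success`, `authorize`, `email_forwarding_out_of_domain`, `affected_email_address`, `app_name`, `email_forwarding_destination_address`) are assumptions to confirm against your tenant's logs, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# (applicationName, event name) pairs worth reviewing; names are assumptions, see lead-in.
REVIEW = {("login", "login_success"): "sign-in",
          ("token", "authorize"): "OAuth grant",
          ("user_accounts", "email_forwarding_out_of_domain"): "external forwarding"}

def _ts(a):
    return datetime.fromisoformat(a["id"]["time"].replace("Z", "+00:00"))

def _params(e):
    return {p["name"]: p.get("value") for p in e.get("parameters", [])}

def triage(activities, lookback_hours=72):
    """Map each hijacked account to (time, label, detail) rows from before the flag."""
    flagged = {}
    for a in activities:
        for e in a["events"]:
            if e["name"] == "account_disabled_hijacked":
                who = _params(e).get("affected_email_address") or a["actor"]["email"]
                flagged[who] = _ts(a)
    report = {who: [] for who in flagged}
    for a in sorted(activities, key=_ts):
        who, when = a["actor"]["email"], _ts(a)
        if who not in flagged or not (
                flagged[who] - timedelta(hours=lookback_hours) <= when <= flagged[who]):
            continue
        for e in a["events"]:
            label = REVIEW.get((a["id"]["applicationName"], e["name"]))
            if label:
                p = _params(e)
                detail = (p.get("app_name") or p.get("email_forwarding_destination_address")
                          or a.get("ipAddress"))
                report[who].append((when.isoformat(), label, detail))
    return report

def _act(time, app, email, ip, name, **params):  # builds one constructed record
    return {"id": {"time": time, "applicationName": app}, "actor": {"email": email},
            "ipAddress": ip, "events": [{"name": name, "parameters": [
                {"name": k, "value": v} for k, v in params.items()]}]}

# Constructed sample records (documentation addresses and domains only).
SAMPLE = [
    _act("2024-05-01T08:00:00Z", "login", "pat@example.com", "198.51.100.7", "login_success"),
    _act("2024-05-01T08:05:00Z", "token", "pat@example.com", "198.51.100.7", "authorize", app_name="Mail Sync Helper"),
    _act("2024-05-01T08:09:00Z", "user_accounts", "pat@example.com", "198.51.100.7", "email_forwarding_out_of_domain", email_forwarding_destination_address="box@example.net"),
    _act("2024-05-01T09:00:00Z", "login", "pat@example.com", None, "account_disabled_hijacked", affected_email_address="pat@example.com"),
    _act("2024-05-01T08:30:00Z", "login", "lee@example.com", "192.0.2.10", "login_success"),
    _act("2024-04-20T08:00:00Z", "login", "pat@example.com", "192.0.2.44", "login_success"),
]
```

Each row in the result is a lead for the remediation steps: grants to revoke, forwarding destinations to remove, and source addresses to search for across other accounts.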