Google Workspace suspicious login
Description
AlphaSOC detected a suspicious login to a Google Workspace account. Google identifies certain login attempts as suspicious based on factors such as unusual location, unfamiliar device, or login patterns inconsistent with the user's typical behavior.
Impact
Suspicious logins may indicate that threat actors have obtained valid credentials and are attempting to access organizational resources. Successful unauthorized access can lead to data theft, email compromise, document exfiltration, and lateral movement to other connected services.
Severity
| Severity | Condition |
|---|---|
| Low | Google Workspace suspicious login |
Investigation and Remediation
Review Google Workspace audit logs to identify the specific login event, including source IP address, device information, and geographic location. Verify with the user whether the login was legitimate.
If the login was unauthorized, immediately reset the user's password and revoke all active sessions. Enable multi-factor authentication if it is not already configured, or verify that it is enforced. Review the user's recent activity for signs of data access or exfiltration. Check for any email forwarding rules or third-party application permissions that may have been added since the login.
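The triage steps above can be partly automated against an export of the Google Workspace login audit log. The following Python helper is an added example written for this page; it is not AlphaSOC's or Google's code. Its record layout is modelled on the Admin SDK Reports API "login" application activity items (id.time, actor.email, ipAddress, events[].name, events[].parameters), the sample export is constructed, and the KNOWN_RANGES mapping of corporate and VPN egress networks is an assumption standing in for the allow list an organization would maintain itself. It flags each suspicious_login event, compares the source IP with the user's earlier successful logins, and separates events from known VPN ranges (a false-positive source listed below) from those that need the password reset and session revocation described above.

```python
"""Triage helper for Google Workspace suspicious-login alerts (added example)."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export in the shape of Reports API 'login' activity items.
SAMPLE_EXPORT = json.dumps({"items": [
    {"id": {"time": "2024-05-01T08:02:11.000Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "203.0.113.10",
     "events": [{"name": "login_success",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]},
    {"id": {"time": "2024-05-02T08:05:40.000Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "203.0.113.10",
     "events": [{"name": "login_success",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]},
    {"id": {"time": "2024-05-02T09:10:00.000Z"}, "actor": {"email": "bob@example.com"},
     "ipAddress": "203.0.113.22",
     "events": [{"name": "login_success",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]},
    {"id": {"time": "2024-05-03T03:14:59.000Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "198.51.100.77",
     "events": [{"name": "suspicious_login",
                 "parameters": [{"name": "login_type", "value": "google_password"},
                                {"name": "is_suspicious", "boolValue": True}]}]},
    {"id": {"time": "2024-05-03T09:00:00.000Z"}, "actor": {"email": "bob@example.com"},
     "ipAddress": "192.0.2.5",
     "events": [{"name": "suspicious_login",
                 "parameters": [{"name": "login_type", "value": "google_password"},
                                {"name": "is_suspicious", "boolValue": True}]}]},
]})

# Assumption: ranges the organization itself maintains (office egress, corporate VPN).
KNOWN_RANGES = {
    "corp-office": ipaddress.ip_network("203.0.113.0/24"),
    "corp-vpn": ipaddress.ip_network("192.0.2.0/24"),
}


def parse_login_events(raw_json):
    """Flatten activity items into one row per login event, oldest first."""
    rows = []
    for item in json.loads(raw_json).get("items", []):
        when = datetime.strptime(item["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        when = when.replace(tzinfo=timezone.utc)
        for ev in item.get("events", []):
            params = {p["name"]: p.get("value", p.get("boolValue"))
                      for p in ev.get("parameters", [])}
            rows.append({"time": when, "user": item["actor"]["email"],
                         "ip": item.get("ipAddress", ""), "event": ev["name"],
                         "login_type": params.get("login_type", "unknown")})
    return sorted(rows, key=lambda r: r["time"])


def label_ip(ip):
    """Name the known range an address falls in, or 'unknown' / 'invalid'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    for name, net in KNOWN_RANGES.items():
        if addr in net:
            return name
    return "unknown"


def triage(raw_json):
    """Return one finding per suspicious_login, judged against prior successful logins."""
    prior_ips = defaultdict(set)   # user -> IPs seen in earlier login_success events
    findings = []
    for r in parse_login_events(raw_json):
        if r["event"] == "login_success":
            prior_ips[r["user"]].add(r["ip"])
            continue
        if r["event"] != "suspicious_login":
            continue
        label = label_ip(r["ip"])
        new_ip = r["ip"] not in prior_ips[r["user"]]
        if label.startswith("corp-"):
            verdict = "likely false positive (known corporate/VPN range); confirm with user"
        elif new_ip:
            verdict = ("investigate: unfamiliar source; verify with user, then reset "
                       "password, revoke sessions and review forwarding rules if unauthorized")
        else:
            verdict = "low: source previously seen for this user; still confirm with user"
        findings.append({"user": r["user"], "time": r["time"].isoformat(), "ip": r["ip"],
                         "ip_label": label, "login_type": r["login_type"],
                         "new_ip": new_ip, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"{f['time']} {f['user']} {f['ip']} [{f['ip_label']}] new_ip={f['new_ip']}: {f['verdict']}")
```

In practice the export would come from the Reports API or the Admin console's log export, and the baseline window should cover more than a couple of days of history; the point of the example is the ordering (build the user's baseline from earlier successes, then judge the flagged event) and the separation of known VPN egress from genuinely unfamiliar sources.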
Known False Positives
- Legitimate users logging in from new locations during travel
- VPN usage causing geographic inconsistencies
- New device or browser being used for the first time