GAT+ serves as a powerful investigation tool, enabling administrators to trace malicious activity, perform blast-radius analysis, and answer critical incident-response questions. This article covers how to investigate an account compromise using GAT+ across four essential areas:<\/p>\n
- \n
- Pinpointing the first suspicious login<\/li>\n
- Determining the total duration of attacker access<\/li>\n
- Tracking key actions performed during the compromise<\/li>\n
- Identifying other users, files, or systems that may be affected<\/li>\n<\/ol>\n
Pinpointing the First Suspicious Login<\/h2>\n
Identifying the exact moment an attacker gained unauthorized access is crucial for establishing an incident timeline. Attackers often utilize compromised credentials from unexpected geographic locations or via known VPN\/proxy networks.<\/span><\/p>\n
Navigate to GAT+ > Audit & Management > Users Logins<\/b>.<\/p>\n
\u00a0
![\"User](\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2026\/06\/2026-06-04-19_48_02-1.png\")
<\/p>\nClick the Apply custom filter<\/b> button to isolate anomalous activity:<\/p>\n
- \n
- Set a filter such as ‘ISO region (from Google) not equal to (Your ISO Region)’ <\/strong>or ‘Country not equal to (Country name)’<\/strong>.<\/li>\n
- Filter by Event equal to ‘OK<\/strong>‘ OR ‘Risky action allowed<\/strong>‘ OR ‘Suspicious login<\/strong>‘\u00a0to see successful logins from these anomalous locations.<\/li>\n
- Look for a cluster of ‘Login failure<\/strong>‘ events immediately followed by a successful login (Event equal to OK<\/strong>), which frequently indicates a successful brute-force or credential-stuffing attempt.<\/li>\n<\/ul>\n
![\"Applying](\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2026\/06\/2026-06-05-16_44_54.png\")
<\/p>\nNote the Date<\/b>, Time<\/b>, IP Address<\/b>, and Location<\/b> of the earliest unauthorized successful login. This marks the starting point of the compromise.<\/p>\n
Determining the Duration of Attacker Access<\/h2>\n
To understand how much time the attacker had to exfiltrate data or alter configurations, you must calculate the window of exposure, the time between the initial entry and the final remediation step.<\/p>\n
Remaining in GAT+ > Audit & Management > Users Logins<\/b>, use the Apply custom filter<\/b> tool to create a filter using the specific malicious IP Address<\/b> or unique Location<\/b> identified during the first suspicious login step.<\/p>\n
![\"Filtering](\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2026\/06\/2026-06-05-14_22_03.png\")
<\/p>\nReview the login events to see all subsequent sessions established by the attacker. The duration of access is defined as the time elapsed from the first successful suspicious login timestamp to the final recorded attacker event, such as a logout.<\/p>\n
![\"User](\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2026\/06\/2026-06-05-14_11_43.png\")
<\/p>\nTracking Key Actions Performed During the Compromise<\/h2>\n
Once inside, attackers typically look to exfiltrate data, establish persistence, or move laterally. GAT+ allows you to audit specific actions taken across Google Drive and Gmail during the window of compromise.<\/span><\/p>\n
We will first check whether the compromised account has set up any email auto-forwarding or email delegate access. Navigate to GAT+ > Audit & Management > <\/b>Users > Email Info <\/strong>and filter for that user’s account.<\/p>\n
![\"Filtering](\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2026\/06\/2026-06-05-14_37_34-1.png\")
<\/p>\nYou can then delete the email delegates for any user by clicking the\u00a0x<\/strong> (1) icon beside the email address. You are also able to delete auto forwarding<\/strong> (2) setup by clicking the dropdown on the right.<\/p>\n
![\"Removing](\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2026\/06\/2026-06-05-14_45_17.png\")
<\/p>\nWe will now check whether the compromised account made any changes to Drive files. In the Drive > Events<\/b> audit area, adjust the date & time to show all files modified or shared during the compromise window.<\/p>\n
![\"Drive](\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2026\/06\/2026-06-05-15_07_35-1.png\")
<\/p>\nIdentifying Other Affected Users, Files, or Systems<\/h2>\n
An investigation is incomplete without understanding the full scale. Attackers often try to reuse credentials across multiple accounts or use a compromised account to infect other systems and files.<\/p>\n
Impact on Other Users<\/h3>\n
Navigate back to GAT+ > Audit & Management > Users Logins<\/b>. Apply a custom filter searching for the malicious IP Address<\/b> identified in your initial discovery. This will allow you to check whether the same IP address attempted or successfully logged in to other<\/i> user accounts across your Google Workspace domain.<\/p>\n
<\/p>\nImpact on Files<\/h3>\n
In the Drive > Events<\/b> audit area, adjust the date & time to show all files modified or shared during the compromise window as shown above in step 3.<\/p>\n
<\/p>\nImpact on Emails<\/h3>\n
In the Email > User Statistics\u00a0<\/strong>audit area, adjust the user (3), date (4), and click ‘Filter data’ (5). This will show results of all emails sent and received for both external and internal users. You can then click any of the numbers below, and this will redirect you to the Emails section to investigate further.<\/p>\n
![\"Email](\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2026\/06\/2026-06-05-15_26_11-2.png\")
<\/p>\nImpact on Applications<\/h3>\n
Navigate to GAT+ > Audit & Management > Applications.\u00a0<\/b>Search for any new third-party applications or OAuth API scopes authorized by the compromised user during the breach window by sorting by ‘Since’ <\/strong>(3).<\/p>\n
![\"Application](\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2026\/06\/2026-06-05-15_12_33.png\")
<\/p>\nAttackers often authorize malicious apps to maintain a backdoor into the workspace, even after their primary login session is terminated. If any unrecognized apps with extensive read\/write permissions are found, ban this application through the GAT+ interface.<\/span><\/p>\n
![\"Creating](\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2026\/06\/2026-06-05-15_19_15.png\")
<\/p>\nRelated Posts<\/h2>\n
- \n
- Set Up Gmail Alerts for Google Workspace Users with GAT+<\/a><\/li>\n
- Alert when 2FA is disabled for any user in your Google domain with GAT+<\/a><\/li>\n
- How to Set Up User Security Alerts with GAT+<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Introduction When a Google Workspace account is suspected of being compromised, security teams must act quickly to determine the scope and impact of the breach. While standard Google alerts provide basic notifications for unusual sign-ins, conducting a thorough forensic investigation requires deeper domain-wide visibility GAT+ serves as a powerful investigation tool, enabling administrators to trace […]<\/p>\n","protected":false},"author":20,"featured_media":4504,"comment_status":"open","ping_status":"closed","template":"","meta":{"footnotes":""},"doc_category":[37,21],"glossaries":[],"doc_tag":[24],"class_list":["post-17171","docs","type-docs","status-publish","has-post-thumbnail","hentry","doc_category-dlp-data-loss-prevention","doc_category-drive-management","doc_tag-gat"],"year_month":"2026-06","word_count":805,"total_views":"15","reactions":{"happy":"0","normal":"0","sad":"0"},"author_info":{"name":"Ryan","author_nicename":"ryan","author_url":"https:\/\/gatlabs.com\/knowledge\/author\/ryan\/"},"doc_category_info":[{"term_name":"DLP (Data Loss Prevention)","term_url":"https:\/\/gatlabs.com\/knowledge\/tech-tips-category\/dlp-data-loss-prevention\/"},{"term_name":"Drive Audit & Management","term_url":"https:\/\/gatlabs.com\/knowledge\/tech-tips-category\/drive-management\/"}],"doc_tag_info":[{"term_name":"GAT+","term_url":"https:\/\/gatlabs.com\/knowledge\/tech-tips-tag\/gat\/"}],"yoast_head":"\n
Investigate Google Workspace Account Compromise with GAT+ - GAT Knowledge Base<\/title>\n<meta name=\"description\" content=\"Trace malicious activity, perform blast-radius analysis, and take critical actions. Investigate an account compromise using GAT+.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Investigate Google Workspace Account Compromise with GAT+\" \/>\n<meta property=\"og:description\" content=\"Trace malicious activity, perform blast-radius analysis, and take critical actions. Investigate an account compromise using GAT+.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/\" \/>\n<meta property=\"og:site_name\" content=\"GAT Knowledge Base\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-08T12:12:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2022\/08\/GAT.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/tech-tips\\\/investigate-google-workspace-account-compromise-with-gat\\\/\",\"url\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/tech-tips\\\/investigate-google-workspace-account-compromise-with-gat\\\/\",\"name\":\"Investigate Google Workspace Account Compromise with GAT+ - GAT Knowledge Base\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/tech-tips\\\/investigate-google-workspace-account-compromise-with-gat\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/tech-tips\\\/investigate-google-workspace-account-compromise-with-gat\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/GAT.jpg\",\"datePublished\":\"2026-06-08T08:29:32+00:00\",\"dateModified\":\"2026-06-08T12:12:30+00:00\",\"description\":\"Trace malicious activity, perform blast-radius analysis, and take critical actions. Investigate an account compromise using GAT+.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/tech-tips\\\/investigate-google-workspace-account-compromise-with-gat\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/tech-tips\\\/investigate-google-workspace-account-compromise-with-gat\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/tech-tips\\\/investigate-google-workspace-account-compromise-with-gat\\\/#primaryimage\",\"url\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/GAT.jpg\",\"contentUrl\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/GAT.jpg\",\"width\":1200,\"height\":600},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/tech-tips\\\/investigate-google-workspace-account-compromise-with-gat\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Tech Tips\",\"item\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/tech-tips\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Investigate Google Workspace Account Compromise with GAT+\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/#website\",\"url\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/\",\"name\":\"GAT Knowledge Base\",\"description\":\"Your source of all things GAT\",\"publisher\":{\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/#organization\",\"name\":\"GAT Labs Knowledge Base\",\"url\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/Group-1159.svg\",\"contentUrl\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/Group-1159.svg\",\"width\":361,\"height\":97,\"caption\":\"GAT Labs Knowledge Base\"},\"image\":{\"@id\":\"https:\\\/\\\/gatlabs.com\\\/knowledge\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Investigate Google Workspace Account Compromise with GAT+ - GAT Knowledge Base","description":"Trace malicious activity, perform blast-radius analysis, and take critical actions. Investigate an account compromise using GAT+.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/","og_locale":"en_GB","og_type":"article","og_title":"Investigate Google Workspace Account Compromise with GAT+","og_description":"Trace malicious activity, perform blast-radius analysis, and take critical actions. Investigate an account compromise using GAT+.","og_url":"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/","og_site_name":"GAT Knowledge Base","article_modified_time":"2026-06-08T12:12:30+00:00","og_image":[{"width":1200,"height":600,"url":"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2022\/08\/GAT.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Estimated reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/","url":"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/","name":"Investigate Google Workspace Account Compromise with GAT+ - GAT Knowledge Base","isPartOf":{"@id":"https:\/\/gatlabs.com\/knowledge\/#website"},"primaryImageOfPage":{"@id":"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/#primaryimage"},"image":{"@id":"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/#primaryimage"},"thumbnailUrl":"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2022\/08\/GAT.jpg","datePublished":"2026-06-08T08:29:32+00:00","dateModified":"2026-06-08T12:12:30+00:00","description":"Trace malicious activity, perform blast-radius analysis, and take critical actions. Investigate an account compromise using GAT+.","breadcrumb":{"@id":"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/#primaryimage","url":"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2022\/08\/GAT.jpg","contentUrl":"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2022\/08\/GAT.jpg","width":1200,"height":600},{"@type":"BreadcrumbList","@id":"https:\/\/gatlabs.com\/knowledge\/tech-tips\/investigate-google-workspace-account-compromise-with-gat\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/gatlabs.com\/knowledge\/"},{"@type":"ListItem","position":2,"name":"Tech Tips","item":"https:\/\/gatlabs.com\/knowledge\/tech-tips\/"},{"@type":"ListItem","position":3,"name":"Investigate Google Workspace Account Compromise with GAT+"}]},{"@type":"WebSite","@id":"https:\/\/gatlabs.com\/knowledge\/#website","url":"https:\/\/gatlabs.com\/knowledge\/","name":"GAT Knowledge Base","description":"Your source of all things GAT","publisher":{"@id":"https:\/\/gatlabs.com\/knowledge\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/gatlabs.com\/knowledge\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/gatlabs.com\/knowledge\/#organization","name":"GAT Labs Knowledge Base","url":"https:\/\/gatlabs.com\/knowledge\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/gatlabs.com\/knowledge\/#\/schema\/logo\/image\/","url":"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2021\/11\/Group-1159.svg","contentUrl":"https:\/\/gatlabs.com\/knowledge\/wp-content\/uploads\/2021\/11\/Group-1159.svg","width":361,"height":97,"caption":"GAT Labs Knowledge Base"},"image":{"@id":"https:\/\/gatlabs.com\/knowledge\/#\/schema\/logo\/image\/"}}]}},"knowledge_base_info":[],"knowledge_base_slug":[],"_links":{"self":[{"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/docs\/17171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/comments?post=17171"}],"version-history":[{"count":11,"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/docs\/17171\/revisions"}],"predecessor-version":[{"id":17269,"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/docs\/17171\/revisions\/17269"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/media\/4504"}],"wp:attachment":[{"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/media?parent=17171"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/doc_category?post=17171"},{"taxonomy":"glossaries","embeddable":true,"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/glossaries?post=17171"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/gatlabs.com\/knowledge\/wp-json\/wp\/v2\/doc_tag?post=17171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} - Alert when 2FA is disabled for any user in your Google domain with GAT+<\/a><\/li>\n
- Filter by Event equal to ‘OK<\/strong>‘ OR ‘Risky action allowed<\/strong>‘ OR ‘Suspicious login<\/strong>‘\u00a0to see successful logins from these anomalous locations.<\/li>\n
- Set a filter such as ‘ISO region (from Google) not equal to (Your ISO Region)’ <\/strong>or ‘Country not equal to (Country name)’<\/strong>.<\/li>\n