As a Google Workspace administrator, you can use email alerts to notify you if users are signed out due to suspicious session cookies. Cookie theft, also called session hijacking, is the theft of a user’s session ID from the cookies generated when they sign in to their account. Whenever a suspicious session cookie is detected, the session is terminated, and the user is logged out of their account for that session and any related suspicious sessions on that device.
When the user attempts to sign in again on the same device, they see a message prompting them to remove malware or unsafe software. The user must also provide an extra verification step when signing back into the account on the device.
Using the security investigation tool (SIT) or the audit and investigation tool, you can identify attempts to hijack user accounts via session cookies in your organization.
Step 1: Start your investigation
Option 1: Investigate suspicious session cookies in SIT
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Security center > Investigation tool.
- From the Data source menu, select User log events.
- From the Add Condition menu, select Event, and make sure the condition is set to Is (the default option).
- From the Event menu, select User signed out due to suspicious session cookie.
- Click Search.
The search results are displayed at the bottom of the page.
Option 2: Investigate suspicious session cookies in the audit and investigation page
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Reporting > Audit and investigation > User log events.
- Click Add a filter, and then select Event.
- In the pop-up window, make sure the operator in the top menu is set to Is (the default option), select User signed out due to suspicious session cookie from the lower menu, and click Apply.
- Click Search.
The logs are displayed at the bottom of the page.
Step 2: Take action
In the Description column, click Suspicious session cookie to open the Log details pane. If it says True in the Is suspicious row, help the affected users complete the steps to Remove malware or unsafe software.
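When the search returns many rows, opening each Log details pane by hand is slow. The following added example (not part of the original page and not Google's code) builds the follow-up list from a CSV export of the results. The column names `Date`, `Event`, `Actor` and `Is suspicious` and the sample rows are assumptions constructed for illustration; adjust them to match the header row of your own export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Event name exactly as shown in the Event menu on this page.
EVENT = "User signed out due to suspicious session cookie"

# Constructed sample export. Column names and rows are assumptions,
# not the documented export format.
SAMPLE_EXPORT = """Date,Event,Actor,Is suspicious
2024-05-02T09:14:00Z,User signed out due to suspicious session cookie,alice@example.com,True
2024-05-02T09:20:00Z,Some other event,alice@example.com,
2024-05-03T11:02:00Z,User signed out due to suspicious session cookie,bob@example.com,False
2024-05-04T16:45:00Z,User signed out due to suspicious session cookie,alice@example.com,True
2024-05-05T08:30:00Z,User signed out due to suspicious session cookie,Carol@Example.com,true
"""


def affected_users(export_text):
    """Return [(user, sign_out_count, latest_timestamp)] for suspicious sign-outs."""
    per_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        # Keep only the sign-out event this page investigates.
        if row["Event"].strip() != EVENT:
            continue
        # Step 2: act only on rows where "Is suspicious" is True.
        if row["Is suspicious"].strip().lower() != "true":
            continue
        when = datetime.fromisoformat(row["Date"].strip().replace("Z", "+00:00"))
        # Normalise address case so one user is not counted twice.
        per_user[row["Actor"].strip().lower()].append(when)
    summary = [(user, len(times), max(times)) for user, times in per_user.items()]
    # Most recent sign-out first, so the freshest cases are handled first.
    return sorted(summary, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for user, count, latest in affected_users(SAMPLE_EXPORT):
        print(f"{user}: {count} sign-out(s), latest {latest.isoformat()}")
```

A user who appears repeatedly was signed out more than once for a suspicious session cookie, which makes them a natural first case for the Remove malware or unsafe software steps.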
Secure compromised accounts
If you suspect that an account may be compromised or hijacked, as an administrator you can ensure that your users' accounts are secure. Work with affected users to Identify and secure compromised accounts.