Investigate and take action on suspicious session cookies

As a Google Workspace administrator, you can use email alerts to notify you if users are signed out due to suspicious session cookies. Cookie theft hijacking, or session hijacking, is stealing a user’s session ID using cookies generated when they sign in to their account. Whenever a suspicious session cookie is detected, the session is terminated, and the user is logged out of their account for that session and any related suspicious sessions on that device. 

When the user attempts to re-sign in on the same device, they see a message prompting them to remove malware or unsafe software. The user must also provide an extra verification step when signing back into the account on the device.

Using the security investigation tool (SIT) or the audit and investigation tool, you can identify attempts to hijack user accounts via session cookies in your organization.

Step 1: Start your investigation

Option 1: Investigate suspicious session cookies in SIT

Supported editions for the User log events data source in the investigation tool:
Enterprise Plus, Education Plus, Cloud Identity Premium, Enterprise Standard, Education Standard

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenSecurity centerand thenInvestigation tool.
  3. From the Data source menu, select User log events.
  4. From the Add Condition menu, select Event, and make sure the condition is set to Is (the default option).
  5. From the Event menu, select User signed out due to suspicious session cookie
  6. Click Search
    The search results are displayed at the bottom of the page.

Option 2: Investigate suspicious session cookies in the audit and investigation page

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Reportingand thenAudit and investigationand thenUser log events.
  3. Click Add a filter, and then select Event.
  4. In the pop-up window, make sure the operator in the top menu is set to Is (the default option), select User signed out due to suspicious session cookie from the lower menu and click Apply.
  5. Click Search
    The logs are displayed at the bottom of the page. 

Step 2: Take action

In the Description column, click Suspicious session cookie to open the Log details pane. If it says True in the Is suspicious row, help the affected users complete the steps to Remove malware or unsafe software.

Secure compromised accounts

If you suspect that an account may be compromised or hijacked, as an administrator you can ensure that your users' accounts are secure. Work with affected users to Identify and secure compromised accounts.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu