Duet AI is now Gemini for Google Workspace. Learn more

Investigate reports of malicious emails

Security investigation tool

As an administrator, you might become aware of a malicious email that several users in your organization have received.

Using the investigation tool, you can identify all users in your domain that have received the message (for example, a phishing email). You can then use the investigation tool to delete the email from your users' Gmail inboxes (note that log data might take up to a few minutes to become available in the investigation tool).

You can also use the investigation tool to take other actions, such as marking an email as spam or phishing or sending it to the user's inbox.

Your access to the security investigation tool

  • The security investigation tool requires a premium Google Workspace edition (Enterprise Standard, Enterprise Plus, or Education Plus).
  • You can access logs using the Chrome browser for the Google apps you have installed. For example, Gmail.
  • Your ability to run a search in the investigation tool depends on your Google edition, your administrative privileges, and the data source. If you're unable to run a search in the investigation tool for a specific data source, you can use the audit and investigation page instead. 
  • You can run a search in the investigation tool on all users, regardless of the Google edition they have.

Note: Some features in the security investigation tool—for example, data related to Gmail and Drive—are not available with Cloud Identity Premium or Enterprise Standard editions. For details see Data sources in the investigation tool.

Find and delete malicious emails

1. Get started with your investigation
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu and then Securityand thenSecurity centerand thenInvestigation tool.
  3. Click Data source and select Gmail log events.
  4. Click Add Condition.
  5. Click Attributeand thenTo (Envelope).
  6. Click Containsand thenIs.
  7. For To (Envelope), enter the username that received the malicious email—for example,
  8. Click Add Condition.
  9.  Click Attributeand then Subject and make sure the condition is set to Contains (the default option).
  10. For Subject, enter words that match the subject of the malicious email—for example, Dancing Santa.
    The words in your search don't need to be an exact match of the email's subject.
  11. Click Add Condition.
  12. For Condition, click Date.
  13. Change the condition to After.
  14. For Date, enter the earliest date and time when the suspicious email was received by your users.
  15. Click Search.
2. View and export the search results

After you finish the above steps, the search results display in a table at the bottom of the page. The table shows the date and time the message was sent, the message ID, the subject, the sender's email address, and the recipient's email address.

To export these search results to your My Drive folder, click Export all at the top of the table. 

For more details, see View search results in the investigation tool.

3. Search for other users that may have received the malicious email
  1. To remove the Recipient condition from the above search criteria, click. Your search will then include only the Subject and Date criteria.
  2. To search for other users that may have received the malicious email, click Search.

    The search results are displayed in a table at the bottom of the page. Similar to the search results in step 1 above, the table displays the date and time the message was sent, the message ID, the subject, the event type, and the sender's email address. However, the results also include the email addresses of other users in your organization that received the malicious email.
  3. To export these search results to your My Drive folder, click the Export icon at the top of the table. 
4. Delete the malicious emails from your users' inboxes
  1. In the table at the bottom of the investigation tool, click the checkbox to select all. This automatically checks each box in the current page of the search results.
  2. From the Actions menu, click Delete messages.
  3. Type in a justification for the deletion task for example, “Suspected malicious emails,” 
  4. Click Delete.

    This action deletes messages from users’ inboxes that match the message ID and owner, either sender or receiver depending on the event type, corresponding to the selected Gmail log events. Erased messages will still be subject to any applicable retention rules and holds set in Vault (for more details about retention rules and holds, see the Vault Help Center). 

Note: In addition to erasing an email, you also have the option to take other actions such as marking the email as spam, marking it as phishing, or sending to the user's inbox.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu