Duet AI is now Gemini for Google Workspace. Learn more

Suspicious attachments report

Security dashboard

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition

From this report, you can view the number of messages with suspicious attachments. Attachments that use rare and anomalous filetypes, or attachments from untrusted senders that are either encrypted or contain scripts, pose a higher risk of malicious content.

Note:  Untrusted senders are senders with no prior history with the recipient, or that have a low sender reputation.

View the suspicious attachments report

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu and then Securityand thenSecurity centerand thenDashboard.
  3. In the bottom-right corner of the Suspicious attachments panel, click View Report.

Suspicious attachments graph

This graph shows messages broken down as follows:

  • Encrypted—Number of messages with encrypted attachments. Encrypted attachments cannot be scanned for malware.
  • Contain scripts—Number of messages that contain scripts. Certain documents contain malicious scripts that can harm your devices.
  • Anomalous—Number of messages with anomalous attachments. Attachment types that are uncommon for your domain may be used to hide malicious content.

Note: You can hide lines in the graph by clicking on the legend. For example, click Contain scripts to hide this data. This is especially useful if one line overlaps another.

Using the drop-down menus above the graph, you also customize the graph to provide details only about certain types of messages:

Filter Description

Classification: All, Clean, Spam, Phishing, Malware, Suspicious

All—Include all messages.
Clean—Include only messages marked as clean by the Google spam filter.
Spam—Include only messages marked as spam by the Google spam filter.
Malware--Include only messages marked as malware.
Phishing—Include only messages marked as phishing.
Suspicious—Include only messages marked as suspicious.

Domain Choose the domain for your report.
Date range

Customize the report to view data from Today, Yesterday, This week, Last week, This month, Last month, or Days ago (up to 180 days); or enter a Start date and End date. Click Apply after you set the date range.

Note: For this report, data is displayed only for the last 31 days. For example, if you set the parameters for up to 60 days, the data in the report is cut off at 31 days.

To generate a spreadsheet with the graph’s data, click Export Sheet. A spreadsheet corresponding to the data in the graph will be generated and saved to your My Drive folder.

Compare current and historical data

To compare the current data to historical data, in the top right, from the Statistical analysis menu, select Percentile (not available for all Security dashboard charts). You’ll see an overlay on the chart to show the 10th, 50th, and 90th percentile of historical data (180 days for most data and 30 days for Gmail data). Then, to change the analysis, at the top right of the chart, use the menu to change the overlay line.

Suspicious attachments table

To view more details about suspicious attachments on specific dates, click any data point in the graph. For example, you can view data for this report by Subject, Recipient, Sender, IP address, and more.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu