Understand alert types

The alert center includes the alert types described in the sections below.

Start an investigation

If you're a G Suite Enterprise administrator, you can start an investigation based on an alert. Click one of the magnifying glass icons on the far-right side of the Alert center page. Or, from the details page, click INVESTIGATE ALERT. You can then use the investigation tool to take action—for example, to wipe a device or suspend a user. For instructions, see Start an investigation.

About timezones

The alert center doesn’t display timezone details. Times in the alert center are formatted to your Google Admin console timezone preference.

Device compromised

The Device compromised alert provides details about devices in your domain that have entered a compromised state. A device is considered compromised if it's rooted (for Android devices), if it's jailbroken (for iOS devices), or if it experiences an unusual state change.

From the Alert details page, you can view important details about this alert—including an alert summary, the date and time of the alert, the device owner, and details about the affected device. 

Suspicious device activity

If a device property is updated—for example, the device ID, serial number, type of device, or device manufacturer—it's considered suspicious device activity. The Suspicious device activity alert provides details about such a security event. 

From the Alert details page, you can view important details about this alert—including an alert summary, the date and time of the event, the device owner, details about the affected device, and descriptions of the device property updates.

User-reported phishing

A spike in user-reported phishing emails could mean that your domain is experiencing a phishing attack. The User-reported phishing alert provides details about such a security event. 

From the Alert details page, you can view important details about this alert—including an alert summary, the date and time of the event, the sender, the total number of user reports with links to a few samples, and the list of recipients that are affected.

The alert summary provides a quick overview of the event, including the number of messages in your domain that were reported as phishing, and the number of recipients. Using the details from this alert, you can take action to block the sender.

Phishing in inboxes due to bad whitelist

Messages classified as spam by Gmail filters might be delivered to user inboxes due to whitelisting settings in the Google Admin console that override the spam filters. As a result, users in your organization might receive malicious content. The Phishing in inboxes due to bad whitelist alert provides details about such a security event. 

From the Alert details page, you can view important details about this alert—including an alert summary, the date and time of the event, the sender, the source IP, the whitelist type, the number of message delivery events, and the list of recipients that are affected. Using the details from this alert, you can take action to block the sender.

Google Operations

The Google Operations alert provides details about security and privacy issues that are affecting your organization's G Suite services. 

From the Alert details page, you can view important details about this alert—including an alert summary, start date, end date, and a list of users that were affected. If available, you can also download attachments with any additional details about the alert. Additionally, G Suite Enterprise customers can link to the security investigation tool to investigate the alert.

The alert summary includes a message with details about the issue. This summary might include one short paragraph or a few paragraphs, depending on the nature of the event and the amount of information that's currently available.

Spike in user reported spam

This alert indicates that an unusually high volume of messages from an external sender has been marked as spam by users in your domain.

For instructions on blocking this sender, see Blocked senders setting. To find similar messages that users may not have reported, to reclassify messages, and to remove these messages from user inboxes, go to the investigation tool (for instructions, see Take action based on search results).

Suspicious message reported

This alert indicates that an external sender has sent messages to your domain that users have classified as spam.

For instructions on blocking this sender, see Blocked senders setting. To find similar messages that users may not have reported, to reclassify messages, and to remove these messages from user inboxes, go to the investigation tool (for instructions, see Take action based on search results).

Phishing message detected post-delivery

Unopened messages that are detected as phishing post-delivery are automatically reclassified and removed from the user's inbox. However, if a recipient has opened or otherwise interacted with such a message, it will remain in their inbox until manually removed. It is strongly recommended that all opened phishing messages be removed from user inboxes as soon as possible.

To view which messages users have interacted with and remove them from user inboxes, go to the investigation tool (for instructions, see Take action based on search results). For instructions on blocking this sender, see Blocked senders setting.

Malware message detected post-delivery

Unopened messages that are detected as malware post-delivery are automatically reclassified and removed from the user's inbox. However, if a recipient has opened or otherwise interacted with such a message, it will remain in their inbox until manually removed. It is strongly recommended that all opened malware messages be removed from user inboxes as soon as possible.

To view which messages users have interacted with and remove them from user inboxes, go to the investigation tool (for instructions, see Take action based on search results). For instructions on blocking this sender, see Blocked senders setting.

Government-backed attack warning

With this alert, administrators receive warnings about potential government-backed attacks. For example, in rare instances, government-backed attackers may try to steal a user's password within your organization.

To further improve the security in your organization, we highly recommend that you enforce 2-step verification for the domain, and security keys for your users.

Suspicious login

Google considers login activity suspicious if there's a sign-in attempt that doesn't match a user's normal behavior, such as a sign-in from an unusual location, or if an unauthorized person may have attempted to access a user's account. 

In most cases, before we send you an alert, we'll show the user a login challenge. If the user fails or abandons the challenge, we'll send you a suspicious login alert.

We recommend suspending this user until you've gone through these security steps. You can suspend the user from their settings page, or by using the investigation tool.

You can restore the user and reset their password once you've determined it's safe to do so. We recommend having the user go through the Gmail security checklist. Enabling 2-step verification for the domain and enforcing security keys for your users is strongly recommended.

Suspicious login from a less secure app

To help keep Google Accounts (through work, school, or other groups) more secure, Google blocks less secure apps from using the accounts. However, if the Allow less secure apps setting has been overridden, logins through less secure apps are still permitted.

We recommend suspending this user until you've gone through these security steps. You can suspend the user from their settings page, or by using the investigation tool.

You can restore the user and reset their password once you've determined it's safe to do so. We recommend having the user go through the Gmail security checklist. Enabling 2-step verification for the domain and enforcing security keys for your users is strongly recommended.

User suspended

When Google detects suspicious activity that suggests an account has been compromised, we proactively suspend the affected user's account. 

As a G Suite administrator, you can also suspend users from their settings page, or by using the investigation tool.

You can restore the user and reset their password once you've determined it's safe to do so. Before restoring a user, we recommend that you follow these security steps. 

We also recommend having the user go through the Gmail security checklist. Enabling 2-step verification for the domain and enforcing security keys for your users is strongly recommended.

Leaked password

When Google detects compromised credentials, we require a reset of the user's password before the user can sign in again.

Common causes of password theft are viruses, user responses to phishing emails, or the use of the same password on many different websites, of which one or more have been compromised by attackers. 

We recommend resetting the user's password, and checking to see if their account has been compromised. We also recommend having the user go through the Gmail security checklist.

User suspended due to suspicious activity

This is a generic alert that lets you know that a user has been suspended due to suspicious activity. You can follow up with the user or contact Google support to get more information.

User suspended for spamming

When Google detects suspicious activity that suggests an account compromise, such as evidence that a user is sending spam, we proactively suspend the affected user's account.

We recommend going through these security steps before reenabling the affected user.

You can restore the user and reset their password once you've determined it's safe to do so. We recommend having the user go through the Gmail security checklist. Enabling 2-step verification for the domain and enforcing security keys for your users is strongly recommended.

User suspended for spamming through relay

When Google detects suspicious activity that suggests an account compromise, such as evidence that a user is sending spam through the SMTP relay service, we proactively suspend the affected user's account.

You can restore the account once you have resolved the issue with relay spam. During the suspension period, the user won't be able to sign in to Google services, or send email via this account, but we will continue to deliver incoming email as normal.

Domain data export initiated

The Domain data export initiated alert provides details about a super administrator for your Google account who has started exporting data from your domain.

Data export typically takes 72 hours or more, depending on the size of your domain. You can see the status of the export in the Data Export tool. For more information about the Data Export tool, see Export your organization’s data.

From the Alert details page, you can view important details about this alert—including an alert summary, the date and time of the alert, and the actor (the user who initiated the data export).
