Investigate and take action on suspicious session cookies

    As a Google Workspace administrator, you can use email alerts to notify you if users are signed out due to suspicious session cookies. Cookie theft hijacking, or session hijacking, is stealing a user’s session ID using cookies generated when they sign in to their account. Whenever a suspicious session cookie is detected, the session is terminated, and the user is logged out of their account for that session and any related suspicious sessions on that device. 

    When the user attempts to re-sign in on the same device, they see a message prompting them to remove malware or unsafe software. The user must also provide an extra verification step when signing back into the account on the device.

    Using the security investigation tool (SIT) or the audit and investigation tool, you can identify attempts to hijack user accounts via session cookies in your organization.

    Step 1: Start your investigation

    Option 1: Investigate suspicious session cookies in SIT

    Supported editions for this feature: Frontline Standard and Frontline Plus ; Enterprise Standard and Enterprise Plus ; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition
    1. Sign in with an administrator account to the Google Admin console.

      If you aren’t using an administrator account, you can’t access the Admin console.

    2. Go to Menu  Security > Security center > Investigation tool .

      Requires having the Security center administrator privilege.

    3. From the Data sourcemenu, select User log events.
    4. From the Add Condition menu, select Event, and make sure the condition is set to Is(the default option).
    5. From the Eventmenu, select User signed out due to suspicious session cookie
    6. Click Search
      The search results are displayed at the bottom of the page.

    Option 2: Investigate suspicious session cookies in the audit and investigation page

    1. Sign in with an administrator account to the Google Admin console.

      If you aren’t using an administrator account, you can’t access the Admin console.

    2. Go to Menu  Reporting > Audit and investigation > User log events .

      Requires having the Audit & Investigation administrator privilege.

    3. Click Add a filter, and then select Event.
    4. In the pop-up window, make sure the operator in the top menu is set to Is(the default option), select User signed out due to suspicious session cookiefrom the lower menu and click Apply.
    5. Click Search
      The logs are displayed at the bottom of the page. 

    Step 2: Take action

    In the Descriptioncolumn, click Suspicious session cookieto open the Log detailspanel. Each log shows an affected user. Work with the affected users and complete the steps to Remove malware or unsafe software .

    Secure compromised accounts

    If you suspect that an account may be compromised or hijacked, as an administrator you can ensure that your users' accounts are secure. Work with affected users to Identify and secure compromised accounts .

    Was this helpful?

    How can we improve it?

    Need more help?

    Try these next steps:

    Post to the help community Get answers from community members
    Contact us Tell us more and we’ll help you get there
    true
    Start your free 14-day trial today

    Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today .

    Enable Dark Mode
    Search
    Clear search
    Close search
    Google apps
    Main menu
    12447059832271442121
    true
    Search Help Center
    false
    true
    true
    true
    true
    true
    73010
    false
    false
    false
    false
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: