Suspicious Login Attempt notifications - having trouble finding a definitive answer

1231 views
Skip to first unread message

Brian D

unread,
Sep 23, 2016, 10:11:42 AM9/23/16
to Google Apps K12 Technical Forum
Do you happen to know what the triggers are for an email alert like this?  I know that one is a login from a new or unusual location.  We are mainly interested in knowing if this alert means that the account was successfully logged into or if this is just a suspicious login attempt.  I can't seem to get a good handle on this or to find a reputable source for an answer...just a lot of guessing.

Weird part - this alert was triggered for an account that is suspended in our admin console.  That's just weird to us and it leads us to believe that this is just a login attempt.  We confirmed that the last successful login to this account, as reported by the admin console stats for this user, was more than a year ago.

Thank you,
brian


Hi,

This is to inform you that Google has detected a suspicious login for #USER# in your domain #DOMAIN#, on Thursday, September 22, 2016 at 10:00:21 PM Central Daylight Time. The details are: 

User: #USER#
IP from which the login attempt was detected: 69.245.189.249
Location: #LOCATION# United States
Time: Thursday, September 22, 2016 at 10:00:21 PM Central Daylight Time
Service: Gmail
Domain from where the login was detected (rDNS): #NUMBERSANDSUCH#.comcast.net.

ACTIONS REQUIRED

Please follow these instructions:

http://support.google.com/a/bin/answer.py?hl=en&hlrm=en&answer=2984349 

Regards,
Google Apps team

Sue Ellingson

unread,
Sep 30, 2016, 5:32:40 PM9/30/16
to Google Apps K12 Technical Forum
Have you learned anything new about this?  I just received a like message for a former employee's account that has been suspended for quite a while now.  

Nic Finelli

unread,
Oct 19, 2016, 4:24:48 PM10/19/16
to Google Apps K12 Technical Forum
It is possible the user just skipped or ignored the login challenge since their login had been inactive or suspended or from a new location not typical.  See here - https://support.google.com/a/answer/6002699?hl=en

Sue Ellingson

unread,
Oct 19, 2016, 4:49:14 PM10/19/16
to Google Apps K12 Technical Forum
It's just odd - this user account has been disabled for well over a year.  There were no entries for a failed login for his account in the reports section of the admin console, so it does make you wonder.

gminkus

unread,
Oct 20, 2016, 5:10:48 PM10/20/16
to Google Apps K12 Technical Forum
I've been getting them, too. Just for 3 or 4 of my suspended accounts. But the same ones everyday.

Mike Chappell

unread,
Oct 23, 2016, 7:29:06 AM10/23/16
to Google Apps K12 Technical Forum
Funny, I was coming here to post this exact issue.  Same as everyone else, same three or four suspended accounts, alerts every day.  


On Friday, September 23, 2016 at 10:11:42 AM UTC-4, Brian D wrote:

Brian D

unread,
Oct 25, 2016, 8:14:36 AM10/25/16
to Google Apps K12 Technical Forum
Contacted Google Support about this.  Here's what we got:

  • Mauricio

  • Thank you. The alerts it is triggered if a suspicious log in was made or the account was accessed from a non familiar location or IP and unknown devices. For the attempts it will be triggered if the password was entered incorrectly several times and if the log in failed from a non familiar location or IP and unknown devices.

Sue Ellingson

unread,
Oct 25, 2016, 5:58:02 PM10/25/16
to Google Apps K12 Technical Forum
Generally, I'd say that makes sense.  But it doesn't explain why I see no failed login attempts in the management console reports.  You would think it would log it as a failed attempt. 

Shane Hannant

unread,
Oct 25, 2016, 8:26:15 PM10/25/16
to Sue Ellingson, Google Apps K12 Technical Forum
Hi,
As Brian, has stated above from Google support it would have been a successful login. I would also suggest contacting Google support.
One other thing to try is reset the cookies for the suspended users. Here is how to, https://support.google.com/a/answer/178854?hl=en
Thanks

Shane Hannant • IT Officer - Systems
p: 07 4132 7554  • w: www.stlukes.qld.edu.au
4 Mezger Street • Bundaberg Qld 4670


--
--
You received this message because you are subscribed to the Google
Groups "Google Apps K12 Technical Forum" group.
To post to this group, send email to k12ap...@googlegroups.com
To unsubscribe from this group, send email to
k12appstech+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/k12appstech?hl=en?hl=en

---
You received this message because you are subscribed to the Google Groups "Google Apps K12 Technical Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to k12appstech+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sue Ellingson

unread,
Oct 26, 2016, 4:38:22 PM10/26/16
to Google Apps K12 Technical Forum, sue.el...@se-warren.k12.ia.us, shane-...@stlukes.qld.edu.au
Thanks for the info on resetting cookies.  I just did that to cover the bases.  But the reports don't show a successful login for that user either, which you'd expect since it's a suspended account.  I haven't received a notice for about a month now.  I'll contact support if it happens again.

Thanks,
Sue
Reply all
Reply to author
Forward
0 new messages