For users of Google Workspace, MiSecure is providing this playbook to walk through receiving a report of a malicious email, confirming the report, communicating with other affected organizations, removing the malicious email from users’ mailbox if they haven’t deleted themselves.
Steps are included to determine and reverse any changes made to your user’s Google account rules, delegate access, resetting sign-in cookies, revoking connected applications and devices, reviewing logs and finally releasing the user’s account for use again.
The guide is available here – Google Workspace Malicious Email Playbook