
GSuite Government Backed Attack

Panther Rules

Summary
This detection rule identifies potential government-backed attacks targeting GSuite user accounts. It triggers when GSuite's security systems flag a login event as associated with a government-backed threat. The rule keys on the warning indicator that distinguishes such login events from ordinary ones, which lets it surface activity that may precede a broader intrusion. A normal login to the GSuite environment produces a regular success log with no warning; a login event that carries a government-backed attack warning should instead raise an alert. Organizations are encouraged to implement this rule to keep heightened vigilance over user activity, particularly for accounts likely to attract such high-priority threats. They should also engage GSuite support to follow up on the details behind any such alert so that they can respond in a timely and effective manner.
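The detection logic described above, as an added Panther-style example that is not the rule's own source code: a `rule()` that fires only on login-application events carrying the warning, and a `title()` that names the affected account for follow-up. The field names `id.applicationName`, `name` and `actor.email` and the event name `gov_attack_warning` follow Google's login audit log layout and are assumptions here, as are the constructed sample events.

```python
# Added example, not the rule's own source: a Panther-style detection over a
# GSuite Reports-style login event. Field names and the event name
# "gov_attack_warning" follow Google's login audit log layout (assumed).
from typing import Any, Dict

GOV_ATTACK_EVENT = "gov_attack_warning"  # Google login audit event name (assumed)


def _deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; return default if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event: Dict[str, Any]) -> bool:
    """Fire only on login-application events that carry the warning name."""
    if _deep_get(event, "id", "applicationName") != "login":
        return False
    return event.get("name") == GOV_ATTACK_EVENT


def title(event: Dict[str, Any]) -> str:
    """Name the targeted account so the alert can be followed up with GSuite support."""
    actor = _deep_get(event, "actor", "email", default="<unknown user>")
    return f"Google reported a government-backed attack warning for [{actor}]"


# Constructed sample events modelled on the Reports API layout (not real logs).
NORMAL_LOGIN = {
    "id": {"applicationName": "login", "time": "2022-09-02T10:00:00Z"},
    "name": "login_success",
    "actor": {"email": "user@example.com"},
}
GOV_WARNING = {
    "id": {"applicationName": "login", "time": "2022-09-02T10:05:00Z"},
    "name": "gov_attack_warning",
    "actor": {"email": "user@example.com"},
}
DRIVE_EVENT = {  # same event name outside the login application must not fire
    "id": {"applicationName": "drive"},
    "name": "gov_attack_warning",
}

if __name__ == "__main__":
    for ev in (NORMAL_LOGIN, GOV_WARNING, DRIVE_EVENT):
        print(ev["name"], "->", rule(ev))
```

Only the login event carrying the warning name fires; a plain successful login and a same-named event from a different application do not.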
Categories
  • Cloud
  • Infrastructure
Data Sources
  • User Account
  • Application Log
Created: 2022-09-02