GCP Unusual Number of Failed Authentications From Ip

Splunk Security Content

Summary
The detection rule identifies unusual authentication failures within Google Workspace by tracking a single source IP that attempts to log in with multiple valid user accounts. This behavior is indicative of a potential Password Spraying attack, where an attacker tries common passwords against many accounts in hopes of compromising at least one. The rule captures login failure events, counts the distinct accounts attempted from each source IP, computes the average and standard deviation of that count, and applies the 3-sigma rule to highlight significant deviations. If an IP shows an unusually high number of unique accounts failing to authenticate, it triggers an alert. This unsanctioned access behavior is critical to detect, as it may signify that an adversary is trying to gain entry into the system or escalate their privileges. Such incidents could lead to unauthorized access or a more significant data breach within the organization.
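The statistical logic described above, worked through in Python as an added illustration (not Splunk's SPL or the rule's own source): distinct failed accounts are counted per source IP, then any IP more than three sample standard deviations above the mean is flagged. The event shape and all addresses, users and counts are constructed for the example.

```python
import statistics
from collections import defaultdict

SIGMA = 3  # the rule's 3-sigma cutoff


def unique_failed_users_per_ip(events):
    """Count distinct accounts that failed to authenticate from each source IP.
    Only login_failure events count; successes are ignored (constructed event shape)."""
    users = defaultdict(set)
    for e in events:
        if e.get("event_name") == "login_failure":
            users[e["src_ip"]].add(e["user"].lower())
    return {ip: len(u) for ip, u in users.items()}


def spraying_sources(events, sigma=SIGMA):
    """Return (threshold, flagged): flagged maps IP -> distinct-account count for
    every IP more than `sigma` sample standard deviations above the mean."""
    counts = unique_failed_users_per_ip(events)
    if len(counts) < 2:  # a standard deviation needs at least two sources
        return None, {}
    values = list(counts.values())
    mean = statistics.mean(values)
    stdev = statistics.stdev(values)  # sample stdev (assumed to match Splunk's stdev())
    threshold = mean + sigma * stdev
    flagged = {ip: n for ip, n in counts.items() if n > threshold}
    return threshold, flagged


# Constructed sample: 20 workstations with one failed user each, one shared
# machine with two users, and one external IP failing against 25 accounts.
SAMPLE_EVENTS = [
    {"src_ip": f"10.0.0.{i}", "user": f"user{i}@example.com", "event_name": "login_failure"}
    for i in range(1, 21)
]
SAMPLE_EVENTS += [
    {"src_ip": "10.0.0.21", "user": "alice@example.com", "event_name": "login_failure"},
    {"src_ip": "10.0.0.21", "user": "bob@example.com", "event_name": "login_failure"},
    {"src_ip": "10.0.0.21", "user": "Alice@example.com", "event_name": "login_success"},  # ignored
]
SAMPLE_EVENTS += [
    {"src_ip": "198.51.100.7", "user": f"user{i}@example.com", "event_name": "login_failure"}
    for i in range(1, 26)
]
SAMPLE_EVENTS.append(  # repeat against the same account: still one distinct user
    {"src_ip": "198.51.100.7", "user": "user1@example.com", "event_name": "login_failure"}
)

if __name__ == "__main__":
    thr, hits = spraying_sources(SAMPLE_EVENTS)
    print(f"threshold = {thr:.2f}")
    for ip, n in hits.items():
        print(f"ALERT {ip}: {n} distinct accounts failed to authenticate")
```

Because the spraying source contributes to the standard deviation it is measured against, the threshold is only meaningful over a reasonably large population of source IPs; with a handful of sources a single aggressive IP can inflate the deviation enough to hide itself.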
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Storage
  • Application Log
ATT&CK Techniques
  • T1110
  • T1586
  • T1586.003
  • T1110.003
  • T1110.004
Created: 2024-11-14