
Summary
This rule detects phishing messages that impersonate Google Workspace alert notifications. It looks for emails that borrow Google's branding and terminology, including references to the Google admin console, but are sent from non-Google domains while reusing elements common to genuine notifications: background patterns, alert call-to-action phrases, and the overall message structure. Specific conditions filter out legitimate mail from Google and from certain third-party services (such as Atlassian), and exclude routine Google service notifications such as voice-call alerts. Messages are also examined for suspicious links, sender addresses, and content typical of attempts to trick recipients into revealing sensitive information or credentials. The goal is to catch sophisticated phishing campaigns that closely model themselves on official communications, which makes them a significant threat to Google Workspace users.
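As an added illustration (not the rule's own logic, which the page does not show), the following Python approximates the checks described above and runs them over constructed sample messages; the allowlists, phrase patterns and message fields are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Allowlists assumed for this illustration; the rule's real lists are not on the page.
GOOGLE_DOMAINS = ("google.com", "googlemail.com")
THIRD_PARTY_ALLOW = ("atlassian.net", "atlassian.com")
BRAND_TERMS = re.compile(r"google\s+workspace|admin\s+console", re.I)
CTA_PHRASES = re.compile(r"(review|check)\s+(your\s+)?activity|secure\s+(your\s+)?account", re.I)
VOICE_TERMS = re.compile(r"google\s+voice|missed\s+call|voicemail", re.I)

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def under(host: str, roots: tuple) -> bool:  # host equals a root or is a subdomain of it
    return any(host == r or host.endswith("." + r) for r in roots)

def evaluate(msg: dict) -> dict:
    """Return {'match': bool, 'reasons': [...]} for a message dict with keys
    sender, subject, body and links (list of URLs)."""
    sender_domain = domain_of(msg["sender"])
    text = msg["subject"] + "\n" + msg["body"]
    # Exclusions first: genuine Google mail, allowlisted vendors, voice-call notices.
    if under(sender_domain, GOOGLE_DOMAINS + THIRD_PARTY_ALLOW):
        return {"match": False, "reasons": ["sender domain is allowlisted"]}
    if VOICE_TERMS.search(text):
        return {"match": False, "reasons": ["reads like a voice-call notification"]}
    if not BRAND_TERMS.search(text):
        return {"match": False, "reasons": ["no Google Workspace alert branding"]}
    reasons = ["Workspace alert branding from a non-Google sender"]
    if CTA_PHRASES.search(text):
        reasons.append("alert call-to-action phrase")
    # A link whose host is not Google's is the credential-harvesting tell.
    hosts = [(urlparse(u).hostname or "").lower() for u in msg["links"]]
    if any(h and not under(h, GOOGLE_DOMAINS) for h in hosts):
        reasons.append("link to a non-Google host")
    return {"match": len(reasons) >= 2, "reasons": reasons}

# Constructed samples, not real messages.
PHISH = {"sender": "alerts@workspace-notice.example",
         "subject": "Security alert for your Google Workspace admin console",
         "body": "A new sign-in was detected. Review your activity now.",
         "links": ["https://workspace-notice.example/review"]}
LEGIT = dict(PHISH, sender="no-reply@accounts.google.com",
             links=["https://admin.google.com/"])
VENDOR = dict(PHISH, sender="jira@mail.atlassian.net")

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("LEGIT", LEGIT), ("VENDOR", VENDOR)): print(name, evaluate(m))
```

Only the first sample should fire: the same text from a Google or allowlisted vendor address is suppressed by the exclusions before any branding or link check runs.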
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2025-12-03