
Summary
This rule detects emails delivered to a user that have bypassed the organization's spam filters in Google Workspace (GSuite). The implementation focuses on delivery events for emails originating from suspicious domains, such as those known for phishing or spam activity. The rule triggers when an email is delivered with an associated parameter indicating it has likely circumvented spam filtering. It is marked 'Experimental', carries a medium severity classification, and relies on logs categorized as GSuite Activity Events. It alerts on a threshold of one occurrence and uses deduplication parameters to limit event noise over 60-minute periods. The rule has been tested against different email scenarios to confirm accurate detection.
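The detection logic described above, as an added illustration rather than the rule's own code: a filter on Gmail delivery events that carry a spam-bypass parameter, followed by a 60-minute deduplication window keyed on recipient and sender domain. The event field names (`application`, `name`, `parameters`, `spam_filter_status`, `recipient`, `sender_domain`, `time`) and the sample events are constructed for this example and do not reflect the real GSuite Activity Events schema.

```python
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(minutes=60)  # matches the rule's 60-minute dedup period


def is_spam_bypass(event: dict) -> bool:
    """True for a Gmail delivery event whose parameters indicate the message
    skipped spam filtering. Field names here are assumed for illustration."""
    if event.get("application") != "gmail":
        return False
    if event.get("name") != "email_delivered":
        return False
    params = {p["name"]: p["value"] for p in event.get("parameters", [])}
    return params.get("spam_filter_status") == "bypassed"


class Deduper:
    """Suppress repeat alerts for the same key inside the dedup window.
    The window is anchored on the first alerted event, not on suppressed ones."""

    def __init__(self, window: timedelta = DEDUP_WINDOW) -> None:
        self.window = window
        self._last_alert: dict = {}

    def should_alert(self, key, ts: datetime) -> bool:
        last = self._last_alert.get(key)
        if last is not None and ts - last < self.window:
            return False
        self._last_alert[key] = ts
        return True


def run(events: list) -> list:
    """Apply the filter and dedup to a stream of events; return alert records."""
    dedup, alerts = Deduper(), []
    for ev in events:
        if not is_spam_bypass(ev):
            continue
        key = (ev["recipient"], ev["sender_domain"])
        if dedup.should_alert(key, datetime.fromisoformat(ev["time"])):
            alerts.append({"recipient": ev["recipient"], "sender_domain": ev["sender_domain"], "time": ev["time"]})
    return alerts


# Constructed sample events: bypass at 10:00, repeat at 10:30 (suppressed),
# repeat at 11:30 (new alert), a filtered message, and a non-Gmail event.
def _ev(app, name, status, t, rcpt="alice@corp.example", dom="suspicious.example"):
    return {"application": app, "name": name, "time": t, "recipient": rcpt, "sender_domain": dom,
            "parameters": [{"name": "spam_filter_status", "value": status}]}

SAMPLE_EVENTS = [
    _ev("gmail", "email_delivered", "bypassed", "2025-11-18T10:00:00+00:00"),
    _ev("gmail", "email_delivered", "bypassed", "2025-11-18T10:30:00+00:00"),
    _ev("gmail", "email_delivered", "bypassed", "2025-11-18T11:30:00+00:00"),
    _ev("gmail", "email_delivered", "filtered", "2025-11-18T11:35:00+00:00"),
    _ev("drive", "email_delivered", "bypassed", "2025-11-18T11:40:00+00:00"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: the 10:00 event and the 11:30 event, with the 10:30 repeat suppressed by the window.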
Categories
- Cloud
- Web
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1566
Created: 2025-11-18