
Summary
The Gsuite Link Clicked in Spam Email detection rule monitors G Suite Activity Events to identify when a user clicks a link in an email categorized as spam. This is essential for stopping potential phishing attacks early and keeping users within the organization safe. The rule fires when a user interacts with a link from a received spam email, as recorded in the log entries for that event. Its threshold is a single click, which enables fast response to suspicious activity. It examines log parameters such as the sender's domain, the user activity, and the event type to determine whether the link action corresponds to a spam email. The rule is marked as experimental but carries high severity because of the potential risk. It maps to the MITRE ATT&CK techniques for spearphishing via link (T1566.002) and user execution of a malicious link (T1204.001), both relevant to this type of threat.
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Group
- Application Log
ATT&CK Techniques
- T1566.002
- T1204.001
Created: 2025-11-18