
Google Workspace Impossible Travel Login

Elastic Detection Rules

Summary
Detects impossible travel for Google Workspace sign-ins by comparing two successful logins for the same user from geographically distant locations within a 90-minute window. The rule requires a minimum geographic separation of 500 km and an implied travel speed of at least 800 km/h. That is roughly the cruising speed of a commercial airliner with no allowance for airport transit, so a single individual is very unlikely to have physically moved between the two locations in the time between the sign-ins.

The rule leverages Google Workspace login events to compute two measurements: (1) a bounding-box distance between region centroids, which is the primary trigger, and (2) the direct distance between the actual first and last sign-in events, which serves as a triage signal. If the bounding-box distance and the implied speed both meet the thresholds, the alert fires, indicating either a VPN/proxy egress mismatch or a compromised account being accessed from a different location. The detection aggregates by user and region, limits each alert to 2–5 distinct regions to reduce noise, and surfaces contextual fields such as origin countries/regions/cities, ASN/organization, and IP addresses to support investigation.

It maps to MITRE ATT&CK techniques related to Initial Access and Credential Access: T1078 Valid Accounts and its sub-technique T1078.004 Cloud Accounts, T1528 Steal Application Access Token, and T1557 Adversary-in-the-Middle. The rule includes alert suppression by user and provides investigation fields (e.g., user.email) for triage. The accompanying triage workflow covers token revocation, device checks, and cross-referencing related Google Workspace and GCP logs to identify AiTM or token-abuse patterns.

Given its nature, the rule is high-impact for cloud identity protection, but it may produce false positives for users behind geographically distant VPN egress points, regional cellular hops, or mis-resolved geolocation. A first check during triage is whether the ASN/organization of the second sign-in is a known VPN or corporate egress provider; if it is not, treat the account as potentially compromised. The rule's design emphasizes rapid containment and contextual investigation guidance rather than automated remediation.
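The following is an added example, written for this page and not part of Elastic's rule or its ES|QL query. It runs the same impossible-travel logic described above over a handful of constructed Google Workspace login records: sort each user's successful sign-ins by time, look 90 minutes ahead, require 2–5 distinct regions in that window, compute the direct great-circle (haversine) distance between the two sign-ins, derive the implied speed, and raise one alert per user (suppression by user) carrying the origin countries, regions, cities, ASN/org and IPs for triage. The Login field names, the EARTH_RADIUS_KM constant and all sample events (users, coordinates, IPs from documentation ranges, ASN names) are assumptions made for the example; the haversine distance stands in for the rule's bounding-box centroid measurement, so it matches the rule's second, triage-oriented distance rather than its primary trigger.

```python
"""Impossible-travel check over constructed Google Workspace login events.

Added example; not Elastic's rule. Thresholds follow the rule description,
everything else (field names, sample data, Earth radius) is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Thresholds stated by the rule: 500 km, 800 km/h, 90-minute window, 2-5 regions.
MIN_DISTANCE_KM = 500.0
MIN_SPEED_KMH = 800.0
WINDOW = timedelta(minutes=90)
MIN_REGIONS, MAX_REGIONS = 2, 5
EARTH_RADIUS_KM = 6371.0  # assumption: mean Earth radius used by the haversine formula


@dataclass(frozen=True)
class Login:
    """One successful Google Workspace sign-in (field names are assumptions)."""
    user: str
    ts: datetime
    lat: float
    lon: float
    country: str
    region: str
    city: str
    ip: str
    asn_org: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, window=WINDOW, min_km=MIN_DISTANCE_KM, min_kmh=MIN_SPEED_KMH):
    """Return at most one alert per user whose sign-ins imply impossible travel."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, logins in by_user.items():
        logins = sorted(logins, key=lambda e: e.ts)
        hit = None
        for i, first in enumerate(logins):
            # Every sign-in for this user inside the window that starts at `first`.
            in_window = [x for x in logins[i:] if x.ts - first.ts <= window]
            regions = {(x.country, x.region) for x in in_window}
            if not MIN_REGIONS <= len(regions) <= MAX_REGIONS:
                continue  # one region means no travel; too many is noise
            for last in in_window[1:]:
                if (last.country, last.region) == (first.country, first.region):
                    continue
                dist = haversine_km(first.lat, first.lon, last.lat, last.lon)
                hours = (last.ts - first.ts).total_seconds() / 3600
                speed = dist / hours if hours > 0 else float("inf")
                if dist >= min_km and speed >= min_kmh:
                    hit = {
                        "user": user,
                        "first_ts": first.ts.isoformat(),
                        "last_ts": last.ts.isoformat(),
                        "distance_km": round(dist, 1),
                        "speed_kmh": round(speed, 1),
                        "countries": [first.country, last.country],
                        "regions": [first.region, last.region],
                        "cities": [first.city, last.city],
                        "ips": [first.ip, last.ip],
                        "asn_orgs": [first.asn_org, last.asn_org],
                    }
                    break  # suppression by user: first qualifying pair is enough
            if hit:
                break
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events (documentation IP ranges, fictional ASN names).
T0 = datetime(2026, 5, 14, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    # alice: London, then New York one hour later -> ~5570 km at ~5570 km/h (alert)
    Login("alice@example.com", T0, 51.5074, -0.1278, "GB", "England", "London", "203.0.113.10", "ExampleNet"),
    Login("alice@example.com", T0 + timedelta(hours=1), 40.7128, -74.0060, "US", "New York", "New York", "198.51.100.7", "OtherNet"),
    # bob: London, then Paris 30 minutes later -> ~344 km, under the 500 km floor (no alert)
    Login("bob@example.com", T0, 51.5074, -0.1278, "GB", "England", "London", "203.0.113.11", "ExampleNet"),
    Login("bob@example.com", T0 + timedelta(minutes=30), 48.8566, 2.3522, "FR", "Ile-de-France", "Paris", "192.0.2.44", "ParisNet"),
    # carol: London, then New York four hours later -> outside the 90-minute window (no alert)
    Login("carol@example.com", T0, 51.5074, -0.1278, "GB", "England", "London", "203.0.113.12", "ExampleNet"),
    Login("carol@example.com", T0 + timedelta(hours=4), 40.7128, -74.0060, "US", "New York", "New York", "198.51.100.8", "OtherNet"),
    # dave: two IPs in the same region five minutes apart -> only one region (no alert)
    Login("dave@example.com", T0, 51.5074, -0.1278, "GB", "England", "London", "203.0.113.13", "ExampleNet"),
    Login("dave@example.com", T0 + timedelta(minutes=5), 51.5000, -0.1200, "GB", "England", "London", "203.0.113.14", "ExampleNet"),
]


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Only alice fires; bob, carol and dave each exercise one of the rule's suppressing conditions (distance floor, time window, single region). In production the same pair of ASN/org values that the alert carries is the first thing to compare: two corporate or VPN egress providers explain most benign hits, while a consumer ISP paired with a hosting provider is the pattern worth escalating.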
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1528
  • T1557
Created: 2026-05-14