
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
Elastic Detection Rules
Summary
This rule detects access to encryption key files stored in Google Workspace Drive by external, anonymous users. It watches Drive file events in which a file whose extension indicates key material is viewed, copied or downloaded by someone who is not signed in to the tenant, which typically happens when the file was shared through an access link that has no expiration and the link later leaks. The query filters file events on three attributes: the file's visibility setting (shared by link), the acting user's email (empty for anonymous link visitors) and a list of file extensions associated with encryption keys.

The rule carries a risk score of 73 (high): key material exposed this way can be reused by an adversary to impersonate services or decrypt protected data, so a match warrants immediate investigation, and remediation should include revoking the link, rotating the exposed keys and reviewing who else retrieved the file. Documented false positives include legitimate shared access by known collaborators and fetches by automated systems; identify and exclude those sources rather than lowering the rule's severity. The rule runs on data from the Google Workspace integration and ships with a response guide for containing unauthorized access so that sensitive material stays within organizational controls.
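The detection logic described above, as an added example run over constructed audit events. This is not Elastic's rule or query: the field names follow the Elastic Common Schema layout commonly used for the `google_workspace.drive` dataset, the visibility values, the "empty email means anonymous" convention and the extension list are all assumptions made here, and the events are fabricated for the demonstration. The example goes slightly beyond the summary by matching compound suffixes such as `.pem.enc`, which a single-suffix match would miss.

```python
"""Offline reimplementation of the rule's filter: Drive file events, exposing
actions, link-shared visibility, no actor email, key-material extension.
Added example; not Elastic's rule. Field names and value sets are assumptions."""
from typing import Iterable

# Assumed set of extensions treated as encryption key material.
KEY_EXTENSIONS = {"pem", "key", "p12", "pfx", "pgp", "gpg", "asc", "jks",
                  "keystore", "ppk", "pem.enc"}

# Drive actions that expose file content (the summary names view, copy, download).
EXPOSING_ACTIONS = {"view", "copy", "download"}

# Assumed visibility values meaning "anyone holding the link can open it".
LINK_VISIBILITY = {"people_with_link", "public_on_the_web"}

RISK_SCORE = 73  # the score stated in the rule summary


def suffixes(name: str) -> set[str]:
    """All trailing dot-suffixes of a file name, lower-cased.

    'backup.pem.enc' -> {'pem.enc', 'enc'}; 'id_rsa' and '.hidden' -> set().
    Checking every trailing combination catches wrapped keys like .pem.enc.
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return set()
    return {".".join(parts[i:]) for i in range(1, len(parts))}


def is_anonymous(event: dict) -> bool:
    """Assumption: anonymous link visitors are logged without an actor email."""
    return not (event.get("source.user.email") or "").strip()


def matches(event: dict) -> bool:
    """True when the event satisfies every clause of the described filter."""
    return (
        event.get("event.dataset") == "google_workspace.drive"
        and event.get("event.action") in EXPOSING_ACTIONS
        and event.get("google_workspace.drive.visibility") in LINK_VISIBILITY
        and is_anonymous(event)
        and bool(suffixes(event.get("file.name", "")) & KEY_EXTENSIONS)
    )


def detect(events: Iterable[dict]) -> list[dict]:
    """Run the filter over events and emit one alert per matching event."""
    alerts = []
    for ev in events:
        if matches(ev):
            alerts.append({
                "file": ev["file.name"],
                "action": ev["event.action"],
                "visibility": ev["google_workspace.drive.visibility"],
                "risk_score": RISK_SCORE,
            })
    return alerts


# Constructed sample events (not real Workspace audit data).
SAMPLE_EVENTS = [
    {"event.dataset": "google_workspace.drive", "event.action": "download",
     "google_workspace.drive.visibility": "people_with_link",
     "source.user.email": "", "file.name": "deploy/server.key"},          # hit
    {"event.dataset": "google_workspace.drive", "event.action": "view",
     "google_workspace.drive.visibility": "people_with_link",
     "source.user.email": "", "file.name": "quarterly.pdf"},              # not a key
    {"event.dataset": "google_workspace.drive", "event.action": "download",
     "google_workspace.drive.visibility": "people_with_link",
     "source.user.email": "alice@example.com", "file.name": "server.pem"},  # known collaborator
    {"event.dataset": "google_workspace.drive", "event.action": "copy",
     "google_workspace.drive.visibility": "public_on_the_web",
     "source.user.email": "", "file.name": "backup.pem.enc"},             # hit via compound suffix
    {"event.dataset": "google_workspace.drive", "event.action": "download",
     "google_workspace.drive.visibility": "people_with_link",
     "source.user.email": "", "file.name": "id_rsa"},                     # no extension: missed
    {"event.dataset": "google_workspace.login", "event.action": "download",
     "google_workspace.drive.visibility": "people_with_link",
     "source.user.email": "", "file.name": "id.key"},                     # wrong dataset
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The `id_rsa` event shows the rule's blind spot: extension-based matching ignores key files with no suffix at all, so a complementary rule on well-known file names (or a DLP classifier on content) is worth pairing with this one. The collaborator event shows why the email clause matters; that is also where the documented false positives come from, since service accounts and collaborators carry an email and are simply not anonymous.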
Categories
- Cloud
- Web
- Identity Management
Data Sources
- Cloud Storage
- Application Log
- User Account
ATT&CK Techniques
- T1552
- T1552.004
Created: 2023-03-21