
Summary
This rule identifies instances where an Amazon SNS (Simple Notification Service) topic has been subscribed to by an unusual user, especially via email, which can signal malicious activity. Monitoring for subscriptions initiated by identities that do not normally perform this task lets organizations detect early signs of data exfiltration, particularly when external email addresses are involved. The rule uses AWS CloudTrail logs to track subscription events, focusing on SNS actions that use email as the communication protocol. Key investigation steps are verifying the legitimacy of the subscribing user, examining the SNS topic being subscribed to, and confirming that the email endpoint is authorized. If the subscription is confirmed to be unauthorized, immediate remediation, such as cancelling the subscription and reviewing the relevant policies, is advised.
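As an added illustration, not part of this rule or its source, the following Python check applies the rule's logic to constructed CloudTrail records: it keeps only SNS Subscribe events with the email protocol and flags those made by an identity outside a baseline or pointing at a mailbox outside the organization's domains. The CloudTrail field names, the sample records, the allowed domains and the baseline identities are all assumptions.

```python
import json

# Constructed sample CloudTrail records (not real events). The field layout
# (eventSource, eventName, userIdentity.arn, requestParameters.*) is assumed.
SAMPLE_EVENTS = [
    json.dumps({"eventSource": "sns.amazonaws.com", "eventName": "Subscribe",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-tmp"},
                "requestParameters": {"topicArn": "arn:aws:sns:us-east-1:123456789012:billing-reports",
                                      "protocol": "email", "endpoint": "someone@example.net"}}),
    json.dumps({"eventSource": "sns.amazonaws.com", "eventName": "Subscribe",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops-automation"},
                "requestParameters": {"topicArn": "arn:aws:sns:us-east-1:123456789012:alerts",
                                      "protocol": "sqs", "endpoint": "arn:aws:sqs:us-east-1:123456789012:q"}}),
    json.dumps({"eventSource": "sns.amazonaws.com", "eventName": "Subscribe",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops-automation"},
                "requestParameters": {"topicArn": "arn:aws:sns:us-east-1:123456789012:alerts",
                                      "protocol": "email", "endpoint": "oncall@example.com"}}),
]

# Assumed tuning values: the organisation's own mail domains and the identities
# known to subscribe email endpoints as part of their normal duties.
ALLOWED_EMAIL_DOMAINS = {"example.com"}
BASELINE_SUBSCRIBERS = {"arn:aws:iam::123456789012:role/ops-automation"}


def find_suspicious_email_subscriptions(records, allowed_domains=ALLOWED_EMAIL_DOMAINS,
                                        baseline=BASELINE_SUBSCRIBERS):
    """Return one alert per SNS Subscribe event using the email protocol whose
    subscriber is outside the baseline or whose mailbox is outside allowed domains."""
    alerts = []
    for line in records:
        ev = json.loads(line)
        if ev.get("eventSource") != "sns.amazonaws.com" or ev.get("eventName") != "Subscribe":
            continue
        params = ev.get("requestParameters") or {}
        if str(params.get("protocol", "")).lower() != "email":
            continue  # only email endpoints are in scope for this rule
        actor = (ev.get("userIdentity") or {}).get("arn", "")
        endpoint = str(params.get("endpoint", ""))
        domain = endpoint.rsplit("@", 1)[-1].lower() if "@" in endpoint else ""
        reasons = []
        if actor not in baseline:
            reasons.append("subscriber not in baseline")
        if domain not in allowed_domains:
            reasons.append("external email domain")
        if reasons:  # both signals clear -> treat as expected operational use
            alerts.append({"actor": actor, "topic": params.get("topicArn"),
                           "endpoint": endpoint, "reasons": reasons})
    return alerts
```

Each alert carries the actor, topic and endpoint that the investigation steps above ask an analyst to verify.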
Categories
- Cloud
- AWS
- Infrastructure
Data Sources
- Cloud Service
- Network Traffic
- Application Log
- User Account
ATT&CK Techniques
- T1567
Created: 2024-11-01