
Summary
This detection rule identifies potential data exfiltration from a G Suite environment by monitoring outbound emails with attachments that are sent from an internal domain to external domains. The rule selects emails whose sender belongs to the internal domain, requires that the email carry an attachment, and requires that it be addressed to a domain other than the chosen internal domain. It then counts the matching emails for each distinct source email address and keeps only those observations with fewer than 20 outbound email instances; this sparse, attachment-bearing external mail is the unusual behavior that could indicate an insider threat or a compromised account. The approach lets organizations proactively investigate potentially malicious activity that may lead to a data breach, thereby safeguarding sensitive information.
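The following Python is an added illustration written for this page, not the rule's own search logic, which the page does not reproduce. It re-implements the steps the summary describes over a constructed set of Gmail-style events: keep only emails from the internal domain, require an attachment, require at least one external recipient, count per source address, and report senders with fewer than 20 matching emails. The field names (source_user, destination_user, attachment_count), the internal domain internal.example and all sample events are assumptions made for the example.

```python
"""Added example: re-implementation of the detection logic described above.

Not the rule's own search. Field names, the internal domain and the sample
events below are assumptions constructed for illustration.
"""
from collections import Counter

INTERNAL_DOMAIN = "internal.example"  # assumed: the organization's G Suite domain
THRESHOLD = 20  # from the summary: flag sources with fewer than 20 outbound emails

# Constructed sample events in a simplified Gmail-log shape (assumed field names).
SAMPLE_EVENTS = [
    # alice: two outbound emails with attachments to external recipients -> flagged
    {"source_user": "alice@internal.example",
     "destination_user": ["bob.ext@partner.example"], "attachment_count": 1},
    {"source_user": "Alice@Internal.Example",  # mixed case, same sender domain
     "destination_user": ["cfo@internal.example", "drop@mailbox.example"],
     "attachment_count": 3},
    # bob: has an attachment, but every recipient is internal -> ignored
    {"source_user": "bob@internal.example",
     "destination_user": ["alice@internal.example"], "attachment_count": 1},
    # carol: external recipient, but no attachment -> ignored
    {"source_user": "carol@internal.example",
     "destination_user": ["x@partner.example"], "attachment_count": 0},
    # inbound mail from an external sender is not outbound -> ignored
    {"source_user": "vendor@partner.example",
     "destination_user": ["alice@internal.example"], "attachment_count": 2},
] + [
    # dave: bulk sender, 25 outbound attachments -> at or above threshold, not flagged
    {"source_user": "dave@internal.example",
     "destination_user": [f"client{i}@customer.example"], "attachment_count": 1}
    for i in range(25)
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def suspicious_senders(events, internal_domain=INTERNAL_DOMAIN, threshold=THRESHOLD):
    """Apply the rule's filters and return {sender: {"count", "external_domains"}}.

    Only senders whose matching outbound-with-attachment count is below
    `threshold` are returned, mirroring the rule's "fewer than 20" condition.
    """
    internal_domain = internal_domain.lower()
    counts = Counter()
    external_domains = {}

    for event in events:
        sender = event.get("source_user", "").lower()
        # Filter 1: the email must originate from the internal domain.
        if domain_of(sender) != internal_domain:
            continue
        # Filter 2: the email must carry at least one attachment.
        if event.get("attachment_count", 0) <= 0:
            continue
        # Filter 3: at least one recipient must be outside the internal domain.
        externals = {domain_of(r) for r in event.get("destination_user", [])
                     if domain_of(r) and domain_of(r) != internal_domain}
        if not externals:
            continue
        counts[sender] += 1
        external_domains.setdefault(sender, set()).update(externals)

    # Final filter: keep low-volume senders only (count < threshold).
    return {
        sender: {"count": n, "external_domains": sorted(external_domains[sender])}
        for sender, n in counts.items() if n < threshold
    }


if __name__ == "__main__":
    for sender, details in suspicious_senders(SAMPLE_EVENTS).items():
        print(f"{sender}: {details['count']} outbound attachment(s) to "
              f"{', '.join(details['external_domains'])}")
```

Running the block prints only alice, with two matching emails to partner.example and mailbox.example; bob, carol and the inbound vendor mail fail one of the three filters, and dave is excluded by the count threshold.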
Categories
- Cloud
- Web
Data Sources
- Group
- User Account
ATT&CK Techniques
- T1048.003
- T1048
- T1566.001
Created: 2024-11-14