Gsuite Mail forwarded to external domain

Panther Rules

Summary
The GSuite External Mail Forwarding detection rule alerts when a user configures mail forwarding to an external email address. Such a configuration forwards mail from a GSuite user account to an outside domain, which can lead to unauthorized data exfiltration or information leakage. The rule tracks changes to email forwarding settings and generates an alert when those settings are altered to include an external domain address. Detection works by monitoring GSuite activity events, specifically changes to the email forwarding configuration. When a user sets up forwarding to an external address, the rule raises a high-severity alert; its tests validate such configurations, in particular the case where the destination address does not belong to an allowed domain. When forwarding is detected, the recommended response is to investigate why the forwarding was configured and determine whether it aligns with organizational policy. The provided tests simulate various forwarding scenarios to confirm that the rule fires accurately.
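The following is an added example, not Panther's own rule code, showing the shape of such a detection in the Panther rule style (a `rule(event)` predicate plus a `title(event)` for the alert). The event field names (`name`, `parameters.email_forwarding_destination_address`, `actor.email`), the event name values in `FORWARDING_EVENT_NAMES`, the `ALLOWED_DOMAINS` set, and the sample events are all assumptions constructed for illustration; a real deployment would take them from the organization's log schema and domain list.

```python
"""
Illustrative GSuite external-forwarding detection in Panther rule style.
Added example; field names, event names and sample events are assumed,
not taken from Panther's rule or Google's activity log schema.
"""

# Assumed: the organization's own mail domains (subdomains are treated as internal).
ALLOWED_DOMAINS = {"example.com", "corp.example.com"}

# Assumed: activity event names that carry a forwarding-configuration change.
FORWARDING_EVENT_NAMES = {"email_forwarding_out_of_domain", "EMAIL_FORWARDING_CHANGED"}


def _deep_get(obj, *keys, default=None):
    """Walk nested dicts safely; return `default` if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def _domain_of(address):
    """Extract the normalized domain part of an email address, or None if malformed."""
    if not isinstance(address, str) or "@" not in address:
        return None
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_external(address, allowed_domains=ALLOWED_DOMAINS):
    """True when the destination domain is neither an allowed domain nor a subdomain of one.

    A missing or malformed address is not alertable (False); the suffix check uses a
    leading dot so that "example.com.evil.org" is not mistaken for "example.com".
    """
    domain = _domain_of(address)
    if domain is None:
        return False
    allowed = {d.lower() for d in allowed_domains}
    if domain in allowed:
        return False
    return not any(domain.endswith("." + d) for d in allowed)


def rule(event):
    """Panther-style predicate: alert only on forwarding changes to an external domain."""
    if event.get("name") not in FORWARDING_EVENT_NAMES:
        return False
    destination = _deep_get(event, "parameters", "email_forwarding_destination_address")
    return is_external(destination)


def title(event):
    """Panther-style alert title naming the actor and the external destination."""
    actor = _deep_get(event, "actor", "email", default="<unknown user>")
    destination = _deep_get(
        event, "parameters", "email_forwarding_destination_address", default="<unknown>"
    )
    return f"GSuite user [{actor}] set up mail forwarding to external address [{destination}]"


def alerting_titles(events):
    """Run the rule over a batch of events and return titles for those that alert."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events covering the scenarios the rule's tests would exercise.
SAMPLE_EVENTS = [
    {   # external destination -> alert
        "name": "email_forwarding_out_of_domain",
        "actor": {"email": "alice@example.com"},
        "parameters": {"email_forwarding_destination_address": "alice.backup@freemail.example.net"},
    },
    {   # destination on an allowed subdomain -> no alert
        "name": "email_forwarding_out_of_domain",
        "actor": {"email": "bob@example.com"},
        "parameters": {"email_forwarding_destination_address": "Bob@Mail.Example.COM"},
    },
    {   # unrelated event type -> no alert even though the address is external
        "name": "password_changed",
        "actor": {"email": "carol@example.com"},
        "parameters": {"email_forwarding_destination_address": "carol@freemail.example.net"},
    },
    {   # forwarding event without a destination parameter -> no alert
        "name": "EMAIL_FORWARDING_CHANGED",
        "actor": {"email": "dave@example.com"},
        "parameters": {},
    },
]

if __name__ == "__main__":
    for line in alerting_titles(SAMPLE_EVENTS):
        print(line)
```

The suffix check is the part worth getting right: matching on `endswith("example.com")` without the leading dot would treat a look-alike domain ending in the same characters as internal, so the comparison is done against `"." + allowed_domain` after exact-match lookup.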
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1114
Created: 2022-09-02