AWS S3 Object Copied to External Account Bucket

Panther Rules

Summary
This detection rule identifies suspicious copies of S3 objects from a bucket in one AWS account into a bucket owned by a different, external account. Such actions are often associated with data exfiltration or ransomware staging, where an attacker moves sensitive data into an environment they control. The rule uses AWS CloudTrail logs to monitor 'CopyObject' API calls, specifically flagging operations whose destination bucket belongs to a different AWS account. The rule is currently experimental but carries a medium severity level because of the risk that unauthorized data transfers pose. The runbook gives a systematic approach to investigating an alert: review the user's access patterns, known legitimate cross-account interactions, and previous copy events to build a clearer picture and confirm whether the alert reflects malicious behaviour.
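The following is an added illustration of the detection logic described above, written in the shape of a Panther Python rule (`rule(event)` / `title(event)`); it is not the Panther project's own rule code. It runs against constructed CloudTrail-style records embedded below. Two assumptions are made and labelled in the code: that the CloudTrail `resources` list carries the destination bucket's owner in its `accountId` field, and that the caller's `userIdentity.accountId` is the "own" account the destination is compared against. The `KNOWN_PARTNER_ACCOUNTS` allowlist is a hypothetical tuning knob for the legitimate cross-account interactions the runbook tells the analyst to check; the `deep_get` helper stands in for the accessor Panther's event object provides so the block runs offline on plain dicts.

```python
from typing import Any, Optional

# Hypothetical allowlist of account IDs with an approved cross-account data-sharing
# arrangement (constructed value; populate from your own inventory).
KNOWN_PARTNER_ACCOUNTS = {"222222222222"}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; mirrors the role of Panther's event accessor."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def destination_bucket_account(event: dict) -> Optional[str]:
    """Return the owner account of the bucket the object is being copied INTO.

    Assumption: the destination bucket is requestParameters.bucketName, and the
    matching AWS::S3::Bucket entry in 'resources' carries its owner accountId.
    """
    dest_bucket = deep_get(event, "requestParameters", "bucketName")
    if not dest_bucket:
        return None
    for res in event.get("resources") or []:
        if res.get("type") == "AWS::S3::Bucket" and res.get("ARN", "").endswith(f":::{dest_bucket}"):
            return res.get("accountId")
    return None


def rule(event: dict) -> bool:
    """Alert when a CopyObject lands in a bucket owned by an account other than the caller's."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "CopyObject":
        return False
    caller_account = deep_get(event, "userIdentity", "accountId")
    dest_account = destination_bucket_account(event)
    # Incomplete records: without both account IDs we cannot judge, so stay quiet
    # rather than alert on every malformed event (design choice, not Panther's).
    if not caller_account or not dest_account:
        return False
    if dest_account in KNOWN_PARTNER_ACCOUNTS:
        return False
    return caller_account != dest_account


def title(event: dict) -> str:
    """Alert title carrying the facts the runbook asks the analyst to look at first."""
    actor = deep_get(event, "userIdentity", "arn", default="<unknown principal>")
    dest_bucket = deep_get(event, "requestParameters", "bucketName", default="<unknown bucket>")
    return (
        f"S3 object copied by [{actor}] into external bucket [{dest_bucket}] "
        f"owned by account [{destination_bucket_account(event)}]"
    )


def _copy_event(caller_account: str, dest_account: str) -> dict:
    """Build a constructed CloudTrail-like CopyObject record (sample data, not real logs)."""
    return {
        "eventSource": "s3.amazonaws.com",
        "eventName": "CopyObject",
        "userIdentity": {
            "type": "IAMUser",
            "accountId": caller_account,
            "arn": f"arn:aws:iam::{caller_account}:user/alice",
        },
        "recipientAccountId": caller_account,
        "requestParameters": {
            "bucketName": "staging-bucket",
            "key": "exports/customers.csv",
            "x-amz-copy-source": "internal-data-bucket/exports/customers.csv",
        },
        "resources": [
            {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::staging-bucket/exports/customers.csv"},
            {"type": "AWS::S3::Bucket", "accountId": dest_account, "ARN": "arn:aws:s3:::staging-bucket"},
        ],
    }


# Constructed samples: same-account copy, copy into an unrelated account, copy into a partner.
SAME_ACCOUNT_EVENT = _copy_event("111111111111", "111111111111")
CROSS_ACCOUNT_EVENT = _copy_event("111111111111", "999999999999")
PARTNER_ACCOUNT_EVENT = _copy_event("111111111111", "222222222222")

if __name__ == "__main__":
    for name, ev in [("same", SAME_ACCOUNT_EVENT), ("cross", CROSS_ACCOUNT_EVENT), ("partner", PARTNER_ACCOUNT_EVENT)]:
        print(name, rule(ev), title(ev) if rule(ev) else "")
```

Only the cross-account sample fires; the same-account copy and the allowlisted partner copy do not, and a record that is not a `CopyObject` or lacks the bucket owner information is ignored rather than alerted on.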
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Storage
  • User Account
  • Network Traffic
ATT&CK Techniques
  • T1537
  • T1486
Created: 2025-12-10