
Summary
Detects when Google Workspace automatically forwards email to external domains, which can indicate data leakage, misuse, or misconfiguration. The rule watches cloud audit events from login.googleapis.com and triggers on the email_forwarding_out_of_domain event (protoPayload.serviceName: login.googleapis.com, protoPayload.metadata.event.eventName: email_forwarding_out_of_domain). This is relevant for cloud-based email/workflow environments where outbound forwarding could exfiltrate sensitive information.

True positives include configured business workflows; false positives include legitimate or temporarily approved forwarding rules. To investigate, validate the user and rule intent in the Google Admin Console, review the forwarding policy, and check for newly created or modified forwarding addresses, as well as any recent account compromises.

Remediate by adjusting or removing unauthorized forwarding rules, enforcing least privilege, enabling alerting on changes to forwarding settings, and correlating with anomalous sign-ins or device activity. Consider collecting additional telemetry (IP, user agent, login time, geolocation) to determine risk. This rule helps prevent inadvertent or malicious data leakage via external email destinations in Google Workspace.
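The selection above, implemented as a small matcher over Cloud Logging records, as an added example that is not part of the original rule page. Only the two selection fields come from the page; the parameter name email_forwarding_destination_address, the principalEmail/callerIp triage fields, the approved-domain allowlist and the sample records are assumptions constructed for illustration.

```python
import json

# Selection from the rule: serviceName and the nested eventName. Cloud Logging
# may deliver protoPayload.metadata.event as a list or a single object, so
# both shapes are handled. Other field names below are assumed, not from the page.
SERVICE = "login.googleapis.com"
EVENT = "email_forwarding_out_of_domain"
DEST_PARAM = "email_forwarding_destination_address"  # assumed parameter name
APPROVED_DESTINATION_DOMAINS = {"partner.example"}   # constructed allowlist

def _events(record):
    """Return the event objects of a record as a list (handles list or dict)."""
    ev = record.get("protoPayload", {}).get("metadata", {}).get("event", [])
    return ev if isinstance(ev, list) else [ev]

def _param(event, name):
    """Look up a named value in the event's parameter list."""
    for p in event.get("parameter", []):
        if p.get("name") == name:
            return p.get("value")
    return None

def detect_external_forwarding(records, approved=APPROVED_DESTINATION_DOMAINS):
    """Return one finding per out-of-domain forwarding event with triage fields."""
    findings = []
    for rec in records:
        payload = rec.get("protoPayload", {})
        if payload.get("serviceName") != SERVICE:
            continue
        for ev in _events(rec):
            if ev.get("eventName") != EVENT:
                continue
            dest = _param(ev, DEST_PARAM) or ""
            dest_domain = dest.rsplit("@", 1)[-1].lower() if "@" in dest else ""
            findings.append({
                "timestamp": rec.get("timestamp"),
                "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                "source_ip": payload.get("requestMetadata", {}).get("callerIp"),
                "destination": dest,
                "approved": dest_domain in approved,  # flags tolerated rules for triage
            })
    return findings

# Constructed sample audit records (NDJSON), not real telemetry.
SAMPLE_NDJSON = """
{"timestamp":"2026-04-28T09:12:03Z","protoPayload":{"serviceName":"login.googleapis.com","authenticationInfo":{"principalEmail":"alice@corp.example"},"requestMetadata":{"callerIp":"203.0.113.5"},"metadata":{"event":[{"eventName":"email_forwarding_out_of_domain","parameter":[{"name":"email_forwarding_destination_address","value":"alice.home@mail.example"}]}]}}}
{"timestamp":"2026-04-28T09:15:44Z","protoPayload":{"serviceName":"login.googleapis.com","authenticationInfo":{"principalEmail":"bob@corp.example"},"requestMetadata":{"callerIp":"198.51.100.7"},"metadata":{"event":{"eventName":"email_forwarding_out_of_domain","parameter":[{"name":"email_forwarding_destination_address","value":"shared@partner.example"}]}}}}
{"timestamp":"2026-04-28T09:20:00Z","protoPayload":{"serviceName":"login.googleapis.com","authenticationInfo":{"principalEmail":"carol@corp.example"},"metadata":{"event":[{"eventName":"login_success"}]}}}
"""

def run_sample():
    """Parse the constructed NDJSON and run the detection over it."""
    return detect_external_forwarding(json.loads(l) for l in SAMPLE_NDJSON.splitlines() if l.strip())
```

The login_success record is ignored, and the partner.example hit is kept but marked approved so an analyst can separate tolerated rules from the unapproved one.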
Categories
- Cloud
Data Sources
- Cloud Service
Created: 2026-04-28