Malware Detected in Email

Panther Rules

Summary
The detection rule 'Malware Detected in Email' identifies malware found in emails received by users in a GSuite (Gmail) environment. It covers several malware classifications: known malicious programs, viruses, worms, harmful content, and unwanted content. When malware is detected, an alert is generated and its severity is assigned dynamically according to the malware type: malicious programs and viruses produce high-severity alerts, while less harmful content produces lower-severity alerts. The rule is relevant to initial access threats, since it helps organizations reduce the risk posed by malware delivered over email. A runbook accompanies the rule and walks security personnel through the investigation: reviewing the malware type, checking whether the email was quarantined, determining whether the user interacted with the email, and considering blocking the sender's domain if necessary. Relevant references and detection tests are included with the rule. Overall, this detection content supports an organization's defenses against email-borne malware by enabling timely and appropriate responses to potential threats.
Categories
  • Cloud
  • Application
  • Endpoint
  • Identity Management
Data Sources
  • Group
  • User Account
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1566.001
  • T1204.002
Created: 2025-11-18