Google Workspace Government Attack Warning

Summary
This rule detects a Google Workspace login event that Google has flagged as a potential government-backed attack. It relies on Google Cloud Audit Logs (protoPayload) and matches when protoPayload.serviceName equals login.googleapis.com and protoPayload.metadata.event.eventName equals gov_attack_warning. A hit signals possible credential abuse or an initial-access attempt associated with state-sponsored actors.

The rule maps to ATT&CK T1078 (Valid Accounts) and spans multiple tactics (initial-access, persistence, defense-evasion, privilege-escalation, and impact), reflecting how risk propagates from an anomalous login to broader compromise. The detection is marked experimental with medium severity, and its false-positives field is a placeholder set to Unknown.

Operationally, correlate this signal with additional telemetry (unusual geolocation or impossible travel, device anomalies, MFA status, and sign-in risk) to raise confidence. Because the data comes from cloud service logs, the rule complements cloud IAM and federated identity monitoring and should be integrated with broader cloud security analytics so that corroborating evidence is gathered before containment actions are triggered. On a positive signal, candidate actions include auditing the affected Google Workspace accounts, reviewing recent admin activity, enforcing multi-factor authentication, and investigating correlated indicators across cloud and identity platforms.

Limitations: the signal depends on Google's internal risk scoring for gov_attack_warning, and emission can vary across environments, so additional corroboration is needed to avoid misclassification.
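As an added illustration (not the rule's own source and not Sigma project code), the Python below applies the two selection conditions from the summary to constructed Cloud Audit Log lines and extracts the timestamp and principal for triage. The sample entries are constructed; the field paths beyond the two named on the page (timestamp, authenticationInfo.principalEmail, and the list form of metadata.event) are assumed from the standard Cloud Audit Log schema.

```python
import json
from typing import Iterable


def make_entry(ts: str, service: str, principal: str, event_name: str) -> str:
    """Build one constructed Cloud Audit Log line in the shape the rule expects."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "serviceName": service,
            "authenticationInfo": {"principalEmail": principal},
            # Cloud Logging nests Workspace login events as a list under metadata.event
            "metadata": {"event": [{"eventType": "login", "eventName": event_name}]},
        },
    })


# Constructed sample log lines (not real telemetry): one true hit, one benign login,
# one gov_attack_warning under the wrong serviceName that must not match, one malformed line.
SAMPLE_LOG_LINES = [
    make_entry("2024-05-01T10:00:00Z", "login.googleapis.com", "alice@example.com", "gov_attack_warning"),
    make_entry("2024-05-01T10:05:00Z", "login.googleapis.com", "bob@example.com", "login_success"),
    make_entry("2024-05-01T10:06:00Z", "admin.googleapis.com", "carol@example.com", "gov_attack_warning"),
    "{not json",
]


def is_gov_attack_warning(entry: dict) -> bool:
    """Apply the rule's two selection conditions to one parsed log entry."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "login.googleapis.com":
        return False
    events = payload.get("metadata", {}).get("event", [])
    if isinstance(events, dict):  # tolerate a single event object as well as a list
        events = [events]
    return any(e.get("eventName") == "gov_attack_warning" for e in events)


def scan_log_lines(lines: Iterable[str]) -> list[dict]:
    """Return the timestamp and principal for every line that triggers the rule."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than crash the pipeline
        if is_gov_attack_warning(entry):
            auth = entry["protoPayload"].get("authenticationInfo", {})
            hits.append({"timestamp": entry.get("timestamp"), "principal": auth.get("principalEmail")})
    return hits
```

The returned hits are the starting point for the corroboration the summary calls for: join them on the principal against sign-in risk, MFA status and device telemetry before acting.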
Categories
  • Cloud
  • GCP
  • Identity Management
Data Sources
  • Cloud Service
Created: 2026-04-28