GSuite Workspace Gmail Default Routing Rule Modified

Panther Rules

Summary
The rule GSuite.Workspace.GmailDefaultRoutingRuleModified detects modifications to Gmail Default Routing Rules by a Workspace Admin. Such changes can have significant implications for email handling within an organization: a modified routing rule changes email delivery mechanisms, which may be benign or a potential risk depending on the actor's intent. The detection is triggered by specific GSuite Activity Event logs that capture actions such as the creation or deletion of these routing rules. The rule includes specific tests for these actions, and unauthorized changes call for further inspection. The relevant MITRE ATT&CK technique is T1098, which refers to account manipulation that could enable unauthorized access or capabilities.
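A sketch of the matching logic described in the summary, run over constructed events. This is an added example, not the rule's own source: the flattened event shape, the `EMAIL_SETTINGS` / `*_GMAIL_SETTING` / `SETTING_NAME` fields as used here, and the `MESSAGE_SECURITY_RULE` value are assumptions about how the admin audit log represents default routing changes.

```python
from collections import defaultdict

# Assumed SETTING_NAME value for Gmail default routing (not stated on this page).
ROUTING_SETTING = "MESSAGE_SECURITY_RULE"


def is_default_routing_change(event: dict) -> bool:
    """True for an admin-console Gmail setting event that touches default routing."""
    if str(event.get("id", {}).get("applicationName", "")).lower() != "admin":
        return False
    params = event.get("parameters") or {}
    return (
        event.get("type") == "EMAIL_SETTINGS"
        and str(event.get("name", "")).endswith("_GMAIL_SETTING")
        and params.get("SETTING_NAME") == ROUTING_SETTING
    )


def summarize(events: list) -> dict:
    """Map each admin to the routing actions (CREATE/DELETE/CHANGE) they performed."""
    by_actor = defaultdict(list)
    for ev in events:
        if is_default_routing_change(ev):
            actor = ev.get("actor", {}).get("email", "<unknown>")
            by_actor[actor].append(ev["name"].split("_", 1)[0])
    return dict(by_actor)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"id": {"applicationName": "admin"}, "actor": {"email": "admin@example.com"},
     "type": "EMAIL_SETTINGS", "name": "CREATE_GMAIL_SETTING",
     "parameters": {"SETTING_NAME": ROUTING_SETTING}},
    {"id": {"applicationName": "admin"}, "actor": {"email": "admin@example.com"},
     "type": "EMAIL_SETTINGS", "name": "DELETE_GMAIL_SETTING",
     "parameters": {"SETTING_NAME": ROUTING_SETTING}},
    # Same event type but a different (constructed) setting: must not alert.
    {"id": {"applicationName": "admin"}, "actor": {"email": "ops@example.com"},
     "type": "EMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
     "parameters": {"SETTING_NAME": "SOME_OTHER_SETTING"}},
    # Event from a non-admin application: must not alert.
    {"id": {"applicationName": "login"}, "actor": {"email": "user@example.com"},
     "type": "login", "name": "login_success", "parameters": {}},
]

if __name__ == "__main__":
    for actor, actions in summarize(SAMPLE_EVENTS).items():
        print(f"{actor}: default routing rule {', '.join(actions)}")
```

Grouping by actor makes it easy to compare each change against the list of admins expected to manage mail routing.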
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Group
ATT&CK Techniques
  • T1098
Created: 2022-12-15