
Summary
This detection rule identifies instances in which a user downloads or saves an attachment from an email that Gmail has labeled as spam within a G Suite (Google Workspace) environment. The rule fires when a G Suite Activity Event log entry records that an attachment belonging to a spam-classified message was downloaded or saved. Each match raises an alert with severity 'High', so that downloads of spam attachments are flagged for triage and, where warranted, investigation. The rule applies tuned thresholds intended to minimize false positives, and maps its coverage to the MITRE ATT&CK framework, specifically Spearphishing Attachment (T1566.001) and Malicious File (T1204.002). The rule is marked experimental, which allows ongoing adjustment based on test results and real-world observations to maintain accuracy and effectiveness.
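The logic described above, as an added example that is not the rule's own query or the vendor's code: a small Python detector that reads constructed Gmail activity-log lines (NDJSON), keeps only attachment download/save actions, and alerts when the message carries a spam label. The field names (event_type, actor, labels, attachment, message_id) and the action values are assumptions made for this example and must be mapped to the real G Suite Activity Event schema your pipeline ingests.

```python
import json
from dataclasses import dataclass

# Constructed sample log lines in an assumed Gmail activity-log shape (NDJSON).
# The schema is an assumption for this example, not the real Google Workspace
# format. One line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG_LINES = """
{"time": "2025-11-18T09:12:03Z", "actor": "alice@example.com", "event_type": "attachment_download", "message_id": "m-1001", "labels": ["INBOX", "SPAM"], "attachment": "invoice.zip"}
{"time": "2025-11-18T09:13:10Z", "actor": "bob@example.com", "event_type": "attachment_download", "message_id": "m-1002", "labels": ["INBOX"], "attachment": "agenda.pdf"}
{"time": "2025-11-18T09:14:55Z", "actor": "carol@example.com", "event_type": "attachment_save", "message_id": "m-1003", "labels": ["spam"], "attachment": "payroll.xlsm", "destination": "drive"}
{"time": "2025-11-18T09:15:20Z", "actor": "alice@example.com", "event_type": "message_open", "message_id": "m-1001", "labels": ["SPAM"]}
this line is not JSON and should be skipped
""".strip()

# Assumed action values for "download" and "save" of an attachment.
ATTACHMENT_ACTIONS = {"attachment_download", "attachment_save"}
SPAM_LABEL = "SPAM"


@dataclass
class Alert:
    """One detection hit; severity and ATT&CK mapping follow the rule summary."""
    actor: str
    action: str
    message_id: str
    attachment: str
    time: str
    severity: str = "High"
    techniques: tuple = ("T1566.001", "T1204.002")


def parse_events(raw: str) -> list:
    """Parse NDJSON log lines, skipping blank or malformed lines instead of failing."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: drop it, do not crash the detector
    return events


def is_spam_attachment_event(event: dict) -> bool:
    """True when an attachment was downloaded/saved from a spam-labeled message."""
    if event.get("event_type") not in ATTACHMENT_ACTIONS:
        return False
    # Normalise label case so "spam" and "SPAM" both match.
    labels = {str(label).upper() for label in event.get("labels", [])}
    return SPAM_LABEL in labels


def detect(raw: str) -> list:
    """Run the detection over raw log text and return one Alert per matching event."""
    alerts = []
    for ev in parse_events(raw):
        if is_spam_attachment_event(ev):
            alerts.append(
                Alert(
                    actor=ev.get("actor", "<unknown>"),
                    action=ev["event_type"],
                    message_id=ev.get("message_id", ""),
                    attachment=ev.get("attachment", ""),
                    time=ev.get("time", ""),
                )
            )
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES):
        print(f"[{alert.severity}] {alert.time} {alert.actor} {alert.action} "
              f"{alert.attachment} (msg {alert.message_id}) {alert.techniques}")
```

On the constructed input this yields two alerts (alice's download and carol's save); bob's download from a non-spam message and alice's plain message open are ignored. A practitioner caveat: Gmail's spam label is a classifier verdict, so legitimate mail misfiled as spam will also produce hits, which is why the rule's output should feed triage rather than automatic blocking.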
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Web Credential
- Application Log
ATT&CK Techniques
- T1566.001 (Phishing: Spearphishing Attachment)
- T1204.002 (User Execution: Malicious File)
Created: 2025-11-18