Google Workspace Custom Gmail Route Created or Modified

Elastic Detection Rules

Summary
This detection rule identifies when a custom Gmail email route is created or modified in Google Workspace. Adversaries may abuse this functionality to reroute sensitive email to inboxes they control, thereby capturing confidential information such as invoices or payment documents. The rule tracks specific admin actions within Google Workspace that pertain to the creation or alteration of email settings, particularly those related to email routing. False positives may arise when administrators make legitimate changes for organizational or security purposes. The rule runs a query every 10 minutes, scanning for events related to the modification of Gmail settings, and consumes Google Workspace log data ingested via Filebeat. It also provides an investigation process for verifying the legitimacy of any identified change. If a change turns out to be unauthorized, recommended response actions include user account reviews, impact assessments, and remediation steps to prevent further incidents.
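The summary describes the rule's logic but does not show the query. The following added example (written for this page, not Elastic's rule code) applies that logic to a few constructed Google Workspace admin audit events in the shape Filebeat's google_workspace module emits; the ECS field names and the `EMAIL_ROUTE` setting name are assumptions that should be checked against your own ingested data.

```python
"""Flag Google Workspace admin audit events that create or change a custom Gmail route."""
import json

# Constructed NDJSON sample, shaped like events from Filebeat's google_workspace
# module (field names below are assumptions; verify them against your index).
SAMPLE_LOG = """
{"@timestamp":"2024-05-01T10:00:00Z","event":{"dataset":"google_workspace.admin","action":"CREATE_GMAIL_SETTING"},"google_workspace":{"event":{"type":"EMAIL_SETTINGS"},"admin":{"setting":{"name":"EMAIL_ROUTE"}}},"source":{"user":{"email":"admin@example.com"}}}
{"@timestamp":"2024-05-01T10:05:00Z","event":{"dataset":"google_workspace.admin","action":"CHANGE_GMAIL_SETTING"},"google_workspace":{"event":{"type":"EMAIL_SETTINGS"},"admin":{"setting":{"name":"EMAIL_ROUTE"}}},"source":{"user":{"email":"contractor@example.com"}}}
{"@timestamp":"2024-05-01T10:07:00Z","event":{"dataset":"google_workspace.admin","action":"CHANGE_GMAIL_SETTING"},"google_workspace":{"event":{"type":"EMAIL_SETTINGS"},"admin":{"setting":{"name":"SIGNATURE_SETTING"}}},"source":{"user":{"email":"admin@example.com"}}}
{"@timestamp":"2024-05-01T10:09:00Z","event":{"dataset":"google_workspace.login","action":"login_success"},"source":{"user":{"email":"admin@example.com"}}}
""".strip()

ROUTE_ACTIONS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}
ROUTE_SETTINGS = {"EMAIL_ROUTE"}  # assumed setting name for a custom Gmail route


def field(event, path, default=None):
    """Walk a dotted ECS path through nested dicts, tolerating missing keys."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_gmail_route_change(event):
    """Rule logic as the summary describes it: an admin action that creates or
    changes an email setting whose name identifies a routing setting."""
    return (field(event, "event.dataset") == "google_workspace.admin"
            and field(event, "event.action") in ROUTE_ACTIONS
            and field(event, "google_workspace.event.type") == "EMAIL_SETTINGS"
            and field(event, "google_workspace.admin.setting.name") in ROUTE_SETTINGS)


def find_route_changes(ndjson):
    """Return (timestamp, actor, action) for every matching line; skip bad JSON."""
    hits = []
    for line in ndjson.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed log line: skip rather than abort the whole scan
        if is_gmail_route_change(event):
            hits.append((event.get("@timestamp"),
                         field(event, "source.user.email"),
                         field(event, "event.action")))
    return hits


if __name__ == "__main__":
    for ts, actor, action in find_route_changes(SAMPLE_LOG):
        print(f"{ts} {actor} {action}: confirm this route change was authorised")
```

Each hit is a starting point for the investigation the rule prescribes: confirm with the acting admin that the route was intended, and review where the route now delivers mail.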
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Process
ATT&CK Techniques
  • T1114
  • T1114.003
Created: 2022-09-13