Google Workspace Object Copied to External Drive with App Consent

Elastic Detection Rules

Summary
This detection rule covers Google Drive objects such as spreadsheets and documents that a user copies into their Google Workspace (GWS) account from a Drive outside the organization. It uses sequence logic: an alert fires when the same user grants a custom Google application permission via OAuth shortly after copying an external Drive object. The scenario is phishing: an adversary lures the user into copying a Drive object into their own Drive, and if that object carries an embedded (container-bound) script, running it requires the user to accept an OAuth consent prompt for the script's requested scopes. The rule therefore watches for two specific events in order, the Drive file copy and the subsequent OAuth token authorization. Investigators should confirm whether the sequence was benign or malicious by examining the copied file (its owner, type and any embedded script) and the OAuth grant (the application's client ID and the scopes requested) in the Google Workspace audit events.
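The sequence logic described above, run over a few constructed audit events, as an added example that is not the Elastic rule's own EQL query. Field names follow the layout of the Elastic Google Workspace integration (google_workspace.drive.*, google_workspace.token.*, source.user.email) but are assumptions here; the 3-minute window, the set of script-capable file types, the approved-client allowlist and every sample event are also assumptions constructed for the example.

```python
"""Sequence detection: external Drive object copy, then OAuth app consent.

Added example, not the Elastic rule's query. Field names are modeled on the
Elastic Google Workspace integration but are assumptions; the sample events
below are constructed, not real audit logs.
"""
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=3)  # assumed window: consent must follow the copy within 3 minutes
# Assumption: Drive object types that can carry a container-bound Apps Script
SCRIPT_CAPABLE_TYPES = {"document", "spreadsheet", "form", "script"}
# Assumption: OAuth client IDs the organization has reviewed; consents to these are ignored
APPROVED_CLIENT_IDS = {"123456789012-approved.apps.googleusercontent.com"}


def _when(ev):
    return datetime.fromisoformat(ev["@timestamp"])


def is_external_copy(ev):
    """Drive 'copy' of a script-capable object whose source lives outside the organization."""
    return (
        ev.get("event.dataset") == "google_workspace.drive"
        and ev.get("event.action") == "copy"
        and ev.get("google_workspace.drive.copy_type") == "external"
        and ev.get("google_workspace.drive.file.type") in SCRIPT_CAPABLE_TYPES
    )


def is_unapproved_consent(ev):
    """OAuth token 'authorize' to a client the organization has not reviewed."""
    return (
        ev.get("event.dataset") == "google_workspace.token"
        and ev.get("event.action") == "authorize"
        and ev.get("google_workspace.token.client.id") not in APPROVED_CLIENT_IDS
    )


def find_sequences(events, maxspan=MAXSPAN):
    """Pair each unapproved consent with the most recent external copy by the same
    user, provided the consent lands within `maxspan` after that copy.

    Returns a list of (copy_event, consent_event) tuples in timestamp order.
    """
    pending = {}  # user email -> latest qualifying copy not yet paired with a consent
    hits = []
    for ev in sorted(events, key=_when):
        user = ev["source.user.email"]
        if is_external_copy(ev):
            pending[user] = ev  # a newer copy supersedes an older unpaired one
        elif is_unapproved_consent(ev):
            first = pending.get(user)
            if first is not None and _when(ev) - _when(first) <= maxspan:
                hits.append((first, ev))
                del pending[user]  # one consent closes the sequence
    return hits


def _ev(ts, user, **fields):
    return {"@timestamp": ts, "source.user.email": user, **fields}


# Constructed sample events (not real logs). Only alice's consent follows an
# external copy of a script-capable object within the 3-minute window.
SAMPLE_EVENTS = [
    _ev("2023-03-07T10:00:00+00:00", "alice@example.com", **{"event.dataset": "google_workspace.drive",
        "event.action": "copy", "google_workspace.drive.copy_type": "external",
        "google_workspace.drive.file.type": "spreadsheet"}),
    _ev("2023-03-07T10:01:30+00:00", "alice@example.com", **{"event.dataset": "google_workspace.token",
        "event.action": "authorize",
        "google_workspace.token.client.id": "987654321098-unknown.apps.googleusercontent.com",
        "google_workspace.token.scope.data": ["https://www.googleapis.com/auth/drive"]}),
    # bob: consent arrives 7 minutes after the copy, outside the default window
    _ev("2023-03-07T10:05:00+00:00", "bob@example.com", **{"event.dataset": "google_workspace.drive",
        "event.action": "copy", "google_workspace.drive.copy_type": "external",
        "google_workspace.drive.file.type": "document"}),
    _ev("2023-03-07T10:12:00+00:00", "bob@example.com", **{"event.dataset": "google_workspace.token",
        "event.action": "authorize",
        "google_workspace.token.client.id": "555555555555-other.apps.googleusercontent.com"}),
    # carol: copy from inside the organization, so no sequence starts
    _ev("2023-03-07T10:20:00+00:00", "carol@example.com", **{"event.dataset": "google_workspace.drive",
        "event.action": "copy", "google_workspace.drive.copy_type": "internal",
        "google_workspace.drive.file.type": "spreadsheet"}),
    _ev("2023-03-07T10:20:45+00:00", "carol@example.com", **{"event.dataset": "google_workspace.token",
        "event.action": "authorize",
        "google_workspace.token.client.id": "555555555555-other.apps.googleusercontent.com"}),
    # dave: consent goes to an approved client, so it is ignored
    _ev("2023-03-07T10:30:00+00:00", "dave@example.com", **{"event.dataset": "google_workspace.drive",
        "event.action": "copy", "google_workspace.drive.copy_type": "external",
        "google_workspace.drive.file.type": "form"}),
    _ev("2023-03-07T10:30:20+00:00", "dave@example.com", **{"event.dataset": "google_workspace.token",
        "event.action": "authorize",
        "google_workspace.token.client.id": "123456789012-approved.apps.googleusercontent.com"}),
]

if __name__ == "__main__":
    for copy_ev, consent_ev in find_sequences(SAMPLE_EVENTS):
        print(copy_ev["source.user.email"], copy_ev["google_workspace.drive.file.type"],
              "->", consent_ev["google_workspace.token.client.id"])
```

The window is the main tuning knob: widening it catches a victim who opens the copied object later, at the cost of pairing unrelated consents with stale copies, so `find_sequences` keeps only the latest unpaired copy per user and closes the sequence on the first matching consent. When triaging a hit, the consent event's client ID and scope list are what distinguish a legitimate add-on from a script asking for Drive or external-request access.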
Categories
  • Cloud
  • Web
  • Application
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1566 (Phishing)
  • T1566.002 (Phishing: Spearphishing Link)
Created: 2023-03-07