GCP Multiple Users Failing To Authenticate From Ip

Splunk Security Content

Summary
This analytic uses Google Workspace login failure events to detect password spraying from a single source IP address. It fires when one IP fails to authenticate to more than 20 distinct Google Workspace user accounts within a 5-minute window, a volume of distinct-account failures that rarely has a benign cause and usually indicates an adversary trying to gain initial access with guessed or stolen credentials. Because a spray tries a small set of common passwords against many accounts, any account protected only by a weak password is at risk; a hit therefore warrants listing the targeted accounts, checking whether any of them later authenticated successfully from the same IP, and enforcing multi-factor authentication where it is missing. Administrators should tune the threshold and window to their environment: shared egress points such as corporate NAT gateways, VPN concentrators and proxies can legitimately produce failures for many distinct accounts from one IP, and should be allow-listed or given a higher threshold to limit false positives.
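The rule above (filter to login failures, bucket into 5-minute windows, count distinct users per source IP, alert above 20) can be reproduced outside Splunk to test thresholds against your own data. The following is an added example written for this page; it is not Splunk's SPL, not Google's log schema, and the event dicts, IP addresses, user names and timestamps are all constructed. It also goes one step beyond the detection as described: a fixed 5-minute bucket can split a spray that straddles a bucket boundary into two sub-threshold halves, so a sliding-window variant is included alongside the bucketed one to show the difference.

```python
"""Toy re-implementation of the 'GCP Multiple Users Failing To Authenticate From Ip'
logic over constructed Google Workspace-style login_failure events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 5 * 60   # span of each time bucket (the detection's 5-minute window)
THRESHOLD = 20            # alert when distinct failed accounts per IP exceed this


def build_sample_events():
    """Constructed sample data, not real log output. Each event keeps only the
    fields the detection keys on: event name, source IP, target user, timestamp."""
    t0 = datetime(2024, 11, 14, 9, 0, tzinfo=timezone.utc)
    events = []
    # Case 1: a spray, 25 distinct accounts from one IP in under four minutes.
    for i in range(25):
        events.append({"event_name": "login_failure", "src_ip": "198.51.100.7",
                       "user": f"user{i:02d}@example.com",
                       "time": t0 + timedelta(seconds=9 * i)})
    # Case 2: one user retrying a bad password 30 times: many failures, one account.
    for i in range(30):
        events.append({"event_name": "login_failure", "src_ip": "203.0.113.5",
                       "user": "alice@example.com",
                       "time": t0 + timedelta(seconds=5 * i)})
    # Case 3: low-and-slow, 25 accounts from one IP spread over 50 minutes.
    for i in range(25):
        events.append({"event_name": "login_failure", "src_ip": "192.0.2.9",
                       "user": f"user{i:02d}@example.com",
                       "time": t0 + timedelta(minutes=2 * i)})
    # Case 4: 22 accounts in under two minutes, straddling the 09:05 bucket edge.
    for i in range(22):
        events.append({"event_name": "login_failure", "src_ip": "198.51.100.42",
                       "user": f"staff{i:02d}@example.com",
                       "time": t0 + timedelta(minutes=4, seconds=5 * i)})
    # A successful login from the spraying IP must not count as a failure.
    events.append({"event_name": "login_success", "src_ip": "198.51.100.7",
                   "user": "user99@example.com", "time": t0})
    return events


def detect_spray(events, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Bucketed form of the rule: fixed windows aligned to the epoch, distinct
    users per (window, src_ip), alert where the count exceeds the threshold."""
    buckets = defaultdict(set)  # (window_start_epoch, src_ip) -> {users}
    for ev in events:
        if ev["event_name"] != "login_failure":
            continue
        epoch = int(ev["time"].timestamp())
        window_start = epoch - (epoch % window_seconds)
        buckets[(window_start, ev["src_ip"])].add(ev["user"])
    hits = []
    for (window_start, src_ip), users in sorted(buckets.items()):
        if len(users) > threshold:
            hits.append({"window_start": datetime.fromtimestamp(window_start, tz=timezone.utc),
                         "src_ip": src_ip, "unique_accounts": len(users),
                         "users": sorted(users)})
    return hits


def detect_spray_sliding(events, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Same rule over a sliding window (t - window_seconds, t] per IP, so a spray
    split across a bucket boundary is still caught. Returns {src_ip: peak count}."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["event_name"] == "login_failure":
            per_ip[ev["src_ip"]].append((int(ev["time"].timestamp()), ev["user"]))
    hits = {}
    for src_ip, fails in per_ip.items():
        fails.sort()
        in_window = defaultdict(int)  # user -> occurrences inside the current window
        left, peak = 0, 0
        for t, user in fails:
            in_window[user] += 1
            # evict events that fell out of the window ending at t
            while t - fails[left][0] >= window_seconds:
                old = fails[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            hits[src_ip] = peak
    return hits


if __name__ == "__main__":
    sample = build_sample_events()
    for hit in detect_spray(sample):
        print(f"bucketed: {hit['window_start']} {hit['src_ip']} {hit['unique_accounts']} accounts")
    for ip, peak in detect_spray_sliding(sample).items():
        print(f"sliding:  {ip} peak {peak} distinct accounts in one window")
```

On the constructed data the bucketed rule flags only 198.51.100.7, while the sliding variant also catches 198.51.100.42, whose 22 accounts fall 12 and 10 on either side of the 09:05 boundary. Neither form flags the single retrying user or the low-and-slow IP that never exceeds three distinct accounts in any window; the latter is the kind of activity that needs a longer window or a different rule, not a lower threshold.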
Categories
  • Cloud
  • GCP
  • Identity Management
Data Sources
  • Cloud Storage
  • User Account
ATT&CK Techniques
  • T1110
  • T1586
  • T1586.003
  • T1110.003
  • T1110.004
Created: 2024-11-14