diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml b/rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_application_access_levels_modified.yml
similarity index 100%
rename from rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml
rename to rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_application_access_levels_modified.yml
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml b/rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_application_removed.yml
similarity index 100%
rename from rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml
rename to rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_application_removed.yml
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml b/rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_granted_domain_api_access.yml
similarity index 100%
rename from rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml
rename to rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_granted_domain_api_access.yml
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml b/rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_mfa_disabled.yml
similarity index 100%
rename from rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml
rename to rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_mfa_disabled.yml
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml b/rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_role_modified_or_deleted.yml
similarity index 100%
rename from rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml
rename to rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_role_modified_or_deleted.yml
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml b/rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_role_privilege_deleted.yml
similarity index 100%
rename from rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml
rename to rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_role_privilege_deleted.yml
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_user_granted_admin_privileges.yml
similarity index 100%
rename from rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml
rename to rules/cloud/gcp/gworkspace/admin/gcp_gworkspace_user_granted_admin_privileges.yml
diff --git a/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_govattack.yml b/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_govattack.yml
new file mode 100644
index 000000000..814eb03db
--- /dev/null
+++ b/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_govattack.yml
@@ -0,0 +1,28 @@
+title: Google Workspace Government Attack Warning
+id: eafe6f2b-cfec-4612-aec2-49563c33a087
+status: experimental
+description: Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
+references:
+ - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
+ - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
+ - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#gov_attack_warning
+author: Tom Kluter
+date: 2026-04-28
+tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.initial-access
+ - attack.impact
+ - attack.t1078
+logsource:
+ product: gcp
+ service: google_workspace.login
+detection:
+ selection:
+ protoPayload.serviceName: 'login.googleapis.com'
+ protoPayload.metadata.event.eventName: 'gov_attack_warning'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
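Review bot: The tag list of the new gcp_gworkspace_govattack.yml rule includes `attack.impact`, which is not a tactic that T1078 (Valid Accounts) maps to — the technique's tactics are initial-access, persistence, privilege-escalation and defense-evasion, and all four are already listed — so I would drop `- attack.impact`. With `falsepositives: - Unknown` and a vendor-side classification of a government-backed attacker, `level: medium` also reads as under-rated; consider `level: high` if the repository's convention for vendor-flagged attack warnings supports it. The rest of the hunk mirrors the other login rules added here.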
diff --git a/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_out_of_domain_email_forwarding.yml b/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_out_of_domain_email_forwarding.yml
new file mode 100644
index 000000000..2e9afa4a0
--- /dev/null
+++ b/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_out_of_domain_email_forwarding.yml
@@ -0,0 +1,22 @@
+title: Google Workspace Out Of Domain Email Forwarding
+id: 2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5
+status: experimental
+description: Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
+references:
+ - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#email_forwarding_out_of_domain
+author: Tom kluter
+date: 2026-04-28
+tags:
+ - attack.t1114.003
+ - attack.collection
+logsource:
+ product: gcp
+ service: google_workspace.login
+detection:
+ selection:
+ protoPayload.serviceName: 'login.googleapis.com'
+ protoPayload.metadata.event.eventName: 'email_forwarding_out_of_domain'
+ condition: selection
+falsepositives:
+ - Legitimate forwarding
+level: medium
diff --git a/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_suspicious_login.yml b/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_suspicious_login.yml
new file mode 100644
index 000000000..9aeec57ea
--- /dev/null
+++ b/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_suspicious_login.yml
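Review bot: The author field `author: Tom kluter` in gcp_gworkspace_out_of_domain_email_forwarding.yml differs in casing from `author: Tom Kluter` in the two sibling rules added by this commit (gcp_gworkspace_govattack.yml and gcp_gworkspace_suspicious_login.yml); rule metadata is commonly aggregated per author, so the three should agree. The references list here also omits the two generic GCP audit-logging links (gsuite-audit-logging and understanding-audit-logs) that the sibling rules carry; adding them keeps the login rules consistent and gives readers the field-layout documentation behind `protoPayload.metadata.event.eventName`.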
@@ -0,0 +1,32 @@
+title: Suspicious Login Activity Classified By Google
+id: 38360161-76c4-4283-842e-efcf997dafc8
+status: experimental
+description: Detects Google Workspace login activity that's classified as suspicious by Google.
+references:
+ - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
+ - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
+ - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login
+ - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login_less_secure_app
+ - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_programmatic_login
+author: Tom Kluter
+date: 2026-04-28
+tags:
+ - attack.initial-access
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.t1078.004
+logsource:
+ product: gcp
+ service: google_workspace.login
+detection:
+ selection:
+ protoPayload.Servicename: 'login.googleapis.com'
+ protoPayload.metadata.event.eventName:
+ - 'suspicious_login_less_secure_app'
+ - 'suspicious_login'
+ - 'suspicious_programmatic_login'
+ condition: selection
+falsepositives:
+ - Legitimate logins
+level: medium
diff --git a/tests/logsource.json b/tests/logsource.json
index 689c35ac7..9e1e9252b 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -339,7 +339,8 @@
 "category":{},
 "service":{
 "gcp.audit":[],
- "google_workspace.admin":[]
+ "google_workspace.admin":[],
+ "google_workspace.login":[]
 }
 },
 "github":{
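Review bot: The selection in gcp_gworkspace_suspicious_login.yml uses the field name `protoPayload.Servicename`, while the two sibling rules in this commit use `protoPayload.serviceName`; GCP audit log field names are camelCase and field-name mappings in Sigma backends are generally case-sensitive, so this rule would likely never match on a backend that does not normalise case — change the line to `protoPayload.serviceName: 'login.googleapis.com'`. Everything else in the hunk mirrors the sibling login rules. The tests/logsource.json hunk only registers the new `google_workspace.login` service that the three rules declare and needs no change.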