Service abuse: Google Firebase sender address with suspicious content

Detects inbound messages whose sender root domain is firebaseapp.com (Firebase-hosted) that carry at least one link and show at least one weak suspicious indicator: emojis in the subject or body, spam keywords, unusual link patterns (identical or untracked links, link-only bodies), a freemail Reply-To, or link domains whose WHOIS contacts use freemail providers.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the `source` block scalar is MQL, so comments inside it use `//`.
name: "Service abuse: Google Firebase sender address with suspicious content"
description: "Detects messages from Firebase hosted domains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information."
type: "rule"
# Low severity: each indicator in the `1 of` list below is weak on its own, so this rule is
# tuned for attack-surface reduction rather than high-confidence blocking.
severity: "low"
source: |
  // Scope: inbound mail, sender root domain exactly firebaseapp.com, and at least one link.
  // NOTE(review): only the firebaseapp.com suffix is covered; Firebase Hosting also issues
  // *.web.app hostnames — confirm whether sender mail from that suffix should be in scope.
  // NOTE(review): no sender-authentication check (DMARC/SPF) is applied here, so a message
  // that merely claims a firebaseapp.com From: address also satisfies this scope.
  type.inbound
  and sender.email.domain.root_domain == "firebaseapp.com"
  and length(body.links) != 0
  // Any single one of the following indicators is sufficient to fire.
  and 1 of (
    // has an emoji in the subject or body
    // The character classes also include Misc Technical (U+2300-23FF), Misc Symbols
    // (U+2600-26FF) and Dingbats (U+2700-27BF), so plain check marks, arrows, hourglasses
    // and similar symbols in otherwise ordinary mail satisfy this clause.
    // Note the body check runs on body.plain.raw (whole message, including quoted
    // earlier messages) whereas the keyword check below uses body.current_thread.text only.
    regex.contains(body.plain.raw,
                   '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
    ),
    regex.contains(subject.subject,
                   '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
    ),
    // spammy keywords
    // These are case-insensitive, unanchored substring matches: "*win*" also hits
    // "window"/"Windows", "*won*" hits "wonder", "*claim*" hits "disclaimer" and
    // "*package*" hits software packages. Expect false positives from this clause alone;
    // word-boundary regexes would be tighter if tuning is needed.
    strings.ilike(body.current_thread.text,
                  "*congrat*",
                  "*win*",
                  "*expired*",
                  "*subscription*",
                  "*won*",
                  "*gift*",
                  "*CARTE CADEAU*",
                  "*Votre chance*",
                  "*survey*",
                  "*livraison*",
                  "*delivery*",
                  "*package*",
                  "*claim*",
                  "*rewards*"
    ),
    // entire body is an image with a link
    // NOTE(review): this only requires empty current-thread text plus exactly one link;
    // the presence of an image is not actually verified.
    length(body.current_thread.text) == 0
    and length(body.links) == 1,
    // HTML body starts with a link
    strings.istarts_with(body.html.raw, '<a href='),
    // known spammy HTML elements
    // Matches the builder marker as a substring of any element's class attribute.
    any(html.xpath(body.html, '//*/@class').nodes,
        strings.icontains(.raw, 'eb-drag-and-drop-builder')
    ),
    // multiple links that are identical
    // More than one link, but every href resolves to the same URL.
    length(body.links) > 1
    and length(distinct(body.links, .href_url.url)) == 1,
    // body link whois email is a freemail
    // One WHOIS lookup per link domain; the registrant, administrative and technical
    // contact addresses are each parsed and their root domain compared against the
    // $free_email_providers list.
    any(body.links,
        strings.parse_email(network.whois(.href_url.domain).registrant_email).domain.root_domain in $free_email_providers
        or strings.parse_email(network.whois(.href_url.domain).administrative_email
        ).domain.root_domain in $free_email_providers
        or strings.parse_email(network.whois(.href_url.domain).technical_email).domain.root_domain in $free_email_providers
    ),
    // freemail reply-to
    // Fires on any Reply-To whose root domain is a freemail provider; the Reply-To is not
    // compared against the sender domain here.
    any(headers.reply_to, .email.domain.root_domain in $free_email_providers),
    // link with display text, but no tracking info (unusual for legitimate marketing)
    // "No tracking info" is inferred from href_url.path being null, i.e. a bare-domain link
    // that still carries display text.
    any(body.links, .display_text is not null and .href_url.path is null)
  )
tags:
 - "Attack surface reduction"
attack_types:
  - "Spam"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "9f8899a9-264c-5d8d-b340-7114695bafb2"
