Service Abuse: Google Account Notification with Links to Free File Host

calendar Apr 16, 2025  ยท
Share on: linkedin copy

Detects messages impersonating Google Accounts that contain links redirecting to known file hosting services

Sublime rule (View on GitHub)

 1name: "Service Abuse: Google Account Notification with Links to Free File Host"
 2description: "Detects messages impersonating Google Accounts that contain links redirecting to known file hosting services"
 3references:
 4 - "https://x.com/nicksdjohnson/status/1912439023982834120"
 5 - "https://easydmarc.com/blog/google-spoofed-via-dkim-replay-attack-a-technical-breakdown/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and sender.email.email == "no-reply@accounts.google.com"
11  and any(body.links, .href_url.domain.domain in $free_file_hosts)  
12
13attack_types:
14  - "Credential Phishing"
15tactics_and_techniques:
16  - "Impersonation: Brand"
17  - "Social engineering"
18  - "Free file host"
19detection_methods:
20  - "Header analysis"
21  - "URL analysis"
22  - "Sender analysis"
23id: "59786115-b28c-599b-97fe-0831643c2a34"
to-top