Service abuse: Random Google Firebase sender address with suspicious content

Detects inbound messages sent from a Firebase Hosting default domain (`*.firebaseapp.com`) whose subdomain carries Firebase's random five-character project suffix, where the message also shows at least one suspicious indicator: an emoji in the subject or body, spam keywords (English or French gift-card / delivery lures), a body consisting only of a linked image, an HTML body that opens with a link, a known drag-and-drop email-builder class, several links all pointing at the same URL, a freemail Reply-To, a display-text link with no URL path, or a link domain whose WHOIS registrant, administrative or technical contact uses a freemail provider.

Sublime rule (View on GitHub)

 1name: "Service abuse: Random Google Firebase sender address with suspicious content"
 2description: "Detects messages from Firebase hosting domains with randomly generated subdomains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  and sender.email.domain.root_domain == "firebaseapp.com"
 8  // random Firebase sender domain
 9  and regex.imatch(sender.email.domain.domain,
10                  '^[a-z0-9]*-[a-z0-9]{5}.firebaseapp\.com'
11  )
12  and length(body.links) != 0
13  and 1 of (
14    // has an emoji in the subject or body
15    regex.contains(body.plain.raw,
16                  '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
17    ),
18    regex.contains(subject.subject,
19                  '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
20    ),
21    // spammy keywords
22    strings.ilike(body.current_thread.text,
23                  "*congrat*",
24                  "*win*",
25                  "*expired*",
26                  "*subscription*",
27                  "*won*",
28                  "*gift*",
29                  "*CARTE CADEAU*",
30                  "*Votre chance*",
31                  "*survey*",
32                  "*livraison*",
33                  "*delivery*",
34                  "*package*",
35                  "*claim*",
36                  "*rewards*"
37    ),
38    // entire body is an image with a link
39    length(body.current_thread.text) == 0
40    and length(body.links) == 1,
41    // HTML body starts with a link
42    strings.istarts_with(body.html.raw, '<a href='),
43    // known spammy HTML elements
44    any(html.xpath(body.html, '//*/@class').nodes,
45        strings.icontains(.raw, 'eb-drag-and-drop-builder')
46    ),
47    // multiple links that are identical
48    length(body.links) > 1
49    and length(distinct(body.links, .href_url.url)) == 1,
50    // body link whois email is a freemail
51    any(body.links,
52        strings.parse_email(network.whois(.href_url.domain).registrant_email).domain.root_domain in $free_email_providers
53        or strings.parse_email(network.whois(.href_url.domain).administrative_email
54        ).domain.root_domain in $free_email_providers
55        or strings.parse_email(network.whois(.href_url.domain).technical_email).domain.root_domain in $free_email_providers
56    ),
57    // freemail reply-to
58    any(headers.reply_to, .email.domain.root_domain in $free_email_providers),
59    // link with display text, but no tracking info (unusual for legitimate marketing)
60    any(body.links, .display_text is not null and .href_url.path is null)
61  )  
62tags:
63 - "Attack surface reduction"
64attack_types:
65  - "Spam"
66  - "Credential Phishing"
67tactics_and_techniques:
68  - "Free subdomain host"
69  - "Social engineering"
70detection_methods:
71  - "Content analysis"
72  - "Header analysis"
73  - "HTML analysis"
74  - "Natural Language Understanding"
75  - "Sender analysis"
76  - "URL analysis"
77  - "Whois"
78id: "9f8899a9-264c-5d8d-b340-7114695bafb2"
