Link: Google Firebase dynamic link that redirects to new domain (<7 days old)

An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site. This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.

Sublime rule (View on GitHub)

name: "Link: Google Firebase dynamic link that redirects to new domain (<7 days old)"
description: |
  An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site.
  This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "low"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain =~ "goo.gl"
          and strings.icontains(.href_url.domain.domain, "app")
          and any(ml.link_analysis(.).redirect_history,
                  network.whois(.domain).days_old < 7
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Whois"
id: "5a204a37-3120-53c1-a55a-5f4f09c61dc4"
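The rule's matching logic, mirrored in Python so it can be exercised offline. This is an added example, not part of the Sublime rule or its engine. The link shape, the `WHOIS_CREATED` table, the sample domains and the handling of a missing WHOIS record (treated as no match) are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed WHOIS creation dates; stands in for network.whois(.domain).
WHOIS_CREATED = {
    "new-login-portal.example": date(2024, 5, 28),
    "week-old-site.example": date(2024, 5, 25),
    "established-shop.example": date(2015, 3, 1),
}
TODAY = date(2024, 6, 1)  # fixed so the sample results are reproducible


def days_old(domain, today=TODAY):
    """Domain age in days, or None when no WHOIS record is available."""
    created = WHOIS_CREATED.get(domain.lower())
    return None if created is None else (today - created).days


def is_firebase_dynamic_link(host):
    """Root domain is goo.gl and the full host contains 'app' (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host.endswith(".goo.gl") and "app" in host


def rule_matches(link, today=TODAY, max_age_days=7):
    """link is a hypothetical dict: {'host': str, 'redirect_history': [domain, ...]}."""
    if not is_firebase_dynamic_link(link["host"]):
        return False
    for hop in link["redirect_history"]:
        age = days_old(hop, today)
        # Assumption: a hop with no WHOIS data does not satisfy "days_old < 7".
        if age is not None and age < max_age_days:
            return True
    return False


# Constructed sample links with the redirect chain a link analysis would report.
SAMPLE_LINKS = [
    {"host": "promo.app.goo.gl", "redirect_history": ["new-login-portal.example"]},
    {"host": "promo.app.goo.gl", "redirect_history": ["established-shop.example"]},
    {"host": "promo.app.goo.gl", "redirect_history": ["week-old-site.example"]},
    {"host": "promo.app.goo.gl", "redirect_history": ["no-whois-record.example"]},
    {"host": "short.example", "redirect_history": ["new-login-portal.example"]},
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link["host"], link["redirect_history"], rule_matches(link))
```

Only the first sample matches: a domain exactly 7 days old falls outside the strict `< 7` comparison, and a new destination reached through a non-Firebase link is out of this rule's scope.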