Link to Google Apps Script macro (unsolicited)

Message contains a link to a Google Apps Script macro (script.google.com/macros/...). Apps Script can run arbitrary code, including redirecting the user to a malicious web page.

Sublime rule (View on GitHub)

name: "Link to Google Apps Script macro (unsolicited)"
description: |
  Message contains a Google Apps Script macro link. Apps Script can run
  arbitrary code, including redirecting the user to a malicious web page.
references:
  - "https://twitter.com/bunnymaid/status/1415478829162762240"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == "script.google.com"
          and strings.ilike(.href_url.path, "/macros*")
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "d10146df-547f-5a89-8690-477283e3b1f7"
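To show how the two halves of the rule combine (the link check and the sender-profile check), here is an added Python re-implementation run over constructed sample messages. It is not Sublime's code; the message and profile dictionaries and the `AKfycbPLACEHOLDER` deployment id are assumptions standing in for Sublime's message data model.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlparse


def ilike(value, pattern):
    """Case-insensitive wildcard match, mirroring the rule's strings.ilike."""
    return fnmatchcase(value.lower(), pattern.lower())


def has_apps_script_macro_link(links):
    """Mirrors: any(body.links, .href_url.domain.domain == "script.google.com"
    and strings.ilike(.href_url.path, "/macros*")). The host must match
    exactly, so a look-alike such as script.google.com.example never qualifies."""
    for href in links:
        url = urlparse(href)  # .hostname is already lower-cased
        if (url.hostname or "") == "script.google.com" and ilike(url.path, "/macros*"):
            return True
    return False


def sender_is_unsolicited(profile):
    """Mirrors the profile.by_sender() clause: a new/outlier sender, or one whose
    history is only malicious/spam with no benign messages."""
    return (profile["prevalence"] in ("new", "outlier")
            or (profile["any_messages_malicious_or_spam"]
                and not profile["any_messages_benign"]))


def matches_rule(message, profile):
    return (message["inbound"]
            and has_apps_script_macro_link(message["links"])
            and sender_is_unsolicited(profile))


def prof(prevalence, bad=False, good=False):
    """Constructed sender profile (hypothetical shape)."""
    return {"prevalence": prevalence, "any_messages_malicious_or_spam": bad,
            "any_messages_benign": good}


# Constructed samples: (message, sender profile). The deployment id is a placeholder.
MACRO = "https://script.google.com/macros/s/AKfycbPLACEHOLDER/exec"
SAMPLES = {
    "new-sender-macro":   ({"inbound": True, "links": [MACRO]}, prof("new")),
    "known-sender-macro": ({"inbound": True, "links": [MACRO]}, prof("common", good=True)),
    "only-spam-history":  ({"inbound": True, "links": ["https://SCRIPT.google.com/MACROS/s/AKfycbPLACEHOLDER/exec"]}, prof("rare", bad=True)),
    "non-macro-path":     ({"inbound": True, "links": ["https://script.google.com/home/projects"]}, prof("new")),
    "lookalike-host":     ({"inbound": True, "links": ["https://script.google.com.example/macros/s/x/exec"]}, prof("new")),
    "outbound":           ({"inbound": False, "links": [MACRO]}, prof("new")),
}


def flagged():
    """Sorted ids of the constructed samples the rule would flag."""
    return sorted(k for k, (m, p) in SAMPLES.items() if matches_rule(m, p))
```

Only the new sender and the sender with purely malicious history are flagged; an established sender with benign history sharing the same link is not, which is the rule's way of limiting false positives on legitimate internal Apps Script links.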