Link to Google Apps Script macro via comment tagging

Jan 12, 2026 ·

Message contains a Google Apps Script macro link invoked from a comment on Google Slides|Docs. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.

Sublime rule (View on GitHub)

 1name: "Link to Google Apps Script macro via comment tagging"
 2description: |
 3  Message contains a Google Apps Script macro link invoked from a comment on Google Slides|Docs.
 4  App Scripts can run arbitrary code, including redirecting the user to a malicious web page.  
 5references:
 6  - "https://twitter.com/bunnymaid/status/1415478829162762240"
 7  - "https://playground.sublimesecurity.com?id=de1a2916-3812-4caa-a443-d1986487d772"
 8type: "rule"
 9severity: "medium"
10source: |
11  type.inbound
12  and regex.contains(sender.display_name, '\(Google (Slides|Docs)')
13  and any(body.links,
14          .href_url.domain.domain == "script.google.com"
15          and strings.ilike(.href_url.path, "/macros*")
16  )
17  and 1 of (
18    strings.ilike(body.plain.raw, '*you have ? hours*'),
19    strings.ilike(body.plain.raw, '*transfer of funds*'),
20    strings.ilike(body.plain.raw, '*order your funds*')
21    // Or the Sender Display Name is not in your Org Display Names
22    or not any($org_display_names,
23               strings.istarts_with(sender.display_name,
24                                    strings.concat(., " (Google ")
25               )
26    )
27  )  
28attack_types:
29  - "Credential Phishing"
30  - "Malware/Ransomware"
31tactics_and_techniques:
32  - "Social engineering"
33detection_methods:
34  - "Content analysis"
35  - "Sender analysis"
36  - "URL analysis"
37id: "66fecd30-4628-5e53-b3cb-5355a6741487"