Open Redirect: Google domain with /url path and suspicious indicators
This rule examines inbound messages that carry either no attachments or only image attachments and that link through Google's open redirect (google[.]com/url...). To improve accuracy and reduce false positives, the rule additionally requires two of the suspicious indicators listed in the source comments (a `2 of` group) before it fires.
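# Sublime detection rule. The `source` block is the message query evaluated
# against each inbound message; `//` lines inside it are query comments.
# Review notes are marked NOTE(review) and should be confirmed by the rule owner.
name: "Open Redirect: Google domain with /url path and suspicious indicators"
description: |
  This rule examines inbound messages that carry either no attachments or only
  image attachments and that link through Google's open redirect (google[.]com/url...).
  To enhance accuracy and minimize false positives, the rule additionally requires
  two of the suspicious indicators listed in the source comments before it fires.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // All attachments are images or 0 attachments
  // NOTE(review): the second branch means a message with no attachments at all
  // also passes this gate, so the rule is not limited to image-bearing mail.
  and (
    (
      length(attachments) > 0
      and all(attachments, .file_type in $file_types_images)
    )
    or length(attachments) == 0
  )
  // External senders only: the organisation's own domains are excluded.
  and sender.email.domain.root_domain not in $org_domains
  // negate auth'ed google messages
  // The exemption is deliberately narrow: a fixed list of local parts AND SPF
  // pass AND DMARC pass, so a spoofed Google From: address alone does not earn it.
  // NOTE(review): .sld compares only the "google" label, not the full domain or
  // TLD -- confirm that scope is intended.
  and not (
    sender.email.domain.sld == "google"
    and sender.email.local_part in ("googlealerts-noreply", "comments-noreply")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
  // not a reply
  // Treated as not-a-reply when EITHER References is empty OR no hop carries an
  // In-Reply-To field (case-insensitive match on the field name).
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // With a Google Redirect
  // Either branch suffices: a google /url link whose query string matches the
  // hl=..&q=http(s):// shape, or a link whose rewrite encoder chain already
  // identified a google open redirect.
  // NOTE(review): the regex requires a two-character `hl` value immediately
  // before `&q=`; other parameter orders are covered only by the encoder branch.
  and any(body.links,
          (
            .href_url.domain.sld == "google"
            and .href_url.path == "/url"
            and regex.contains(.href_url.query_params, "hl=.{2}&q=http(s)?://")
          )
          or any(.href_url.rewrite.encoders, . == 'google_open_redirect')
  )
  // Require 2 of the comma-separated indicator groups below.
  and 2 of (
    // Not a google logo
    // An image attachment, or the rendered message screenshot, carries a brand
    // logo whose name does not start with "Google".
    any(attachments,
        .file_type in $file_types_images
        and (
          any(ml.logo_detect(.).brands, not strings.starts_with(.name, "Google"))
          or any(ml.logo_detect(file.message_screenshot()).brands,
                 not strings.starts_with(.name, "Google")
          )
        )
    ),
    // Body analysis - NLU - Credential theft
    // Only medium/high confidence counts here.
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in~ ("medium", "high")
      )
    ),
    // Image analysis - NLU - Credential theft language
    // OCR text of exploded image attachments. Note there is no confidence floor
    // on this check, unlike the body check above.
    (
      any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft"
                  )
          )
      )
    ),
    // Content analysis - Body - Urgency
    (
      any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
      )
    ),

    // White font is found in html raw
    // Short visible text plus a white (#fff / #ffffff) div closing out the raw
    // HTML, i.e. hidden text appended at the very end of the document.
    (
      length(body.html.display_text) < 500
      and regex.icontains(body.html.raw,
                          '<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$'
      )
    )

    // domains using .app matching this pattern observed abusing google's redirect
    // NOTE(review): there is no comma before this `or`, so it belongs to the
    // white-font item above rather than forming a sixth item: that one item is
    // satisfied by EITHER the hidden-text match OR a sender domain shaped like
    // <3+ letters>.<5+ digits><no dots>.app. Confirm this grouping is intended;
    // a standalone sixth indicator would need a comma after the white-font group.
    or regex.icontains(sender.email.domain.domain,
                       '[a-z]{3,}\.\d{5,}[^\.]+\.app$'
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Open redirect"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"

id: "fc5adf74-6a39-5285-9737-3539a0542313"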