Link: Google Cloud Storage hosted credential harvesting page

Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) that follow a pattern of randomized bucket paths ending in a hashed directory and an index.html file. These links have been observed in messages impersonating professional networking and HR platform notifications, such as those mimicking recruiting outreach or job opportunity alerts from services like Sloneek and BambooHR, luring recipients to hosted credential harvesting pages.

Sublime rule (View on GitHub)

 1name: "Link: Google Cloud Storage hosted credential harvesting page"
 2description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) that follow a pattern of randomized bucket paths ending in a hashed directory and an index.html file. These links have been observed in messages impersonating professional networking and HR platform notifications, such as those mimicking recruiting outreach or job opportunity alerts from services like Sloneek and BambooHR, luring recipients to hosted credential harvesting pages."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          (
 9            .href_url.domain.domain == "storage.googleapis.com"
10            and regex.icontains(.href_url.path,
11                                '^\/(?:[^-]+\-+)+[0-9a-f]{20}\/index\.html$'
12            )
13          )
14          // workstream endcodes the URLs with sendgrid, if we click them, we can see if they redirect to the same strcuture
15          or (
16            .href_url.domain.domain == "sendgridlinks.workstream.is"
17            and any(ml.link_analysis(., mode="aggressive").redirect_history,
18                    .domain.domain == "storage.googleapis.com"
19                    and regex.icontains(.path,
20                                        '^\/(?:[^-]+\-+)+[0-9a-f]{20}\/index\.html$'
21                    )
22            )
23          )
24  )  
25attack_types:
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Free file host"
29  - "Evasion"
30  - "Social engineering"
31  - "Impersonation: Brand"
32detection_methods:
33  - "URL analysis"
34  - "Content analysis"
35id: "254c0d2d-797d-537b-a3b0-51ece04154d6"
to-top