Link: Google Cloud Storage impersonating with googledrive in URL path
Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with paths ending in 'googledrive.html', indicating abuse of Google's cloud storage service to impersonate Google Drive and potentially deliver malicious content.
Sublime rule

```yaml
name: "Link: Google Cloud Storage impersonating with googledrive in URL path"
description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with paths ending in 'googledrive.html', indicating abuse of Google's cloud storage service to impersonate Google Drive and potentially deliver malicious content."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // use of storage.googleapis.com
          .href_url.domain.domain == "storage.googleapis.com"
          // with an actor controlled path that impersonates Google Drive
          and strings.iends_with(.href_url.path, 'googledrive.html')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Free file host"
detection_methods:
  - "URL analysis"
id: "fc41a43e-6eb7-5478-a19f-e7d2bac8ed8d"
```
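The rule's two conditions (exact host match on `storage.googleapis.com`, case-insensitive suffix match on the URL path only) can be reproduced outside Sublime to test which links would fire. The Python below is an added example, not the rule or Sublime's own code; it assumes a message is represented as a list of href strings and uses constructed sample URLs, not real indicators.

```python
"""Added example: re-implementation of the rule's link check in Python.

Not part of the Sublime rule; assumes a message's body links are a list of
href URL strings (constructed sample data below).
"""
from urllib.parse import urlparse

SUSPECT_HOST = "storage.googleapis.com"   # .href_url.domain.domain == ...
SUSPECT_SUFFIX = "googledrive.html"       # strings.iends_with(.href_url.path, ...)


def link_matches(href: str) -> bool:
    """Exact host match plus case-insensitive suffix test on the path.

    Only the path is inspected: query string, fragment, port and userinfo
    are ignored, matching how .href_url.path and .domain.domain are scoped.
    """
    parsed = urlparse(href)
    host = parsed.hostname or ""          # hostname is lowercased, port stripped
    if host != SUSPECT_HOST:
        return False
    return parsed.path.lower().endswith(SUSPECT_SUFFIX)


def message_matches(body_links: list[str], inbound: bool = True) -> bool:
    """type.inbound and any(body.links, ...)"""
    return inbound and any(link_matches(h) for h in body_links)


# Constructed sample links (not real campaign indicators).
SAMPLE_LINKS = [
    "https://storage.googleapis.com/example-bucket/GoogleDrive.HTML",   # hit: mixed case
    "https://storage.googleapis.com/b/googledrive.html?u=target",       # hit: query ignored
    "https://storage.googleapis.com:443/b/googledrive.html",            # hit: port ignored
    "https://storage.googleapis.com/b/googledrive.html.png",            # miss: wrong suffix
    "https://googleapis.com/b/googledrive.html",                        # miss: host differs
    "https://example.com/storage.googleapis.com/googledrive.html",      # miss: host in path
    "https://drive.google.com/file/d/abc/view",                         # miss: real Drive
]

if __name__ == "__main__":
    for href in SAMPLE_LINKS:
        print(f"{str(link_matches(href)):5} {href}")
    print("message flagged:", message_matches(SAMPLE_LINKS))
```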