Link: Google Cloud Storage link with index.php in URL

Detects inbound messages containing links hosted on storage.googleapis.com that point to an index.php path, either in the URL path or fragment. Attackers abuse Google Cloud Storage to host malicious content, leveraging the trusted domain to bypass security filters.

Sublime rule (View on GitHub)

 1name: "Link: Google Cloud Storage link with index.php in URL"
 2description: "Detects inbound messages containing links hosted on storage.googleapis.com that point to an index.php path, either in the URL path or fragment. Attackers abuse Google Cloud Storage to host malicious content, leveraging the trusted domain to bypass security filters."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.domain == "storage.googleapis.com"
 9          and (
10            strings.iends_with(.href_url.path, 'index.php')
11            or regex.icontains(.href_url.fragment, '^\/?index.php')
12          )
13  )  
14attack_types:
15  - "Credential Phishing"
16tactics_and_techniques:
17  - "Evasion"
18  - "Free file host"
19  - "Open redirect"
20detection_methods:
21  - "URL analysis"
22id: "d0ecb49a-6251-51b2-850e-b3503dd3d02f"
to-top