Link: Google Cloud Storage redirect to external domain
Messages contain links hosted on storage.googleapis.com that, when followed, redirect to a destination outside of googleapis.com. This technique abuses Google Cloud Storage's trusted reputation to bypass link reputation checks, with the actual payload hosted on an unrelated external domain. Observed lures include parcel delivery notifications impersonating shipping carriers (UPS, GLS), gambling bonus offers, health product promotions, and storage quota warnings.
Sublime rule (View on GitHub)
1name: "Link: Google Cloud Storage redirect to external domain"
2description: "Messages contain links hosted on storage.googleapis.com that, when followed, redirect to a destination outside of googleapis.com. This technique abuses Google Cloud Storage's trusted reputation to bypass link reputation checks, with the actual payload hosted on an unrelated external domain. Observed lures include parcel delivery notifications impersonating shipping carriers (UPS, GLS), gambling bonus offers, health product promotions, and storage quota warnings."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(body.links,
8 .href_url.domain.domain == "storage.googleapis.com"
9 and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain != "googleapis.com"
10 )
11tags:
12 - "Attack surface reduction"
13attack_types:
14 - "Credential Phishing"
15 - "Spam"
16 - "Malware/Ransomware"
17tactics_and_techniques:
18 - "Free file host"
19 - "Open redirect"
20 - "Impersonation: Brand"
21 - "Social engineering"
22 - "Evasion"
23detection_methods:
24 - "URL analysis"
25 - "Threat intelligence"
26id: "c687f8bc-0e07-5c22-93d7-7dcf2d7986e8"