Link: Google Cloud Storage with short-path link delivery

Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) where the URL path ends in 'ls' or 'lis', matching a pattern used to host redirector or landing pages. Observed across multilingual spam and unsolicited promotional messages — including fake parcel delivery notifications impersonating FedEx and T&T, as well as product advertisement lures — sent from a variety of compromised or unrelated sender domains. The consistent use of this specific GCS path pattern suggests a shared delivery infrastructure across multiple senders.

Sublime rule (View on GitHub)

 1name: "Link: Google Cloud Storage with short-path link delivery"
 2description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) where the URL path ends in 'ls' or 'lis', matching a pattern used to host redirector or landing pages. Observed across multilingual spam and unsolicited promotional messages — including fake parcel delivery notifications impersonating FedEx and T&T, as well as product advertisement lures — sent from a variety of compromised or unrelated sender domains. The consistent use of this specific GCS path pattern suggests a shared delivery infrastructure across multiple senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.domain == "storage.googleapis.com"
 9          // path ends with lis or ls
10          and regex.icontains(.href_url.path, '^/[^\/]+/li?s$')
11  )  
12attack_types:
13  - "Spam"
14  - "Credential Phishing"
15tactics_and_techniques:
16  - "Free file host"
17  - "Evasion"
18  - "Social engineering"
19  - "Impersonation: Brand"
20detection_methods:
21  - "URL analysis"
22  - "Content analysis"
23id: "88a473bb-b8a1-59b7-ac54-24ec84424ac2"
to-top