Link: Google Cloud Storage with short-path link delivery
Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) where the URL path ends in 'ls' or 'lis', matching a pattern used to host redirector or landing pages. Observed across multilingual spam and unsolicited promotional messages — including fake parcel delivery notifications impersonating FedEx and T&T, as well as product advertisement lures — sent from a variety of compromised or unrelated sender domains. The consistent use of this specific GCS path pattern suggests a shared delivery infrastructure across multiple senders.
Sublime rule (View on GitHub)
1name: "Link: Google Cloud Storage with short-path link delivery"
2description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) where the URL path ends in 'ls' or 'lis', matching a pattern used to host redirector or landing pages. Observed across multilingual spam and unsolicited promotional messages — including fake parcel delivery notifications impersonating FedEx and T&T, as well as product advertisement lures — sent from a variety of compromised or unrelated sender domains. The consistent use of this specific GCS path pattern suggests a shared delivery infrastructure across multiple senders."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(body.links,
8 .href_url.domain.domain == "storage.googleapis.com"
9 // path ends with lis or ls
10 and regex.icontains(.href_url.path, '^/[^\/]+/li?s$')
11 )
12attack_types:
13 - "Spam"
14 - "Credential Phishing"
15tactics_and_techniques:
16 - "Free file host"
17 - "Evasion"
18 - "Social engineering"
19 - "Impersonation: Brand"
20detection_methods:
21 - "URL analysis"
22 - "Content analysis"
23id: "88a473bb-b8a1-59b7-ac54-24ec84424ac2"