Link: Google Cloud Storage link with redirect.html in URL path
Detects inbound messages containing links that route through a redirect.html page hosted on Google Cloud Storage (storage.googleapis.com). Attackers abuse legitimate cloud storage infrastructure to host redirect pages that forward victims to malicious destinations, evading URL reputation checks.
Sublime rule (View on GitHub)
name: "Link: Google Cloud Storage link with redirect.html in URL path"
description: "Detects inbound messages containing links that route through a redirect.html page hosted on Google Cloud Storage (storage.googleapis.com). Attackers abuse legitimate cloud storage infrastructure to host redirect pages that forward victims to malicious destinations, evading URL reputation checks."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          strings.iends_with(.href_url.path, 'redirect.html')
          and .href_url.domain.domain == "storage.googleapis.com"
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Open redirect"
detection_methods:
  - "URL analysis"
id: "2820ff89-7ae4-5fef-beac-86dc349ac0d8"
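Added example (not part of the Sublime rule or its repository): a Python approximation of the rule's per-link predicate, useful for checking which URLs in a message body it would flag. It assumes the path compared by the rule excludes the query string and fragment, and that links are pulled from plain text with a simple regex; the function names and the sample body are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

GCS_HOST = "storage.googleapis.com"  # domain compared in the rule
PATH_SUFFIX = "redirect.html"        # suffix passed to strings.iends_with

# Simplified link extraction (assumption: Sublime's own parser is richer).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_matches(url: str) -> bool:
    """Approximate the rule's condition for a single link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # iends_with is case-insensitive; urlsplit keeps query/fragment out of .path
    return host == GCS_HOST and parts.path.lower().endswith(PATH_SUFFIX)


def matching_links(body_text: str) -> list[str]:
    """Return every link in the body that satisfies the predicate."""
    links = (u.rstrip(".,;)") for u in URL_RE.findall(body_text))
    return [u for u in links if link_matches(u)]


def message_matches(body_text: str, inbound: bool = True) -> bool:
    """type.inbound and any(body.links, ...)"""
    return inbound and bool(matching_links(body_text))


# Constructed sample body: one link the rule targets, two it does not.
SAMPLE_BODY = """\
Invoice ready: https://storage.googleapis.com/example-bucket/a/Redirect.HTML?id=123#top
Report: https://storage.googleapis.com/example-bucket/report.pdf
Other host: https://files.example.com/redirect.html
"""

if __name__ == "__main__":
    for hit in matching_links(SAMPLE_BODY):
        print("flagged:", hit)
```

Because the check is a suffix match on the path, an object named `myredirect.html` is also flagged, while `redirect.html.bak` is not.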