Link: Google Cloud Storage with suspicious URL pattern

Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with suspicious URL path patterns that follow a specific actor-controlled structure commonly used for hosting malicious content.

Sublime rule (View on GitHub)

name: "Link: Google Cloud Storage with suspicious URL pattern"
description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with suspicious URL path patterns that follow a specific actor-controlled structure commonly used for hosting malicious content."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // storage.googleapis.com
          .href_url.domain.domain == "storage.googleapis.com"
          // observed pattern in actor controlled url path
          and regex.contains(.href_url.path,
                             '^\/[a-z0-9]+-[a-z0-9]+-\d{8}\-[0-9a-f]+\/[^\.]+\.html'
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "1005e483-9e29-5a6b-b360-49b35d87054b"
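To see what the rule's per-link predicate evaluates to on concrete links, here is an added Python re-implementation of the host comparison and path regex; it is not part of the Sublime rule, and every sample URL below is constructed for illustration rather than an observed indicator.

```python
import re
from urllib.parse import urlparse

# Exact hostname the rule compares against (.href_url.domain.domain).
TARGET_HOST = "storage.googleapis.com"

# Same pattern string as the rule. The escapes before "-" and "." are
# redundant but harmless; they are kept so both copies stay identical.
PATH_PATTERN = re.compile(r"^\/[a-z0-9]+-[a-z0-9]+-\d{8}\-[0-9a-f]+\/[^\.]+\.html")


def link_matches(href: str) -> bool:
    """Per-link predicate: exact host match, then regex.contains on the path."""
    parsed = urlparse(href)
    if (parsed.hostname or "") != TARGET_HOST:
        return False
    # urlparse().path excludes the query string, as the rule's .path does,
    # so a trailing "?dl=1" after the .html does not defeat the match.
    return PATH_PATTERN.search(parsed.path) is not None


def message_matches(inbound: bool, links: list[str]) -> bool:
    """Message-level verdict: type.inbound and any(body.links, ...)."""
    return inbound and any(link_matches(h) for h in links)


# Constructed sample links (not observed indicators) with the expected verdict.
SAMPLE_LINKS = {
    # two-part bucket name, 8-digit date, hex suffix, .html object: hit
    "https://storage.googleapis.com/acme-docs-20240115-9f3a1c/review.html": True,
    # query string sits outside .path, still a hit
    "https://storage.googleapis.com/acme-docs-20240115-9f3a1c/review.html?dl=1": True,
    # ordinary bucket name without the date/hex suffix: miss
    "https://storage.googleapis.com/acme-docs/review.html": False,
    # right bucket shape but not an .html object: miss
    "https://storage.googleapis.com/acme-docs-20240115-9f3a1c/report.pdf": False,
    # same path shape on a different host: miss
    "https://docs.example.test/acme-docs-20240115-9f3a1c/review.html": False,
    # the character classes are lowercase only, so the bucket segment is case-sensitive: miss
    "https://storage.googleapis.com/Acme-Docs-20240115-9f3a1c/review.html": False,
}


def evaluate_samples() -> dict[str, bool]:
    """Run the per-link predicate over every constructed sample."""
    return {href: link_matches(href) for href in SAMPLE_LINKS}


if __name__ == "__main__":
    for href, verdict in evaluate_samples().items():
        print(f"{'HIT ' if verdict else 'miss'} {href}")
    print("message verdict:", message_matches(True, list(SAMPLE_LINKS)))
```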