Service abuse: Google OAuth with suspicious redirect destination

Detects messages containing Google OAuth links with prompt=none parameter that redirect to suspicious domains including free file hosts, free subdomain providers, or self-service creation platforms.

Sublime rule

name: "Service abuse: Google OAuth with suspicious redirect destination"
description: "Detects messages containing Google OAuth links with prompt=none parameter that redirect to suspicious domains including free file hosts, free subdomain providers, or self-service creation platforms."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == "accounts.google.com"
          and strings.istarts_with(.href_url.path, '/o/oauth2/v2/auth')
          and strings.icontains(.href_url.url, 'prompt=none')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Threat intelligence"
id: "462764c9-f0bc-5fe9-abe4-04db8adc4874"
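As an added worked example (not part of the Sublime rule above or of the Sublime project), the following Python reproduces the rule's three link conditions in plain code so they can be run over extracted hrefs offline: host equal to accounts.google.com, a path that case-insensitively starts with /o/oauth2/v2/auth, and prompt=none anywhere in the URL. Because the description speaks of the redirect destination, it also pulls the host out of the redirect_uri parameter for analyst triage; the rule's own MQL does not do that, and the helper names and sample links here are constructed.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

GOOGLE_OAUTH_HOST = "accounts.google.com"
GOOGLE_OAUTH_PATH = "/o/oauth2/v2/auth"


def matches_rule(url: str) -> bool:
    """Mirror the rule's three conditions on a single link href.

    Sublime's istarts_with/icontains are case-insensitive, so the path
    and the prompt=none check are lower-cased before comparison.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host != GOOGLE_OAUTH_HOST:
        return False
    if not parsed.path.lower().startswith(GOOGLE_OAUTH_PATH):
        return False
    return "prompt=none" in url.lower()


def redirect_destination(url: str) -> Optional[str]:
    """Return the host named in redirect_uri, if present (assumed triage helper).

    parse_qs percent-decodes the value, so an encoded https%3A%2F%2F...
    destination comes back as a normal URL that urlparse can read.
    """
    values = parse_qs(urlparse(url).query).get("redirect_uri")
    if not values:
        return None
    return (urlparse(values[0]).hostname or "").lower() or None


def scan_links(links: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (url, redirect host) for every link that satisfies the rule."""
    return [(u, redirect_destination(u)) for u in links if matches_rule(u)]


# Constructed sample hrefs; the destinations use the reserved .test TLD.
SAMPLE_LINKS = [
    # Matches: right host, right path, prompt=none, encoded redirect_uri.
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
    "&prompt=none&redirect_uri=https%3A%2F%2Fexample-files.test%2Flanding",
    # Matches: mixed case is tolerated by the case-insensitive checks.
    "https://accounts.google.com/O/OAUTH2/V2/AUTH?PROMPT=NONE"
    "&redirect_uri=https%3A%2F%2Fsub.example-pages.test%2F",
    # No match: legitimate prompt=consent flow.
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example&prompt=consent",
    # No match: same path and parameter, but not the Google host.
    "https://example.test/o/oauth2/v2/auth?prompt=none",
    # No match: Google host, different path.
    "https://accounts.google.com/signin/v2/identifier",
]

if __name__ == "__main__":
    for url, dest in scan_links(SAMPLE_LINKS):
        print(f"HIT  redirect host={dest!s:30} {url}")
```

Running the block prints the two hits with their redirect hosts; the remaining three constructed links fall through one condition each, which is a convenient way to confirm that a change to the MQL still rejects the benign shapes.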