Service abuse: Outlook Groups with Google Sites link and evasion tag
Detects inbound messages sent via Outlook Groups (groups.outlook.com) that contain links to Google Sites, combined with a suspicious short alphanumeric tag appended to either the message body or subject line. This pattern is commonly used to evade detection while redirecting recipients to credential harvesting pages hosted on Google Sites.
Sublime rule
name: "Service abuse: Outlook Groups with Google Sites link and evasion tag"
description: "Detects inbound messages sent via Outlook Groups (groups.outlook.com) that contain links to Google Sites, combined with a suspicious short alphanumeric tag appended to either the message body or subject line. This pattern is commonly used to evade detection while redirecting recipients to credential harvesting pages hosted on Google Sites."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and headers.return_path.domain.domain == "groups.outlook.com"
  and any(body.current_thread.links,
          .href_url.domain.domain == "sites.google.com"
  )
  and (
    regex.icontains(body.current_thread.text, '\n[a-z0-9]{3}\s*$')
    or regex.icontains(subject.base, '\s{2,}[a-z0-9]{3}\s*$')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
id: "c4a6c6bf-2d07-550e-8d67-8d8c6658b1a1"
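To see how the rule's conditions compose and exactly where the two tag regexes fire, here is an added Python re-implementation of its logic run over constructed messages; it is not part of the rule or of Sublime's engine, and the Message fields are assumed stand-ins for the MQL fields named in the comments (domains are compared case-insensitively).

```python
import re
from dataclasses import dataclass

# Regexes copied verbatim from the rule; IGNORECASE mirrors regex.icontains.
BODY_TAG_RE = re.compile(r'\n[a-z0-9]{3}\s*$', re.IGNORECASE)
SUBJECT_TAG_RE = re.compile(r'\s{2,}[a-z0-9]{3}\s*$', re.IGNORECASE)


@dataclass
class Message:
    """Constructed stand-in for the message fields the rule reads (assumption)."""
    inbound: bool
    return_path_domain: str   # headers.return_path.domain.domain
    link_domains: list        # .href_url.domain.domain of each current_thread link
    body_text: str            # body.current_thread.text
    subject: str              # subject.base


def has_evasion_tag(body_text: str, subject: str) -> bool:
    """Three-character alphanumeric tag as the final body line, or after 2+ spaces at end of subject."""
    return bool(BODY_TAG_RE.search(body_text)) or bool(SUBJECT_TAG_RE.search(subject))


def rule_conditions(msg: Message) -> dict:
    """Each top-level condition of the rule, evaluated separately so a triage can see which one failed."""
    return {
        "inbound": msg.inbound,
        "outlook_groups_return_path": msg.return_path_domain.lower() == "groups.outlook.com",
        "google_sites_link": any(d.lower() == "sites.google.com" for d in msg.link_domains),
        "evasion_tag": has_evasion_tag(msg.body_text, msg.subject),
    }


def matches_rule(msg: Message) -> bool:
    """True only when every condition holds, matching the rule's top-level 'and'."""
    return all(rule_conditions(msg).values())


# Constructed samples, not real messages.
PHISH = Message(True, "groups.outlook.com", ["sites.google.com"],
                "Please review the shared file\nhttps://sites.google.com/view/x\n\nq9z\n",
                "Invoice ready")
BENIGN = Message(True, "groups.outlook.com", ["sites.google.com"],
                 "Agenda attached, see you Monday.\nThanks", "Team meeting notes")

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("benign", BENIGN)):
        print(name, matches_rule(m), rule_conditions(m))
```

Note that the body regex also fires on any three-character final line such as "Bye", so the return-path and Google Sites conditions carry most of the rule's precision.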