sublimehighRule

Link: Google Cloud Storage with suspicious URL pattern

Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with suspicious URL path patterns that follow a specific actor-controlled structure commonly used for hosting malicious content.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1036 T1027

defense-evasion

Detection Query

type.inbound
and any(body.links,
        // storage.googleapis.com
        .href_url.domain.domain == "storage.googleapis.com"
        // observed pattern in actor controlled url path
        and regex.contains(.href_url.path,
                           '^\/[a-z0-9]+-[a-z0-9]+-\d{8}\-[0-9a-f]+\/[^\.]+\.html'
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Raw Content

name: "Link: Google Cloud Storage with suspicious URL pattern"
description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with suspicious URL path patterns that follow a specific actor-controlled structure commonly used for hosting malicious content."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // storage.googleapis.com
          .href_url.domain.domain == "storage.googleapis.com"
          // observed pattern in actor controlled url path
          and regex.contains(.href_url.path,
                             '^\/[a-z0-9]+-[a-z0-9]+-\d{8}\-[0-9a-f]+\/[^\.]+\.html'
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Evasion"
detection_methods:
  - "URL analysis"
id: "1005e483-9e29-5a6b-b360-49b35d87054b"