Service abuse: Google OAuth with suspicious redirect destination

Detects messages containing Google OAuth links that carry the prompt=none parameter and redirect to suspicious domains, including free file hosts, free subdomain providers, or self-service creation platforms.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

type.inbound
and any(body.links,
        .href_url.domain.domain == "accounts.google.com"
        and strings.istarts_with(.href_url.path, '/o/oauth2/v2/auth')
        and strings.icontains(.href_url.url, 'prompt=none')
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content

name: "Service abuse: Google OAuth with suspicious redirect destination"
description: "Detects messages containing Google OAuth links with prompt=none parameter that redirect to suspicious domains including free file hosts, free subdomain providers, or self-service creation platforms."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == "accounts.google.com"
          and strings.istarts_with(.href_url.path, '/o/oauth2/v2/auth')
          and strings.icontains(.href_url.url, 'prompt=none')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Free subdomain host"
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "Threat intelligence"
id: "462764c9-f0bc-5fe9-abe4-04db8adc4874"