← Back to Explore
sublimehighRule
Service abuse: Google account notification with links to free file host
Detects messages impersonating Google Accounts that contain links redirecting to known file hosting services
Detection Query
type.inbound
and sender.email.email == "no-reply@accounts.google.com"
and any(body.links, .href_url.domain.domain in $free_file_hosts)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Service abuse: Google account notification with links to free file host"
description: "Detects messages impersonating Google Accounts that contain links redirecting to known file hosting services"
references:
- "https://x.com/nicksdjohnson/status/1912439023982834120"
- "https://easydmarc.com/blog/google-spoofed-via-dkim-replay-attack-a-technical-breakdown/"
type: "rule"
severity: "high"
source: |
type.inbound
and sender.email.email == "no-reply@accounts.google.com"
and any(body.links, .href_url.domain.domain in $free_file_hosts)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
- "Free file host"
detection_methods:
- "Header analysis"
- "URL analysis"
- "Sender analysis"
id: "59786115-b28c-599b-97fe-0831643c2a34"