← Back to Explore
sublimelowRule
Link: Google Firebase dynamic link that redirects to new domain (<7 days old)
An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site. This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.
Detection Query
type.inbound
and any(body.links,
.href_url.domain.root_domain =~ "goo.gl"
and strings.icontains(.href_url.domain.domain, "app")
and any(ml.link_analysis(.).redirect_history,
network.whois(.domain).days_old < 7
)
)
Author
ajpc500
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Google Firebase dynamic link that redirects to new domain (<7 days old)"
description: |
An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site.
This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.
type: "rule"
authors:
- twitter: "ajpc500"
severity: "low"
source: |
type.inbound
and any(body.links,
.href_url.domain.root_domain =~ "goo.gl"
and strings.icontains(.href_url.domain.domain, "app")
and any(ml.link_analysis(.).redirect_history,
network.whois(.domain).days_old < 7
)
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "URL analysis"
- "Whois"
id: "5a204a37-3120-53c1-a55a-5f4f09c61dc4"