← Back to Explore
sublimemediumRule
Link: Google Cloud Storage redirect to external domain
Messages contain links hosted on storage.googleapis.com that, when followed, redirect to a destination outside of googleapis.com. This technique abuses Google Cloud Storage's trusted reputation to bypass link reputation checks, with the actual payload hosted on an unrelated external domain. Observed lures include parcel delivery notifications impersonating shipping carriers (UPS, GLS), gambling bonus offers, health product promotions, and storage quota warnings.
MITRE ATT&CK
initial-accessdefense-evasion
Detection Query
type.inbound
and any(body.links,
.href_url.domain.domain == "storage.googleapis.com"
and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain != "googleapis.com"
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Link: Google Cloud Storage redirect to external domain"
description: "Messages contain links hosted on storage.googleapis.com that, when followed, redirect to a destination outside of googleapis.com. This technique abuses Google Cloud Storage's trusted reputation to bypass link reputation checks, with the actual payload hosted on an unrelated external domain. Observed lures include parcel delivery notifications impersonating shipping carriers (UPS, GLS), gambling bonus offers, health product promotions, and storage quota warnings."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(body.links,
.href_url.domain.domain == "storage.googleapis.com"
and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain != "googleapis.com"
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
- "Spam"
- "Malware/Ransomware"
tactics_and_techniques:
- "Free file host"
- "Open redirect"
- "Impersonation: Brand"
- "Social engineering"
- "Evasion"
detection_methods:
- "URL analysis"
- "Threat intelligence"
id: "c687f8bc-0e07-5c22-93d7-7dcf2d7986e8"