EXPLORE
← Back to Explore
sublimemediumRule

Link: Google Cloud Storage redirect to external domain

Messages contain links hosted on storage.googleapis.com that, when followed, redirect to a destination outside of googleapis.com. This technique abuses Google Cloud Storage's trusted reputation to bypass link reputation checks, with the actual payload hosted on an unrelated external domain. Observed lures include parcel delivery notifications impersonating shipping carriers (UPS, GLS), gambling bonus offers, health product promotions, and storage quota warnings.

MITRE ATT&CK

initial-accessdefense-evasion

Detection Query

type.inbound
and any(body.links,
        .href_url.domain.domain == "storage.googleapis.com"
        and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain != "googleapis.com"
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Link: Google Cloud Storage redirect to external domain"
description: "Messages contain links hosted on storage.googleapis.com that, when followed, redirect to a destination outside of googleapis.com. This technique abuses Google Cloud Storage's trusted reputation to bypass link reputation checks, with the actual payload hosted on an unrelated external domain. Observed lures include parcel delivery notifications impersonating shipping carriers (UPS, GLS), gambling bonus offers, health product promotions, and storage quota warnings."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.domain == "storage.googleapis.com"
          and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain != "googleapis.com"
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Spam"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Free file host"
  - "Open redirect"
  - "Impersonation: Brand"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Threat intelligence"
id: "c687f8bc-0e07-5c22-93d7-7dcf2d7986e8"