sublime | high | Rule
Link: Google Cloud Storage impersonating with googledrive in URL path
Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with paths ending in 'googledrive.html', indicating abuse of Google's cloud storage service to impersonate Google Drive and potentially deliver malicious content.
Detection Query
type.inbound
and any(body.links,
        // use of storage.googleapis.com
        .href_url.domain.domain == "storage.googleapis.com"
        // with an actor controlled path that impersonates Google Drive
        and strings.iends_with(.href_url.path, 'googledrive.html')
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: Google Cloud Storage impersonating with googledrive in URL path"
description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with paths ending in 'googledrive.html', indicating abuse of Google's cloud storage service to impersonate Google Drive and potentially deliver malicious content."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // use of storage.googleapis.com
          .href_url.domain.domain == "storage.googleapis.com"
          // with an actor controlled path that impersonates Google Drive
          and strings.iends_with(.href_url.path, 'googledrive.html')
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Free file host"
detection_methods:
- "URL analysis"
id: "fc41a43e-6eb7-5478-a19f-e7d2bac8ed8d"
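The link condition in the detection query, re-implemented in Python for testing against message bodies outside the rule engine. This is an added example, not part of the published rule. It assumes `.href_url.domain.domain` is the full hostname and `.href_url.path` excludes the query string; the function names and the sample body are constructed for illustration.

```python
# Added illustration: the rule's link condition, applied to hrefs in an HTML body.
from html.parser import HTMLParser
from urllib.parse import urlsplit

GCS_HOST = "storage.googleapis.com"
LURE_SUFFIX = "googledrive.html"


class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def link_matches(url):
    """True when the host is exactly storage.googleapis.com and the path
    ends with 'googledrive.html' (case-insensitive, like strings.iends_with)."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    # The query string and fragment are not part of .path, so a trailing
    # "?id=1" does not hide the suffix and a suffix in the query is ignored.
    return host == GCS_HOST and parts.path.lower().endswith(LURE_SUFFIX)


def flagged_links(html_body):
    """Return the links in an HTML body that satisfy the rule's condition."""
    collector = _HrefCollector()
    collector.feed(html_body)
    return [u for u in collector.hrefs if link_matches(u)]


# Constructed sample body; bucket and object names are made up.
SAMPLE_BODY = """
<a href="https://storage.googleapis.com/example-bucket/docs/GoogleDrive.HTML?id=1">Open</a>
<a href="https://storage.googleapis.com/example-bucket/report.pdf">Report</a>
<a href="https://example-bucket.storage.googleapis.com/googledrive.html">Mirror</a>
<a href="https://storage.googleapis.com.example.test/x/googledrive.html">Other</a>
<a href="https://drive.google.com/file/d/EXAMPLE/view">Drive</a>
"""

if __name__ == "__main__":
    for url in flagged_links(SAMPLE_BODY):
        print("match:", url)
```

Only the first sample link is flagged: the others have a different path suffix or a hostname that is not exactly storage.googleapis.com.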