Link: Google Cloud Storage hosted credential harvesting page

Sublime Rules

Summary
Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) that follow a pattern of randomized bucket paths ending in a hashed directory and /index.html. The rule matches direct storage.googleapis.com URLs whose path matches the regex ^/(?:[^-]+\-+)+[0-9a-f]{20}/index.html$ (one or more dash-separated segments, then a 20-character lowercase hex directory, then /index.html). It also covers links that are redirected through sendgridlinks.workstream.is, where the redirect history leads to storage.googleapis.com with the same path pattern.

This structure has been observed in credential harvesting pages embedded in phishing messages that impersonate professional networking or HR notifications (e.g., recruiting outreach from services like Sloneek and BambooHR). The rule flags Credential Phishing using URL and content analysis. Tactics and techniques include use of a free file host (Google Cloud Storage pages), evasion via redirects, social engineering, and brand impersonation. It targets inbound web content and credential-related exposure, with Web Credential as the primary data context and Web/Cloud assets as the domain coverage.
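The following is an added illustration of the two match conditions described above, written in Python rather than Sublime's rule language and not taken from the rule itself; the link-record shape and all sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Path pattern quoted in the rule summary: dash-separated segments, then a
# 20-character lowercase hex directory, then /index.html.
PATH_RE = re.compile(r"^/(?:[^-]+\-+)+[0-9a-f]{20}/index.html$")
STORAGE_HOST = "storage.googleapis.com"
REDIRECTOR_HOST = "sendgridlinks.workstream.is"


def is_suspicious_storage_url(url: str) -> bool:
    """True when url points at storage.googleapis.com and its path matches PATH_RE."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname == STORAGE_HOST \
        and PATH_RE.match(p.path) is not None


def link_matches(link: dict) -> bool:
    """Apply the rule's two conditions to one link record.

    link = {"url": str, "redirect_history": [str, ...]} is a constructed shape
    (assumption, not Sublime's data model). Condition 1: the link itself is a
    matching storage URL. Condition 2: the link goes through the
    sendgridlinks.workstream.is redirector and a hop in its redirect history
    is a matching storage URL. Other redirectors are not covered by the rule.
    """
    if is_suspicious_storage_url(link["url"]):
        return True
    if urlparse(link["url"]).hostname == REDIRECTOR_HOST:
        return any(is_suspicious_storage_url(h) for h in link.get("redirect_history", []))
    return False


def flag_links(links: list) -> list:
    """Return the URLs of every link record that the rule would flag."""
    return [lnk["url"] for lnk in links if link_matches(lnk)]


# Constructed sample links (not real indicators).
SAMPLE_LINKS = [
    {"url": "https://storage.googleapis.com/recruit-team-update-0123456789abcdef0123/index.html",
     "redirect_history": []},
    {"url": "https://storage.googleapis.com/0123456789abcdef0123/index.html",  # no dash segment
     "redirect_history": []},
    {"url": "https://sendgridlinks.workstream.is/ls/click?upn=constructed",
     "redirect_history": ["https://storage.googleapis.com/hr-notice-abcdefabcdefabcdefab/index.html"]},
    {"url": "https://other-redirector.example/r?id=1",  # redirector not covered by the rule
     "redirect_history": ["https://storage.googleapis.com/hr-notice-abcdefabcdefabcdefab/index.html"]},
    {"url": "https://storage.googleapis.com/reports/quarterly.pdf", "redirect_history": []},
]

if __name__ == "__main__":
    for url in flag_links(SAMPLE_LINKS):
        print("flagged:", url)
```

Only the first and third sample links are flagged; the second fails the dash-segment requirement, the fourth uses a redirector the rule does not match on, and the fifth has an ordinary path.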
Categories
  • Web
  • Cloud
Data Sources
  • Web Credential
Created: 2026-07-01