Link: Google Cloud Storage link with redirect.html in URL path

Sublime Rules

Summary
This rule detects inbound messages containing links that route through a redirect page hosted on Google Cloud Storage (storage.googleapis.com). Attackers abuse this legitimate cloud storage domain to host redirect.html pages that forward victims to malicious destinations, aiming to evade URL reputation checks and complicate final-destination analysis. The detector analyzes inbound message content (body.links) and matches any anchor href URL whose domain is storage.googleapis.com and whose path ends with redirect.html. When a match is found, the rule flags the message as Credential Phishing with high severity and maps it to tactics/techniques such as Evasion, Open Redirect, and Free File Host abuse. Detection relies on URL analysis and domain extraction from the message payload to identify suspicious redirects that could lead to credential theft or other credential-targeted attacks.
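The matching condition described above, sketched in Python as an added example; it is not the rule's own source. The function names, the sample body and its bucket and host names are constructed, and comparing the path case-sensitively is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

GCS_HOST = "storage.googleapis.com"
REDIRECT_SUFFIX = "redirect.html"


class HrefCollector(HTMLParser):
    """Collect href values of <a> tags (the anchor links the summary refers to)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def is_gcs_redirect_link(url):
    """Host must be exactly storage.googleapis.com; path must end with redirect.html."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
        return False
    # Compare the parsed host and path, never the raw string: a substring test
    # would also hit lookalike hosts, userinfo tricks and query parameters.
    return host == GCS_HOST and parts.path.endswith(REDIRECT_SUFFIX)


def matching_links(html_body):
    collector = HrefCollector()
    collector.feed(html_body)
    return [h for h in collector.hrefs if is_gcs_redirect_link(h)]


# Constructed sample message body; bucket names and hosts are placeholders.
SAMPLE_BODY = """
<a href="https://storage.googleapis.com/example-bucket/redirect.html#x">Review</a>
<a href="https://storage.googleapis.com/example-bucket/report.pdf">Report</a>
<a href="https://storage.googleapis.com.example.net/a/redirect.html">Lookalike</a>
<a href="https://example.org/?u=https://storage.googleapis.com/b/redirect.html">Query</a>
<a href="HTTPS://STORAGE.GOOGLEAPIS.COM/example-bucket/redirect.html?id=1">Case</a>
"""

if __name__ == "__main__":
    for link in matching_links(SAMPLE_BODY):
        print("match:", link)
```

Only the first and last sample links match; the report link, the lookalike host and the URL that carries the Cloud Storage address only in its query string do not.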
Categories
  • Web
  • Network
Data Sources
  • Network Traffic
  • Domain Name
Created: 2026-06-27