Link: Google Cloud Storage link with index.php in URL

Sublime Rules

Summary
Technical summary: This rule detects inbound messages containing links hosted on storage.googleapis.com that reference an index.php path, either in the URL path or in the URL fragment. Attackers abuse Google Cloud Storage as a trusted domain to serve malicious content or phishing pages, aiming to bypass filters that restrict untrusted domains. The rule inspects the links in each inbound message (body.links) and matches when href_url.domain.domain equals storage.googleapis.com and either the path ends with index.php or the fragment contains a leading index.php. A match is flagged as a high-severity detection for credential phishing and related abuse vectors. The detection relies on URL analysis of inbound links and targets one specific tactic: using a legitimate cloud storage domain to host phishing or open-redirect content.
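The matching logic described in the summary, sketched in Python as an added example; it is not the rule's own source. The function names are hypothetical, the sample URLs are constructed, and two points are assumptions: matching is case-insensitive, and "leading index.php" means the fragment starts with it after any leading slashes.

```python
from urllib.parse import urlsplit

GCS_HOST = "storage.googleapis.com"
TARGET = "index.php"


def link_matches(url: str) -> bool:
    """Return True when a link is on the GCS host and references index.php."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False  # unparseable link: no match
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact host comparison, so a look-alike such as
    # storage.googleapis.com.example.test does not match.
    if host != GCS_HOST:
        return False
    # urlsplit separates query and fragment, so a trailing ?x=1 on the
    # path does not hide an index.php ending.
    path = parts.path.lower()
    # Assumption: a "leading" index.php may follow one or more slashes.
    fragment = parts.fragment.lower().lstrip("/")
    return path.endswith(TARGET) or fragment.startswith(TARGET)


def message_matches(direction: str, links: list[str]) -> bool:
    """Apply the check to every link of a message; only inbound mail counts."""
    return direction == "inbound" and any(link_matches(u) for u in links)


# Constructed sample links (not taken from real traffic).
SAMPLES = {
    "https://storage.googleapis.com/example-bucket/index.php": True,
    "https://storage.googleapis.com/example-bucket/index.php?x=1": True,
    "https://storage.googleapis.com/example-bucket/page.html#index.php?id=1": True,
    "https://storage.googleapis.com/example-bucket/page.html#/index.php": True,
    "https://storage.googleapis.com/example-bucket/report.pdf": False,
    "https://storage.googleapis.com/example-bucket/index.php/extra": False,
    "https://storage.googleapis.com.example.test/index.php": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{link_matches(url)!s:5} (expected {expected!s:5}) {url}")
```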
Categories
  • Endpoint
  • Web
Data Sources
  • Network Traffic
Created: 2026-07-01