
Summary
This rule detects inbound messages containing links hosted on storage.googleapis.com that redirect to destinations outside googleapis.com. It uses link extraction from the message body (body.links) and a link-analysis step that resolves each link's final URL (effective_url). If the root domain of that final destination is not googleapis.com, the rule triggers.

The goal is to identify abuse of Google Cloud Storage's trusted reputation to bypass link-reputation checks, enabling phishing, spam, or malware delivery. Observed lures include parcel delivery notifications impersonating carriers (UPS, GLS), gambling bonus offers, health product promotions, and storage quota warnings. The technique relies on open redirects or indirect redirects that lead users from the Google-hosted link to an external, potentially malicious domain, often combined with brand impersonation to increase credibility.

Data sources implicated include network traffic associated with inbound links and cloud storage traffic patterns. Detection centers on URL analysis, corroborated by threat intelligence. The rule's severity is medium: the potential reach is wide, but exploitation depends on user interaction, and a legitimate storage.googleapis.com link may redirect off googleapis.com in rare cases.
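The following is an added example of the check described above, written in Python; it is not the rule's own code. The link extractor stands in for body.links, and a constructed lookup table stands in for the link-analysis step that yields effective_url. The sample message body, bucket names and destination hostnames are all constructed for the demonstration.

```python
"""Toy re-implementation of the storage.googleapis.com off-domain-redirect check.

Added example, not the rule's own code. extract_links() stands in for
body.links; the resolver callable stands in for the link-analysis step that
produces effective_url.
"""
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed inbound message body (parcel-delivery lure) for the demo.
SAMPLE_BODY = """Your parcel could not be delivered.
Reschedule here: https://storage.googleapis.com/example-bucket-1/track.html
Terms: https://storage.googleapis.com/example-bucket-1/terms.pdf
Unsubscribe: https://example.org/unsubscribe
"""

# Constructed stand-in for link analysis: each link mapped to the final URL
# observed after following its redirect chain (effective_url).
CONSTRUCTED_RESOLUTIONS = {
    "https://storage.googleapis.com/example-bucket-1/track.html":
        "https://parcel-reschedule.example.net/login",
    "https://storage.googleapis.com/example-bucket-1/terms.pdf":
        "https://storage.googleapis.com/example-bucket-1/terms.pdf",
    "https://example.org/unsubscribe":
        "https://example.org/unsubscribe",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(body: str) -> List[str]:
    """Stand-in for body.links: pull http(s) URLs out of the message text."""
    return URL_RE.findall(body)


def root_domain(url: str) -> Optional[str]:
    """Last two hostname labels, lower-cased.

    Sufficient for comparing against googleapis.com; a production rule
    would use a public-suffix-aware registered-domain computation so that
    hosts under suffixes such as co.uk are handled correctly.
    """
    host = urlparse(url).hostname
    if not host:
        return None
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_storage_googleapis(url: str) -> bool:
    """True when the link itself is hosted on storage.googleapis.com."""
    host = urlparse(url).hostname
    return host is not None and host.lower() == "storage.googleapis.com"


def redirects_off_googleapis(link: str,
                             resolver: Callable[[str], Optional[str]]) -> bool:
    """True when a storage.googleapis.com link lands outside googleapis.com."""
    if not is_storage_googleapis(link):
        return False
    effective_url = resolver(link)
    if effective_url is None:
        # Link analysis could not resolve the chain: no verdict, no trigger.
        return False
    return root_domain(effective_url) != "googleapis.com"


def evaluate_message(body: str,
                     resolver: Callable[[str], Optional[str]] = CONSTRUCTED_RESOLUTIONS.get
                     ) -> List[Tuple[str, str]]:
    """Return (link, effective_url) pairs that would trigger the rule."""
    hits = []
    for link in extract_links(body):
        if redirects_off_googleapis(link, resolver):
            hits.append((link, resolver(link)))
    return hits


if __name__ == "__main__":
    for link, dest in evaluate_message(SAMPLE_BODY):
        print(f"FLAG {link} -> {dest}")
```

Only the tracking link is flagged: the terms.pdf link resolves to itself and so stays on googleapis.com, and the unsubscribe link is not hosted on storage.googleapis.com in the first place. A link whose redirect chain cannot be resolved produces no verdict rather than a false positive, which mirrors the rule's dependence on effective_url being available.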
Categories
- Web
- Cloud
- Network
Data Sources
- Network Traffic
- Cloud Storage
Created: 2026-07-01