
Summary
Technical rule summary: This rule detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) where the URL path ends with /ls or /lis, a short-path pattern used by redirectors or landing pages. It matches the path against the regex ^/[^\/]+/li?s$ (case-insensitive) and requires the link to be in the message body. The detection relies on URL analysis and content analysis to identify suspicious GCS-hosted landing pages used in spam and credential-phishing campaigns.

Campaign observations describe multilingual spam and impersonation lures (e.g., fake parcel notifications impersonating FedEx and T&T) that appear to share a common delivery infrastructure across multiple senders. The rule attributes activity to Spam and Credential Phishing, and aligns with tactics such as free file hosting, evasion, social engineering, and brand impersonation. It operates on inbound content and flags or blocks, as suspicious, messages that abuse GCS short-path links.
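The matching logic described above, as an added Python example (not the rule's own source): it extracts links from a message body and applies the host check and the path regex from the summary. The function names, the link-extraction regex, the trailing-punctuation trimming and the sample body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

GCS_HOST = "storage.googleapis.com"
# Path regex quoted in the rule summary, applied case-insensitively.
SHORT_PATH = re.compile(r"^/[^\/]+/li?s$", re.IGNORECASE)
# Assumption: a simple link extractor for plain-text bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_gcs_short_path(url):
    """True when the host is exactly GCS and the path is /<segment>/ls or /lis."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host comparison: storage.googleapis.com.example.net must not match.
    # parts.path excludes the query string, so ?id=... does not affect the match.
    return host == GCS_HOST and SHORT_PATH.match(parts.path) is not None


def suspicious_links(body):
    """Return body links that fit the short-path pattern, in order of appearance."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,)")  # assumption: trim sentence punctuation after a link
        if is_gcs_short_path(url):
            hits.append(url)
    return hits


# Constructed sample body; bucket names are placeholders.
SAMPLE_BODY = """Your parcel is waiting: https://storage.googleapis.com/example-bucket-1/lis.
Mirror: HTTPS://STORAGE.GOOGLEAPIS.COM/example-bucket-2/LS?id=123
Docs: https://storage.googleapis.com/example-bucket-3/files/ls
Listing: https://storage.googleapis.com/example-bucket-4/list
Lookalike: https://storage.googleapis.com.example.net/bucket/ls
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_BODY):
        print("match:", link)
```

Only the first two sample links match: the third has an extra path segment, the fourth ends in /list, and the fifth is a different host.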
Categories
- Web
- Network
- Cloud
Data Sources
- Cloud Storage
Created: 2026-07-01