Sublime Core Feed
Medium Severity

Brand impersonation: Google Meet with malicious link

Description

Detects messages with 'Join with Google Meet' display text that redirects to domains other than meet.google.com.

References

No references.

Sublime Security
Created Feb 12th, 2026 • Last updated Feb 12th, 2026
Source
type.inbound
and any(body.current_thread.links,
        .display_text == "Join with Google Meet"
        and not strings.contains(.href_url.domain.domain, "meet.google.com")
)
and (
  // finding the logo tag in the html
  any(html.xpath(body.html, '//img[@alt="[Optional Logo]"]').nodes,
      .raw is not null
  )
  // OR find the green button
  or any(html.xpath(body.html, '//a[contains(@style, "rgb(52,168,83)")]').nodes,
         .display_text == "Join with Google Meet"
  )
)
// Requiring that the "Guests"/"Join by phone" tables are NOT present in the message is a good way to filter out legitimate messages.
and length(html.xpath(body.html,
                      '//table/tbody/tr/td/h2[contains(@style, "color:rgb(60,64,67)")]'
           ).nodes
) == 0
// This filters out some more "generic" table headings used in Google Meet invitations.
and not any(distinct(map(html.xpath(body.html, '//table//h2').nodes,
                         .inner_text
                     )
            ),
            . in ("Meeting link", "Join by phone", "Guests")
)
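
The link check and the table-heading exclusion from the rule above, as an added Python example run over constructed HTML (it is not Sublime's code and not part of the rule). It assumes an exact hostname comparison where the rule uses strings.contains, and it omits the logo and green-button checks; the function, class and sample names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MEET_TEXT = "Join with Google Meet"
LEGIT_HEADINGS = {"Meeting link", "Join by phone", "Guests"}

class _Scan(HTMLParser):
    """Collect (display_text, href) per <a> and the text of each <h2> inside a <table>."""
    def __init__(self):
        super().__init__()
        self.links, self.h2 = [], []
        self._href, self._buf, self._in_h2, self._tables = None, [], False, 0

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._tables += 1
        elif tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
        elif tag == "h2" and self._tables:
            self._in_h2, self._buf = True, []

    def handle_data(self, data):
        if self._href is not None or self._in_h2:
            self._buf.append(data)

    def handle_endtag(self, tag):
        text = "".join(self._buf).strip()
        if tag == "table":
            self._tables = max(0, self._tables - 1)
        elif tag == "a" and self._href is not None:
            self.links.append((text, self._href))
            self._href = None
        elif tag == "h2" and self._in_h2:
            self.h2.append(text)
            self._in_h2 = False

def flags_meet_impersonation(html: str) -> bool:
    # True when a "Join with Google Meet" link leaves meet.google.com and
    # none of the headings seen in genuine invitations are present.
    scan = _Scan()
    scan.feed(html)
    off_domain = any(t == MEET_TEXT and (urlsplit(h).hostname or "") != "meet.google.com"
                     for t, h in scan.links)
    return off_domain and not (LEGIT_HEADINGS & set(scan.h2))

# Constructed samples (not real messages); non-Google hosts use the reserved .example TLD.
TABLE = "<table><tr><td><h2>{}</h2></td></tr></table>"
PHISH = '<a href="https://meet.invite.example/abc">Join with Google Meet</a>'
LEGIT = '<a href="https://meet.google.com/abc-defg-hij">Join with Google Meet</a>' + TABLE.format("Guests")
REWRITTEN = '<a href="https://tracker.example/r?u=x">Join with Google Meet</a>' + TABLE.format("Join by phone")
```

The REWRITTEN sample shows why the heading exclusion matters: a genuine invitation whose link was rewritten by an intermediary fails the domain check but is still excluded by its "Join by phone" table.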