Medium Severity

Google Notification alert link from non-Google sender

Labels

Credential Phishing

Social engineering

Description

This rule detects messages that leverage a link to notifications.google.com not from google and from an untrusted sender. Commonly abused in salesforce phishing campaigns.

References

https://www.reddit.com/r/Scams/comments/15oilcr/meta_business_suite_messenger_phishing_scam_can/

Sublime Security

Created Nov 22nd, 2023 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
// ignore messages from google[.]com unlesss they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in ("google.com", "youtube.com", "nest.com")
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in (
    "google.com",
    "youtube.com",
    "nest.com"
  )
)
and any(body.links,
        .href_url.domain.domain == "notifications.google.com"
        and strings.starts_with(.href_url.path, "/g/p/")
)
and (
  any($suspicious_subjects, strings.icontains(subject.subject, .))
  or strings.ilike(subject.subject, '*verification*')
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
  // we've observed salesforce abuse
  or sender.email.domain.root_domain == "salesforce.com"
  or headers.return_path.domain.root_domain == "salesforce.com"
)
and not profile.by_sender().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.