Medium Severity
Google Services Using G.co Shortlinks
Description
Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.
Sublime Security
Created Jan 29th, 2025 • Last updated Jan 29th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
// allow for multiple google TLDs
and sender.email.domain.sld == "google"
and headers.auth_summary.spf.pass
// g.co url shortner in links or the current thread to identify the workspace name
and (
any(body.links, .href_url.domain.root_domain == 'g.co' and .href_url.domain.subdomain is not null)
or (
strings.icontains(body.current_thread.text, '.g.co')
and regex.icontains(body.current_thread.text, '[^\s]+\.g\.co\b')
)
)
Playground
Test against your own EMLs or sample data.