High Severity

Link: Google Cloud Storage hosted credential harvesting page

Description

Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) that follow a pattern of randomized bucket paths ending in a hashed directory and an index.html file. These links have been observed in messages impersonating professional networking and HR platform notifications, such as those mimicking recruiting outreach or job opportunity alerts from services like Sloneek and BambooHR, luring recipients to hosted credential harvesting pages.

References

No references.

Sublime Security
Created Jun 30th, 2026 • Last updated Jun 30th, 2026
Source
type.inbound
and any(body.links,
        (
          .href_url.domain.domain == "storage.googleapis.com"
          and regex.icontains(.href_url.path,
                              '^\/(?:[^-]+\-+)+[0-9a-f]{20}\/index\.html$'
          )
        )
        // workstream endcodes the URLs with sendgrid, if we click them, we can see if they redirect to the same strcuture
        or (
          .href_url.domain.domain == "sendgridlinks.workstream.is"
          and any(ml.link_analysis(., mode="aggressive").redirect_history,
                  .domain.domain == "storage.googleapis.com"
                  and regex.icontains(.path,
                                      '^\/(?:[^-]+\-+)+[0-9a-f]{20}\/index\.html$'
                  )
          )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started