Medium Severity

Link: Google Cloud Storage with short-path link delivery

Description

Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) where the URL path ends in 'ls' or 'lis', matching a pattern used to host redirector or landing pages. Observed across multilingual spam and unsolicited promotional messages — including fake parcel delivery notifications impersonating FedEx and T&T, as well as product advertisement lures — sent from a variety of compromised or unrelated sender domains. The consistent use of this specific GCS path pattern suggests a shared delivery infrastructure across multiple senders.

References

No references.

Sublime Security
Created Jun 30th, 2026 • Last updated Jun 30th, 2026
Source
type.inbound
and any(body.links,
        .href_url.domain.domain == "storage.googleapis.com"
        // path ends with lis or ls
        and regex.icontains(.href_url.path, '^/[^\/]+/li?s$')
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started