• Sublime Core Feed
Medium Severity

Service abuse: Google application integration redirecting to suspicious hosts

Description

Detects legitimate Google application integration emails that contain links redirecting to free file hosting services or free subdomain hosts, including Microsoft OAuth redirects to suspicious domains. These could indicate abuse of Google's legitimate service for malicious redirects.

References

No references.

Sublime Security
Created Dec 17th, 2025 • Last updated Dec 17th, 2025
Source
type.inbound
and sender.email.email == "noreply-application-integration@google.com"
and headers.auth_summary.dmarc.pass
and length(body.links) < 10
and any(body.links,
        .href_url.domain.domain in $free_file_hosts
        or .href_url.domain.root_domain in $free_file_hosts
        or .href_url.domain.domain in $free_subdomain_hosts
        // Mimecast link logic
        or (
          .href_url.domain.root_domain in (
            "mimecastprotect.com",
            "mimecast.com"
          )
          and any(.href_url.query_params_decoded['domain'],
                  strings.parse_domain(.).domain in $free_file_hosts
                  or strings.parse_domain(.).root_domain in $free_file_hosts
                  or strings.parse_domain(.).root_domain in $free_subdomain_hosts
                  or . in (
                    "storage.cloud.google.com",
                    "login.microsoftonline.com"
                  )
          )
        )
        or network.whois(.href_url.domain).days_old < 30
        // abuse observed
        or .href_url.domain.root_domain == "share.google"
)
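To show how the rule's conditions compose, here is a Python re-implementation of its checks, added as an example and not part of Sublime's rule or engine. The `$free_file_hosts` and `$free_subdomain_hosts` lists, the root-domain heuristic (last two labels, with no public-suffix awareness), the `network.whois(...).days_old` lookup and the sample messages are all constructed stand-ins; the Mimecast handling reads the `domain` query parameter exactly as the rule does.

```python
"""Offline mirror of the rule's logic. Everything marked 'constructed' is a
stand-in for a Sublime list or enrichment, not the real data."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

GOOGLE_SENDER = "noreply-application-integration@google.com"
MIMECAST_ROOTS = {"mimecastprotect.com", "mimecast.com"}
PASSTHROUGH_TARGETS = {"storage.cloud.google.com", "login.microsoftonline.com"}

# Constructed stand-ins for $free_file_hosts and $free_subdomain_hosts.
FREE_FILE_HOSTS = {"example-drop.test", "filebin.test"}
FREE_SUBDOMAIN_HOSTS = {"pages.test", "webapp.test"}

# Constructed stand-in for network.whois(domain).days_old, keyed by root domain.
# Unknown domains are treated as old (assumption; a real whois miss returns null).
DOMAIN_AGE_DAYS = {"google.com": 10_000, "brand-new-site.test": 3}


def root_domain(host: str) -> str:
    """Simplified root-domain extraction: keep the last two labels."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mimecast_inner_suspicious(url: str) -> bool:
    """Mirror the 'Mimecast link logic' branch: for a link rewritten by Mimecast,
    inspect every value of the decoded 'domain' query parameter."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if root_domain(host) not in MIMECAST_ROOTS:
        return False
    for inner in parse_qs(parsed.query).get("domain", []):
        inner = inner.lower()
        if (
            inner in FREE_FILE_HOSTS
            or root_domain(inner) in FREE_FILE_HOSTS
            or root_domain(inner) in FREE_SUBDOMAIN_HOSTS
            or inner in PASSTHROUGH_TARGETS
        ):
            return True
    return False


def link_is_suspicious(url: str) -> bool:
    """One body link evaluated against the rule's any(body.links, ...) clauses."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return False
    return (
        host in FREE_FILE_HOSTS
        or root_domain(host) in FREE_FILE_HOSTS
        or host in FREE_SUBDOMAIN_HOSTS
        or mimecast_inner_suspicious(url)
        or DOMAIN_AGE_DAYS.get(root_domain(host), 10_000) < 30
        or root_domain(host) == "share.google"
    )


@dataclass
class Message:
    inbound: bool
    sender_email: str
    dmarc_pass: bool
    links: list[str]


def rule_matches(msg: Message) -> bool:
    """The full rule: sender, DMARC, link count and at least one suspicious link."""
    return (
        msg.inbound
        and msg.sender_email.lower() == GOOGLE_SENDER
        and msg.dmarc_pass
        and len(msg.links) < 10
        and any(link_is_suspicious(u) for u in msg.links)
    )


# Constructed sample messages exercising each branch of the rule.
SAMPLES = {
    "benign_share": Message(True, GOOGLE_SENDER, True,
                            ["https://docs.google.com/document/d/abc",
                             "https://support.google.com/a"]),
    "free_file_host": Message(True, GOOGLE_SENDER, True,
                              ["https://files.example-drop.test/get/1"]),
    "mimecast_wrapped_oauth": Message(True, GOOGLE_SENDER, True,
        ["https://url.us.m.mimecastprotect.com/s/abc?domain=login.microsoftonline.com"]),
    "dmarc_fail": Message(True, GOOGLE_SENDER, False,
                          ["https://files.example-drop.test/get/1"]),
    "bulk_links": Message(True, GOOGLE_SENDER, True,
                          [f"https://files.example-drop.test/get/{i}" for i in range(10)]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24s} -> {'MATCH' if rule_matches(msg) else 'no match'}")
```

The `dmarc_fail` and `bulk_links` samples show the two guards that keep the rule narrow: a spoofed sender that fails DMARC is left to other rules, and the `length(body.links) < 10` bound excludes bulk notification mail where a single free-host link is far less telling.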