Medium Severity

Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender

Labels

Credential Phishing

Evasion

Description

This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender.

References

No references.

Sublime Security

Created Nov 6th, 2023 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(body.current_thread.text) < 1000
and regex.icontains(body.current_thread.text,
                    '(shared.{0,30}with you|View Document)'
)
and any(body.links, .href_url.domain.domain == "lookerstudio.google.com")
and (
  profile.by_sender().prevalence in ("new", "outlier")
  and not profile.by_sender().solicited
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.