diff --git a/detection-rules/link_storage_google_drive.yml b/detection-rules/link_storage_google_drive.yml
new file mode 100644
index 00000000000..8ae4095b408
--- /dev/null
+++ b/detection-rules/link_storage_google_drive.yml
@@ -0,0 +1,20 @@
+name: "Link: Google Cloud Storage impersonating with googledrive in URL path"
+description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with paths ending in 'googledrive.html', indicating abuse of Google's cloud storage service to impersonate Google Drive and potentially deliver malicious content."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(body.links,
+ // use of storage.googleapis.com
+ .href_url.domain.domain == "storage.googleapis.com"
+ // with an actor controlled path that impersonates Google Drive
+ and strings.iends_with(.href_url.path, 'googledrive.html')
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Free file host"
+detection_methods:
+ - "URL analysis"
+id: "fc41a43e-6eb7-5478-a19f-e7d2bac8ed8d"
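Review bot: The host check `.href_url.domain.domain == "storage.googleapis.com"` in the `source` block only matches path-style bucket links; Cloud Storage also serves buckets in the virtual-hosted form `<bucket>.storage.googleapis.com`, and if that form is in scope for this rule a link carrying the same `googledrive.html` path would be missed by the exact comparison. Consider widening the host clause to `(.href_url.domain.domain == "storage.googleapis.com" or strings.iends_with(.href_url.domain.domain, ".storage.googleapis.com"))` and, if you do, amend the `description` so it no longer names only the bare host. As a point of style, the MQL mixes double quotes on the domain literal with single quotes on `'googledrive.html'`; one quote style in the block reads more consistently.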