From 7465bb5db2de9c73772a5b2f534b79d5f520e2df Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 15 May 2026 12:16:43 -0500
Subject: [PATCH 1/2] Create link_storage_google_drive.yml

---
 detection-rules/link_storage_google_drive.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 detection-rules/link_storage_google_drive.yml

diff --git a/detection-rules/link_storage_google_drive.yml b/detection-rules/link_storage_google_drive.yml
new file mode 100644
index 00000000000..d52c2af2263
--- /dev/null
+++ b/detection-rules/link_storage_google_drive.yml
@@ -0,0 +1,19 @@
+name: "Link: Google Cloud Storage impersonating with googledrive in URL path"
+description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with paths ending in 'googledrive.html', indicating abuse of Google's cloud storage service to impersonate Google Drive and potentially deliver malicious content."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(body.links,
+ // use of storage.googleapis.com
+ .href_url.domain.domain == "storage.googleapis.com"
+ // with an actor controlled path that impersonates Google Drive
+ and strings.iends_with(.href_url.path, 'googledrive.html')
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Free file host"
+detection_methods:
+ - "URL analysis"

From 869fa08b80fecd80d235b53f4070fc43f93c0240 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 15 May 2026 17:18:47 +0000
Subject: [PATCH 2/2] Auto-format MQL and add rule IDs

---
 detection-rules/link_storage_google_drive.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/link_storage_google_drive.yml b/detection-rules/link_storage_google_drive.yml
index d52c2af2263..8ae4095b408 100644
--- a/detection-rules/link_storage_google_drive.yml
+++ b/detection-rules/link_storage_google_drive.yml
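Review bot: The host test on the `.href_url.domain.domain == "storage.googleapis.com"` line only matches path-style GCS links, so the same lure served from a virtual-hosted bucket URL (`https://<bucket>.storage.googleapis.com/googledrive.html`) is not caught, assuming `.domain.domain` resolves to the full hostname rather than the registered domain. Widening it to `(.href_url.domain.domain == "storage.googleapis.com" or strings.iends_with(.href_url.domain.domain, ".storage.googleapis.com"))` covers both forms without touching the rest of the rule. The path test is a single exact token, so `google-drive.html` or `googledrive.htm` would also slip past; if the rule is meant to outlive this one campaign, a narrowly scoped `strings.iregex(.href_url.path, '.*google[-_]?drive\.html?$')` is worth measuring against the corpus before widening. Minor style: the MQL mixes double quotes for the hostname and single quotes for the path literal; pick one.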
@@ -17,3 +17,4 @@ tactics_and_techniques:
 - "Free file host"
 detection_methods:
 - "URL analysis"
+id: "fc41a43e-6eb7-5478-a19f-e7d2bac8ed8d"