diff --git a/detection-rules/link_storage_google_slugstamp.yml b/detection-rules/link_storage_google_slugstamp.yml
new file mode 100644
index 00000000000..339deb2989b
--- /dev/null
+++ b/detection-rules/link_storage_google_slugstamp.yml
@@ -0,0 +1,22 @@
+name: "Link: Google Cloud Storage with suspicious URL pattern"
+description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with suspicious URL path patterns that follow a specific actor-controlled structure commonly used for hosting malicious content."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(body.links,
+ // storage.googleapis.com
+ .href_url.domain.domain == "storage.googleapis.com"
+ // observed pattern in actor controlled url path
+ and regex.contains(.href_url.path,
+ '^\/[a-z0-9]+-[a-z0-9]+-\d{8}\-[0-9a-f]+\/[^\.]+\.html'
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Evasion"
+detection_methods:
+ - "URL analysis"
+id: "1005e483-9e29-5a6b-b360-49b35d87054b"
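Review bot: The path regex passed to `regex.contains` in the `source` block is case-sensitive and open-ended, so a path that differs only in letter case (uppercase hex or `.HTML`) or that continues past `.html` with extra segments is handled inconsistently with the stated "observed pattern"; the `[^\.]+` class also admits `/`, so the final segment is not guaranteed to be a single object name. If the intent is to match the slug-stamp bucket/object shape regardless of case and exactly one object, `regex.icontains(.href_url.path, '^/[a-z0-9]+-[a-z0-9]+-\d{8}-[0-9a-f]+/[^./]+\.html$')` is a tighter expression; the `\-` and `\/` escapes are not needed. The `description` value is a single quoted line well past 120 characters, so a `>-` folded scalar would keep it readable without changing the text. There is no sender or domain exclusion in the query, so legitimate Google Cloud Storage links with the same slug shape from known senders would also fire; whether sibling rules carry a profile-based negation for that cannot be seen from this hunk.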