From 74e7f19cf1005d4dfb70e6058b3c8219b91d529d Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 15 May 2026 12:26:11 -0500
Subject: [PATCH 1/2] Create link_storage_google_slugstamp.yml

---
 .../link_storage_google_slugstamp.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 detection-rules/link_storage_google_slugstamp.yml

diff --git a/detection-rules/link_storage_google_slugstamp.yml b/detection-rules/link_storage_google_slugstamp.yml
new file mode 100644
index 00000000000..b99ba42527d
--- /dev/null
+++ b/detection-rules/link_storage_google_slugstamp.yml
@@ -0,0 +1,21 @@
+name: "Link: Google Cloud Storage with suspicious URL pattern"
+description: "Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with suspicious URL path patterns that follow a specific actor-controlled structure commonly used for hosting malicious content."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(body.links,
+ // storage.googleapis.com
+ .href_url.domain.domain == "storage.googleapis.com"
+ // observed pattern in actor controlled url path
+ and regex.contains(.href_url.path,
+ '^\/[a-z0-9]+-[a-z0-9]+-\d{8}\-[0-9a-f]+\/[^\.]+\.html'
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Evasion"
+detection_methods:
+ - "URL analysis"

From 795b0b9b736f3ca78cf0e0d0b052d701ad49df90 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 15 May 2026 17:28:28 +0000
Subject: [PATCH 2/2] Auto-format MQL and add rule IDs

---
 detection-rules/link_storage_google_slugstamp.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/link_storage_google_slugstamp.yml b/detection-rules/link_storage_google_slugstamp.yml
index b99ba42527d..339deb2989b 100644
--- a/detection-rules/link_storage_google_slugstamp.yml
+++ b/detection-rules/link_storage_google_slugstamp.yml
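Review bot: The `regex.contains` pattern is the entire detection, but its structure is described only by `// observed pattern in actor controlled url path`; a comment naming the components would let the next analyst tune it without reverse-engineering it, e.g. `// path shape: /<slug>-<slug>-<8 digits>-<hex>/<name>.html`. The character classes are lowercase-only and the `\/` and `\-` escapes are redundant inside a single-quoted MQL string, so if casing is not part of the observed signal, `regex.icontains(.href_url.path, '^/[a-z0-9]+-[a-z0-9]+-\d{8}-[0-9a-f]+/[^.]+\.html')` matches the same observed samples and is less brittle. The rule also carries no sender-side exclusion, which may well be intentional given how specific the path shape is, but the description should say so.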
@@ -19,3 +19,4 @@ tactics_and_techniques:
 - "Evasion"
 detection_methods:
 - "URL analysis"
+id: "1005e483-9e29-5a6b-b360-49b35d87054b"