Detection rules › Sublime MQL
Google services using g.co shortlinks
Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion, Free email provider |
Event coverage
Rule body MQL
type.inbound
// allow for multiple google TLDs
and sender.email.domain.sld == "google"
and headers.auth_summary.spf.pass
// g.co url shortner in links or the current thread to identify the workspace name
and (
any(body.links,
.href_url.domain.root_domain == 'g.co'
and .href_url.domain.subdomain is not null
)
or (
strings.icontains(body.current_thread.text, '.g.co')
and regex.icontains(body.current_thread.text, '[^\s]+\.g\.co\b')
)
)
Detection logic
Scope: inbound message.
Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.
- inbound message
- sender.email.domain.sld is 'google'
- headers.auth_summary.spf.pass
any of:
any of
body.linkswhere all hold:- .href_url.domain.root_domain is 'g.co'
- .href_url.domain.subdomain is set
all of:
- body.current_thread.text contains '.g.co'
- body.current_thread.text matches '[^\\s]+\\.g\\.co\\b'
Inspects: body.current_thread.text, body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.domain.subdomain, headers.auth_summary.spf.pass, sender.email.domain.sld, type.inbound. Sensors: regex.icontains, strings.icontains.
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
sender.email.domain.sld | equals | google |
body.links[].href_url.domain.root_domain | equals | g.co |
strings.icontains | substring | .g.co |
regex.icontains | regex | [^\s]+\.g\.co\b |