{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/google-cloud-storage/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","redirect","google-cloud-storage"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn ongoing phishing campaign observed in March 2026 abuses Google Cloud Storage (storage.googleapis.com) as a redirector. Attackers are using this service to proxy victims to various scam pages. These scam pages are primarily hosted on domains ending in .autos. The campaign employs various phishing themes, including fake Walmart surveys, Dell giveaways, Netflix rewards, antivirus renewal alerts, storage full warnings, and fake job lures. This tactic allows attackers to obfuscate the final destination of the phishing link, making it harder for victims to identify malicious content before they are redirected to a scam page. Defenders should monitor for unusual redirects originating from Google Cloud Storage to untrusted domains.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email to potential victims.\u003c/li\u003e\n\u003cli\u003eThe email contains a link that appears legitimate, hosted on Google Cloud Storage (storage.googleapis.com).\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the link, initiating a request to the specified Google Cloud Storage URL.\u003c/li\u003e\n\u003cli\u003eGoogle Cloud Storage, configured by the attacker, redirects the victim to a malicious domain, typically ending in .autos.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser is redirected to the scam page hosted on the .autos domain.\u003c/li\u003e\n\u003cli\u003eThe scam page presents a fake survey, giveaway, reward, alert, or job lure designed to trick the victim.\u003c/li\u003e\n\u003cli\u003eThe victim enters personal information or credentials into the fake form.\u003c/li\u003e\n\u003cli\u003eThe attacker harvests the stolen information for malicious purposes, such as identity theft or financial fraud.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis phishing campaign can lead to the theft of personal and financial information. Victims who interact with the scam pages may experience financial losses, identity theft, or malware infections. The use of Google Cloud Storage as a redirector makes it harder to detect and block these phishing attacks, potentially impacting a large number of users. Sectors targeted include retail customers (Walmart), technology consumers (Dell, Netflix), and job seekers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for redirects originating from \u003ccode\u003estorage.googleapis.com\u003c/code\u003e to suspicious domains, particularly those ending in \u003ccode\u003e.autos\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect redirects from Google Cloud Storage to .autos domains.\u003c/li\u003e\n\u003cli\u003eEducate users about phishing tactics and the dangers of clicking on suspicious links.\u003c/li\u003e\n\u003cli\u003eConsider blocking or sandboxing domains ending in \u003ccode\u003e.autos\u003c/code\u003e if they are not part of your organization\u0026rsquo;s trusted ecosystem.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T12:00:00Z","date_published":"2026-03-15T12:00:00Z","id":"/briefs/2026-03-google-cloud-storage-redirector/","summary":"A phishing campaign leverages Google Cloud Storage as a redirect layer to serve victims scam pages related to surveys, giveaways, rewards, alerts, and job lures, primarily hosted on .autos domains.","title":"Phishing Campaign Abusing Google Cloud Storage Redirectors","url":"https://feed.craftedsignal.io/briefs/2026-03-google-cloud-storage-redirector/"}],"language":"en","title":"CraftedSignal Threat Feed — Google-Cloud-Storage","version":"https://jsonfeed.org/version/1.1"}