Sublime rule, severity: low
Link: Direct MSI download from low reputation domain
Detects messages containing links that directly download MSI files from domains not in the top 10k trusted sites and unrelated to the sender's domain.
Detection Query
type.inbound
// low number of distinct links that are unrelated to the sender or not in tranco_10k
and length(distinct(filter(body.current_thread.links,
                           .href_url.domain.root_domain != sender.email.domain.root_domain
                           and .href_url.domain.root_domain not in $tranco_10k
                    ),
                    .href_url.url
             )
    ) <= 5
// the link leads to a direct download of an MSI file
and any(body.current_thread.links, strings.iends_with(.href_url.url, '.msi'))
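As an added worked example (not Sublime's own code), the following Python models the query's two conditions and runs them over constructed sample messages. The TRANCO_10K set, the suffix list and the sample URLs are assumptions, and root_domain() only approximates MQL's public-suffix-aware .domain.root_domain.

```python
"""Python model of the rule's logic (added example, not Sublime's own code).
Assumes links are plain URL strings and the sender is an e-mail address."""
from urllib.parse import urlsplit

# Constructed stand-in for Sublime's $tranco_10k list (the real list has ~10,000 entries).
TRANCO_10K = {"microsoft.com", "google.com", "github.com"}
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}  # hypothetical, partial suffix list


def root_domain(host: str) -> str:
    """Registrable domain, e.g. 'dl.example.co.uk' -> 'example.co.uk' (simplified)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def unrelated_link_count(sender_email: str, links: list[str]) -> int:
    """length(distinct(filter(links, <unrelated and not in $tranco_10k>), .href_url.url))"""
    sender_root = root_domain(sender_email.rsplit("@", 1)[-1])
    distinct_urls = set()
    for url in links:
        root = root_domain(urlsplit(url).hostname or "")
        if root != sender_root and root not in TRANCO_10K:
            distinct_urls.add(url)  # distinct() keys on the full URL string
    return len(distinct_urls)


def has_msi_link(links: list[str]) -> bool:
    """any(links, strings.iends_with(.href_url.url, '.msi'))"""
    # Tested against the full URL string, exactly as the query does, so a URL
    # with anything after '.msi' (e.g. a query string) does not satisfy it.
    return any(url.lower().endswith(".msi") for url in links)


def rule_matches(sender_email: str, links: list[str]) -> bool:
    """type.inbound is assumed true; the two clauses are ANDed independently."""
    return unrelated_link_count(sender_email, links) <= 5 and has_msi_link(links)


if __name__ == "__main__":
    # Constructed sample messages: (sender, body.current_thread.links)
    samples = [
        ("billing@example.com", ["https://cdn-updates.xyz/Setup.MSI"]),
        ("news@example.com", [f"https://site{i}.test/a.msi" for i in range(6)]),
        ("it@example.com", ["https://download.microsoft.com/tool.msi"]),
    ]
    for sender, links in samples:
        print(sender, unrelated_link_count(sender, links), rule_matches(sender, links))
```

Note that the two clauses are independent in the query: a message whose only link is an .msi on a top-10k or sender-related domain has zero unrelated links and therefore still matches, which is worth keeping in mind when tuning this rule.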
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Link: Direct MSI download from low reputation domain"
description: "Detects messages containing links that directly download MSI files from domains not in the top 10k trusted sites and unrelated to the sender's domain."
type: "rule"
severity: "low"
source: |
  type.inbound
  // low number of distinct links that are unrelated to the sender or not in tranco_10k
  and length(distinct(filter(body.current_thread.links,
                             .href_url.domain.root_domain != sender.email.domain.root_domain
                             and .href_url.domain.root_domain not in $tranco_10k
                      ),
                      .href_url.url
               )
      ) <= 5
  // the link leads to a direct download of an MSI file
  and any(body.current_thread.links, strings.iends_with(.href_url.url, '.msi'))
tags:
- "Attack surface reduction"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Sender analysis"
- "URL analysis"
id: "1eb77537-ae78-57c1-a5b5-a0aa65bddaf5"