← Back to Explore
sublimehighRule
Link: Executable file download with suspicious message content
Detects inbound messages containing links to executable files combined with high-confidence security, financial, or credential theft content indicators, while excluding legitimate trusted domains with proper DMARC authentication.
Detection Query
type.inbound
and length(body.links) < 10
and any(body.links,
any($file_extensions_executables,
strings.iends_with(..href_url.url, strings.concat(".", .))
// the display text is not going to reveal the executable extension
and not strings.iends_with(..display_text, strings.concat(".", .))
)
and .href_url.path is not null
// filter out some executables
and not any(["com", "action", "js", "app"],
strings.iends_with(..href_url.url, .)
)
// .app links from Google Play
and not .href_url.domain.domain == "play.google.com"
and not .href_url.domain.root_domain in $high_trust_sender_root_domains
)
and not (
(subject.is_reply or subject.is_forward)
and length(body.previous_threads) > 0
and (length(headers.references) > 0 or headers.in_reply_to is not null)
)
and 2 of (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Security and Authentication", "Financial Communications")
and .confidence == "high"
),
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
),
sender.email.domain.tld in $suspicious_tlds
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Executable file download with suspicious message content"
description: "Detects inbound messages containing links to executable files combined with high-confidence security, financial, or credential theft content indicators, while excluding legitimate trusted domains with proper DMARC authentication."
type: "rule"
severity: "high"
source: |
type.inbound
and length(body.links) < 10
and any(body.links,
any($file_extensions_executables,
strings.iends_with(..href_url.url, strings.concat(".", .))
// the display text is not going to reveal the executable extension
and not strings.iends_with(..display_text, strings.concat(".", .))
)
and .href_url.path is not null
// filter out some executables
and not any(["com", "action", "js", "app"],
strings.iends_with(..href_url.url, .)
)
// .app links from Google Play
and not .href_url.domain.domain == "play.google.com"
and not .href_url.domain.root_domain in $high_trust_sender_root_domains
)
and not (
(subject.is_reply or subject.is_forward)
and length(body.previous_threads) > 0
and (length(headers.references) > 0 or headers.in_reply_to is not null)
)
and 2 of (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Security and Authentication", "Financial Communications")
and .confidence == "high"
),
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
),
sender.email.domain.tld in $suspicious_tlds
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Natural Language Understanding"
- "Sender analysis"
- "URL analysis"
- "Header analysis"
id: "ce9a4926-6e38-5af4-8740-4a141e84958b"