Sublime rule (severity: low)
Link: Direct download of executable file
Detects messages containing links that directly download executable (.exe) files, with a limited number of distinct links that are either unrelated to the sender's domain or not in the top 10k most popular websites.
Detection Query
type.inbound
// the link leads to a direct download of an EXE file
and any(body.current_thread.links,
        strings.iends_with(.href_url.url, '.exe')
        and not .href_url.domain.root_domain == sender.email.domain.root_domain
        and not (
          .href_url.domain.root_domain in $tranco_10k
          // a free file host that is also in tranco (bitbucket, githubusercontent, etc.) still matches
          and not .href_url.domain.root_domain in $free_file_hosts
        )
)
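The query above has one subtlety worth seeing in code: the parenthesised `not (... in $tranco_10k and not ... in $free_file_hosts)` means a popular domain only suppresses the match when it is not also a free file host, so a `.exe` served from a user-controlled path on githubusercontent or bitbucket still fires. The following Python re-implementation of the per-link predicate is an added example, not Sublime's code or the rule's actual evaluator; the `TRANCO_10K` and `FREE_FILE_HOSTS` sets, the `root_domain` helper (which ignores multi-part TLDs such as `co.uk`) and the sample messages are constructed stand-ins for the real `$tranco_10k` / `$free_file_hosts` lists and Sublime's domain parsing.

```python
"""Re-implementation of the per-link logic of the rule, run over constructed messages.

Added example: mirrors the MQL predicate in plain Python so the precedence of the
tranco / free_file_hosts carve-out can be checked against sample links.
"""
from urllib.parse import urlsplit

# Constructed stand-ins for Sublime's $tranco_10k and $free_file_hosts lists (assumption:
# contents are illustrative only; the real lists are maintained by Sublime).
TRANCO_10K = {"microsoft.com", "github.com", "bitbucket.org", "githubusercontent.com"}
FREE_FILE_HOSTS = {"bitbucket.org", "githubusercontent.com"}


def root_domain(host: str) -> str:
    """Simplified root-domain extraction: last two labels of the hostname.

    Assumption: this stands in for .href_url.domain.root_domain and does not handle
    multi-part public suffixes (e.g. example.co.uk would yield co.uk).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_matches(url: str, sender_domain: str,
                 tranco=TRANCO_10K, free_hosts=FREE_FILE_HOSTS) -> bool:
    """Return True when a single link satisfies the rule's any(...) predicate."""
    # strings.iends_with(.href_url.url, '.exe'): case-insensitive suffix check on the
    # whole URL, so a trailing query string such as '?dl=1' prevents a match.
    if not url.lower().endswith(".exe"):
        return False
    link_root = root_domain(urlsplit(url).hostname or "")
    # not .href_url.domain.root_domain == sender.email.domain.root_domain
    if link_root == root_domain(sender_domain):
        return False
    # not (root in $tranco_10k and not root in $free_file_hosts):
    # a popular domain only exempts the link when it is not a free file host.
    trusted_popular = link_root in tranco and link_root not in free_hosts
    return not trusted_popular


def rule_matches(message: dict) -> bool:
    """Evaluate the whole rule (type.inbound and any(links, ...)) for one message."""
    if not message.get("inbound", False):
        return False
    return any(link_matches(u, message["sender_domain"]) for u in message["links"])


# Constructed sample messages exercising each branch of the predicate.
SAMPLES = {
    "same_root_as_sender": {"inbound": True, "sender_domain": "example.com",
                            "links": ["https://cdn.example.com/setup.exe"]},
    "popular_non_free_host": {"inbound": True, "sender_domain": "example.com",
                              "links": ["https://download.microsoft.com/x/Setup.EXE"]},
    "popular_free_file_host": {"inbound": True, "sender_domain": "example.com",
                               "links": ["https://raw.githubusercontent.com/u/r/main/tool.exe"]},
    "unknown_host": {"inbound": True, "sender_domain": "example.com",
                     "links": ["https://files.unknown-host.test/invoice.exe"]},
    "not_an_exe": {"inbound": True, "sender_domain": "example.com",
                   "links": ["https://files.unknown-host.test/invoice.pdf"]},
    "exe_with_query_string": {"inbound": True, "sender_domain": "example.com",
                              "links": ["https://files.unknown-host.test/a.exe?dl=1"]},
    "outbound": {"inbound": False, "sender_domain": "example.com",
                 "links": ["https://files.unknown-host.test/invoice.exe"]},
}


def evaluate_samples() -> dict:
    """Run the rule over every constructed sample and return {name: matched}."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} -> {'MATCH' if hit else 'no match'}")
```

The `exe_with_query_string` sample documents a coverage limit of the suffix check rather than a bug to fix here: `iends_with` runs over the full URL, so a link whose path ends in `.exe` but carries a query string is not caught by this rule as written.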
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Link: Direct download of executable file"
description: "Detects messages containing links that directly download executable (.exe) files, with a limited number of distinct links that are either unrelated to the sender's domain or not in the top 10k most popular websites."
type: "rule"
severity: "low"
false_positives:
  - "It is possible for this to match benign samples such as surface advisories related to executable file attachments and direct links to download applications."
source: |
  type.inbound
  // the link leads to a direct download of an EXE file
  and any(body.current_thread.links,
          strings.iends_with(.href_url.url, '.exe')
          and not .href_url.domain.root_domain == sender.email.domain.root_domain
          and not (
            .href_url.domain.root_domain in $tranco_10k
            // a free file host that is also in tranco (bitbucket, githubusercontent, etc.) still matches
            and not .href_url.domain.root_domain in $free_file_hosts
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "dbbfd077-ec96-5f5a-a234-c45a6bae92c8"