Link to auto-downloaded DMG in archive

name: "Link to auto-downloaded DMG in archive"
description: "A link in the body of the message downloads an archive containing a DMG file. The message is not from a common or trusted sender and is unsolicited."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          any(ml.link_analysis(.).files_downloaded,
              .file_extension in~ $file_extensions_common_archives
              and any(file.explode(.), .file_extension == "dmg")
          )
  )
  and (
    (
      profile.by_sender().prevalence != "common"
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "URL analysis"
id: "dc04cdd8-6023-578b-a0d5-c59f4b76cacd"