Link: Direct download of executable file

Detects messages containing links that directly download executable (.exe) files, with a limited number of distinct links that are either unrelated to the sender's domain or not in the top 10k most popular websites.

Sublime rule (View on GitHub)

name: "Link: Direct download of executable file"
description: "Detects messages containing links that directly download executable (.exe) files, with a limited number of distinct links that are either unrelated to the sender's domain or not in the top 10k most popular websites."
type: "rule"
severity: "low"
false_positives:
  - "It is possible for this to match benign samples such as surface advisories related to executable file attachments and direct links to download applications."
source: |
  type.inbound
  // the link leads to a direct download of an EXE file
  and any(body.current_thread.links,
          strings.iends_with(.href_url.url, '.exe')
          and not .href_url.domain.root_domain == sender.email.domain.root_domain
          and not (
            .href_url.domain.root_domain in $tranco_10k
            // if the link is to a free file host that is in tranco, still match (bitbucket, githubusercontent, etc.)
            and not .href_url.domain.root_domain in $free_file_hosts
          )
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "dbbfd077-ec96-5f5a-a234-c45a6bae92c8"
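The following is an added worked example, not part of the Sublime rule or the Sublime platform, that re-implements the rule's link logic in plain Python so the three conditions (URL ends in .exe, link root domain differs from the sender's, link domain is not a top-10k site unless it is a free file host) can be exercised against constructed messages. The TRANCO_10K and FREE_FILE_HOSTS sets are small hand-made stand-ins for Sublime's $tranco_10k and $free_file_hosts lists, the sample messages are constructed, and root_domain is a naive "last two labels" approximation of the platform's root_domain attribute rather than a public-suffix-aware implementation.

```python
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's $tranco_10k and $free_file_hosts lists (assumption).
TRANCO_10K = {"microsoft.com", "github.com", "githubusercontent.com", "bitbucket.org", "adobe.com"}
FREE_FILE_HOSTS = {"githubusercontent.com", "bitbucket.org"}

# Constructed sample messages: sender domain plus the links found in the current thread.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender_domain": "example.com",
     "links": ["http://downloads.example.com/setup.exe"]},            # same root domain as sender
    {"id": "m2", "sender_domain": "example.com",
     "links": ["http://updates.unknown-vendor.test/installer.exe"]}, # unknown domain, .exe
    {"id": "m3", "sender_domain": "example.com",
     "links": ["https://www.microsoft.com/dl/tool.exe"]},             # top-10k, not a file host
    {"id": "m4", "sender_domain": "example.com",
     "links": ["https://raw.githubusercontent.com/u/r/main/tool.exe"]},  # top-10k but free file host
    {"id": "m5", "sender_domain": "example.com",
     "links": ["https://evil.test/payload.exe?token=1"]},             # URL string does not end in .exe
]


def root_domain(host: str) -> str:
    """Naive root domain: last two DNS labels. Sublime's root_domain is
    public-suffix aware; this simplification is an assumption of the example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_matches(url: str, sender_root: str) -> bool:
    """Mirror of the per-link predicate inside the rule's any(...)."""
    # strings.iends_with(.href_url.url, '.exe'): tested on the whole URL string,
    # so a trailing query string or fragment prevents a match, exactly as in the rule.
    if not url.lower().endswith(".exe"):
        return False
    host = urlparse(url).hostname or ""
    link_root = root_domain(host)
    if not link_root:
        return False
    # not .href_url.domain.root_domain == sender.email.domain.root_domain
    if link_root == sender_root:
        return False
    # not (root in $tranco_10k and not root in $free_file_hosts):
    # a popular site is trusted unless it is a free file host.
    if link_root in TRANCO_10K and link_root not in FREE_FILE_HOSTS:
        return False
    return True


def message_matches(message: dict) -> bool:
    """type.inbound is assumed; evaluate the any(...) over the thread's links."""
    sender_root = root_domain(message["sender_domain"])
    return any(link_matches(u, sender_root) for u in message["links"])


def evaluate_samples() -> list:
    """Return the ids of constructed messages the rule logic would flag."""
    return [m["id"] for m in SAMPLE_MESSAGES if message_matches(m)]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["id"], "MATCH" if message_matches(m) else "no match", m["links"][0])
```

Running it flags m2 (unknown domain) and m4 (a top-10k domain that is also a free file host) and passes m1, m3 and m5. The m5 case shows a property of the rule worth knowing when tuning it: because `strings.iends_with` is applied to the full URL string, an `.exe` path followed by a query string is not matched by this rule as written.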
