Link: Direct MSI download from low reputation domain

Detects messages containing links that directly download MSI files from domains not in the top 10k trusted sites and unrelated to the sender's domain.

Sublime rule (View on GitHub)

name: "Link: Direct MSI download from low reputation domain"
description: "Detects messages containing links that directly download MSI files from domains not in the top 10k trusted sites and unrelated to the sender's domain."
type: "rule"
severity: "low"
source: |
  type.inbound
  // low number of distinct links which are unrelated to the sender and not in tranco_10k
  and length(distinct(filter(body.current_thread.links,
                             .href_url.domain.root_domain != sender.email.domain.root_domain
                             and .href_url.domain.root_domain not in $tranco_10k
                      ),
                      .href_url.url
             )
  ) <= 5
  // the link leads to a direct download of an MSI file
  and any(body.current_thread.links, strings.iends_with(.href_url.url, '.msi'))
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "1eb77537-ae78-57c1-a5b5-a0aa65bddaf5"
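The two clauses of the rule, re-implemented in plain Python as an added illustration of the detection logic. This is not Sublime's MQL engine or the rule's own code: `root_domain` is a naive last-two-labels heuristic standing in for `.domain.root_domain`, `TRANCO_10K` is a tiny constructed stand-in for `$tranco_10k`, links are pulled from a text body with a regex rather than from parsed HTML, and the sample messages are constructed, not real telemetry.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-in for Sublime's $tranco_10k list (the real list has 10,000 root domains).
TRANCO_10K = {"microsoft.com", "google.com", "github.com", "adobe.com"}

# Rough URL extractor for a plain-text body. Assumption: the real engine walks parsed
# HTML anchors (body.current_thread.links); a regex is enough for the sample input.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def root_domain(host: str) -> str:
    """Naive registered-domain heuristic: the last two DNS labels, lower-cased.

    Assumption: stands in for .domain.root_domain. It is wrong for multi-label
    public suffixes (example.co.uk -> co.uk); production code must use the
    Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_root_domain(url: str) -> str:
    return root_domain(urlparse(url).hostname or "")


@dataclass(frozen=True)
class Message:
    sender: str  # sender.email address, e.g. "alice@partner.example"
    body: str    # text of the current thread


def extract_links(body: str) -> list[str]:
    return URL_RE.findall(body)


def matches_rule(msg: Message, tranco: set[str] = TRANCO_10K, max_links: int = 5) -> bool:
    """Mirror of the rule's source block (type.inbound is assumed true for every sample)."""
    sender_root = root_domain(msg.sender.rsplit("@", 1)[-1])
    links = extract_links(msg.body)

    # Clause 1: length(distinct(filter(links, unrelated-to-sender AND not in tranco), url)) <= 5
    unrelated_urls = {
        url for url in links
        if url_root_domain(url) != sender_root and url_root_domain(url) not in tranco
    }
    if len(unrelated_urls) > max_links:
        return False

    # Clause 2: any(links, iends_with(url, '.msi')). As in the rule, this runs over ALL
    # links, not only the filtered ones, and a trailing query string defeats the suffix test.
    return any(url.lower().endswith(".msi") for url in links)


# Constructed sample messages (not real telemetry).
SAMPLES = {
    # One unrelated, non-Tranco link ending in .msi (mixed case) -> fires.
    "unrelated_msi": Message(
        "alice@partner.example",
        "Hi, grab the installer here: https://files.updatehost.example/Setup.MSI",
    ),
    # Same-domain installer link -> clause 1 holds trivially (0 unrelated links) and
    # clause 2 still matches, so the rule fires even though the domain is the sender's.
    "related_msi": Message(
        "it@corp.example",
        "New agent build: https://downloads.corp.example/agent.msi",
    ),
    # Six distinct unrelated links -> clause 1 fails (> 5) -> no match.
    "many_links_msi": Message(
        "news@mailer.example",
        " ".join(f"https://a{i}.example/x{i}" for i in range(1, 6))
        + " https://a6.example/setup.msi",
    ),
    # .msi on a Tranco domain, with a query string -> suffix test fails -> no match.
    "tranco_msi_query": Message(
        "bob@partner.example",
        "https://download.microsoft.com/pkg/tool.msi?ver=2",
    ),
    # No MSI at all -> no match.
    "pdf_only": Message("bob@partner.example", "https://cdn.other.example/brochure.pdf"),
}


def evaluate_samples() -> dict[str, bool]:
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18} -> {'MATCH' if hit else 'no match'}")
```

Two things the samples make visible that are worth keeping in mind when tuning the rule: the `.msi` clause is evaluated over every link in the thread, not only the filtered low-reputation ones, so an installer hosted on the sender's own domain also fires as long as the message carries five or fewer unrelated links; and `strings.iends_with` is a plain suffix test on the URL string, so `tool.msi?ver=2` does not match.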
