Link: Executable file download with suspicious message content

Detects inbound messages containing links to executable files combined with high-confidence security, financial, or credential theft content indicators, while excluding legitimate trusted domains with proper DMARC authentication.


# Sublime detection rule. The `source` block is MQL; `.` is the current item of
# the innermost any()/all() iteration and `..` the item of the enclosing one.
name: "Link: Executable file download with suspicious message content"
description: "Detects inbound messages containing links to executable files combined with high-confidence security, financial, or credential theft content indicators, while excluding legitimate trusted domains with proper DMARC authentication."
type: "rule"
severity: "high"
source: |
  type.inbound
  // only messages with fewer than 10 links are considered
  and length(body.links) < 10
  // at least one link must satisfy every condition below
  and any(body.links,
          // the link target ends in a known executable extension ...
          any($file_extensions_executables,
              strings.iends_with(..href_url.url, strings.concat(".", .))
              // the display text is not going to reveal the executable extension
              and not strings.iends_with(..display_text, strings.concat(".", .))
          )
          // ... has a path component (not a bare host) ...
          and .href_url.path is not null
          // filter out some executables
          // note: these suffixes are matched without a leading dot, unlike the
          // extension check above, so the exclusion is slightly broader than ".com"/".app" etc.
          and not any(["com", "action", "js", "app"],
                      strings.iends_with(..href_url.url, .)
          )
          // .app links from Google Play
          and not .href_url.domain.domain == "play.google.com"
          // ... and is not hosted on a high-trust root domain
          and not .href_url.domain.root_domain in $high_trust_sender_root_domains
  )
  // drop replies/forwards that carry genuine thread history
  // (quoted previous threads plus References or In-Reply-To headers)
  and not (
    (subject.is_reply or subject.is_forward)
    and length(body.previous_threads) > 0
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  // require two of three content/sender signals; the first two are NLU-based,
  // so a high-confidence topic plus a high-confidence intent is sufficient on its own
  and 2 of (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Security and Authentication", "Financial Communications")
        and .confidence == "high"
    ),
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    ),
    sender.email.domain.tld in $suspicious_tlds
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): when headers.auth_summary.dmarc.pass is null (no verdict), the
  // `not` decides whether a high-trust sender is still flagged — confirm null handling
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# classification metadata used for reporting; does not affect matching
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
  - "Header analysis"
id: "ce9a4926-6e38-5af4-8740-4a141e84958b"