Link: Direct download of executable file
Detects inbound messages containing a link whose URL ends in .exe (a direct download of an executable) where the link's root domain is not the sender's root domain and is either outside the Tranco top 10k or is a known free file host (some of which, such as githubusercontent and bitbucket, are themselves Tranco-ranked).
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Evasion |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender.email |
| type |
Rule body MQL
type.inbound
// the link leads to a direct download of an EXE file
and any(body.current_thread.links,
        strings.iends_with(.href_url.url, '.exe')
        and not .href_url.domain.root_domain == sender.email.domain.root_domain
        and not (
            .href_url.domain.root_domain in $tranco_10k
            // a free file host that is in Tranco (bitbucket, githubusercontent, etc.) should still match
            and not .href_url.domain.root_domain in $free_file_hosts
        )
)
Detection logic
Scope: inbound message.
Matches when at least one link in the current thread points at a .exe file on a root domain that is not the sender's and is either not in the Tranco top 10k or is a free file host (which may itself be Tranco-ranked).
- inbound message
- any of body.current_thread.links where all hold:
  - .href_url.url ends with '.exe' (case-insensitive)
  - not: .href_url.domain.root_domain is sender.email.domain.root_domain
  - not: all of:
    - .href_url.domain.root_domain in $tranco_10k
    - not: .href_url.domain.root_domain in $free_file_hosts
Inspects: body.current_thread.links, body.current_thread.links[].href_url.domain.root_domain, body.current_thread.links[].href_url.url, sender.email.domain.root_domain, type.inbound. Sensors: strings.iends_with. Reference lists: $free_file_hosts, $tranco_10k.
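To see how each clause behaves on concrete input, here is an added example (not Sublime's code) that models the rule's predicate in plain Python and runs it over constructed sample messages. The contents of TRANCO_10K and FREE_FILE_HOSTS, the sample senders and URLs, and the root_domain helper are assumptions made for illustration; in particular root_domain is a last-two-labels simplification of Sublime's root_domain field, which uses a proper eTLD+1 lookup.

```python
# Added example, not Sublime's code: a plain-Python model of the rule's predicate,
# run over constructed sample messages. The reference-list contents and the
# root-domain helper are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Stand-ins for the $tranco_10k and $free_file_hosts reference lists (constructed,
# not the real lists). Note the overlap: free file hosts can be Tranco-ranked.
TRANCO_10K = {"microsoft.com", "google.com", "github.com",
              "githubusercontent.com", "bitbucket.org"}
FREE_FILE_HOSTS = {"githubusercontent.com", "bitbucket.org", "mediafire.com"}


def root_domain(host: str) -> str:
    """Stand-in for .domain.root_domain: last two labels of the host.
    Simplifying assumption; a real eTLD+1 lookup needs the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class Message:
    inbound: bool                 # type.inbound
    sender_email: str             # sender.email
    links: List[str]              # body.current_thread.links[].href_url.url


def link_matches(url: str, sender_root: str) -> bool:
    """The per-link predicate inside any(...), clause by clause."""
    # strings.iends_with(.href_url.url, '.exe'): case-insensitive suffix test on
    # the whole URL string, so a trailing query string or fragment defeats it.
    if not url.lower().endswith(".exe"):
        return False
    link_root = root_domain(urlparse(url).hostname or "")
    # not .href_url.domain.root_domain == sender.email.domain.root_domain
    if link_root == sender_root:
        return False
    # not (root_domain in $tranco_10k and not root_domain in $free_file_hosts)
    if link_root in TRANCO_10K and link_root not in FREE_FILE_HOSTS:
        return False
    return True


def rule_matches(msg: Message) -> bool:
    """type.inbound and any(body.current_thread.links, <link predicate>)."""
    if not msg.inbound:
        return False
    sender_root = root_domain(msg.sender_email.rsplit("@", 1)[-1])
    return any(link_matches(url, sender_root) for url in msg.links)


# Constructed sample messages, one per branch of the rule.
SAMPLES: Dict[str, Message] = {
    "unknown_domain_exe":   Message(True, "alice@partner-example.com",
                                    ["https://downloads.evil-example.net/setup.exe"]),
    "senders_own_domain":   Message(True, "it@corp-example.com",
                                    ["https://files.corp-example.com/tool.exe"]),
    "tranco_ranked_vendor": Message(True, "alice@partner-example.com",
                                    ["https://download.microsoft.com/Update.EXE"]),
    "free_host_in_tranco":  Message(True, "alice@partner-example.com",
                                    ["https://raw.githubusercontent.com/x/y/payload.exe"]),
    "exe_with_query":       Message(True, "alice@partner-example.com",
                                    ["https://downloads.evil-example.net/setup.exe?dl=1"]),
    "outbound":             Message(False, "bob@corp-example.com",
                                    ["https://downloads.evil-example.net/setup.exe"]),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every sample; returns {name: matched}."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} {'MATCH' if hit else 'no match'}")
```

Two of the samples are worth dwelling on. free_host_in_tranco shows why the inner `and not ... in $free_file_hosts` exists: githubusercontent is popular enough to be Tranco-ranked, so without that clause a payload on raw.githubusercontent.com would be suppressed. exe_with_query shows a limit of the suffix test as written: strings.iends_with runs on the full URL string, so a link such as setup.exe?dl=1 is not matched by this rule even though it still delivers an executable.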
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| strings.iends_with | suffix | .exe |