Link: Direct MSI download from low reputation domain
Detects messages containing links that directly download MSI files from domains not in the top 10k trusted sites and unrelated to the sender's domain.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Evasion |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender.email |
| type |
Rule body MQL
```mql
type.inbound
// a small number of distinct links that are unrelated to the sender's domain and not in tranco_10k
and length(distinct(filter(body.current_thread.links,
                           .href_url.domain.root_domain != sender.email.domain.root_domain
                           and .href_url.domain.root_domain not in $tranco_10k
                    ),
                    .href_url.url
           )
    ) <= 5
// at least one link leads to a direct download of an MSI file
and any(body.current_thread.links, strings.iends_with(.href_url.url, '.msi'))
```
Detection logic
Scope: inbound message.
- inbound message
- length(distinct(filter(body.current_thread.links, .href_url.domain.root_domain != sender.email.domain.root_domain and .href_url.domain.root_domain not in $tranco_10k), .href_url.url)) ≤ 5
- any of body.current_thread.links where:
  - .href_url.url ends with '.msi' (case-insensitive)
Inspects: body.current_thread.links, body.current_thread.links[].href_url.domain.root_domain, body.current_thread.links[].href_url.url, sender.email.domain.root_domain, type.inbound. Sensors: strings.iends_with. Reference lists: $tranco_10k.
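To make the evaluation order concrete, the following is an added Python re-implementation of the rule's logic run over constructed sample messages; it is not Sublime's code and MQL itself is not executed here. It assumes a simplified message shape (a dict with `inbound`, `sender_root_domain` and a `links` list carrying each link's `url` and `root_domain`) and replaces the `$tranco_10k` reference list with a small stand-in set; all domains in the samples are invented.

```python
# Constructed stand-in for the $tranco_10k reference list (assumption, not the real list).
TRANCO_10K = {"microsoft.com", "google.com", "github.com"}


def unrelated_untrusted_urls(message, tranco=TRANCO_10K):
    """Mirror of the MQL filter + distinct(): URLs whose root domain is neither the
    sender's root domain nor on the reference list, deduplicated by full URL."""
    sender_root = message["sender_root_domain"]
    return {
        link["url"]
        for link in message["links"]
        if link["root_domain"] != sender_root and link["root_domain"] not in tranco
    }


def has_direct_msi_link(message):
    """Mirror of any(..., strings.iends_with(.href_url.url, '.msi')): the suffix
    check is case-insensitive and runs over every link, not only the filtered ones."""
    return any(link["url"].lower().endswith(".msi") for link in message["links"])


def rule_matches(message, tranco=TRANCO_10K, max_links=5):
    """Full rule: inbound AND <= max_links distinct unrelated/untrusted URLs AND an MSI link."""
    if not message["inbound"]:
        return False
    if len(unrelated_untrusted_urls(message, tranco)) > max_links:
        return False
    return has_direct_msi_link(message)


def _link(url, root_domain):
    """Helper for the assumed link shape (hypothetical, not an MQL field)."""
    return {"url": url, "root_domain": root_domain}


# Constructed sample messages; every domain below is invented.
MSI_FROM_UNKNOWN_HOST = {
    "inbound": True,
    "sender_root_domain": "sender.example",
    "links": [_link("https://cdn.updates.test/Setup.MSI", "updates.test")],
}

NEWSLETTER_WITH_MSI = {  # seven distinct unrelated URLs: over the <= 5 ceiling, so no match
    "inbound": True,
    "sender_root_domain": "sender.example",
    "links": [_link(f"https://site{i}.test/page", f"site{i}.test") for i in range(6)]
    + [_link("https://site0.test/installer.msi", "site0.test")],
}

DUPLICATED_LINKS = {  # the same MSI URL three times counts once after distinct(): 5 total
    "inbound": True,
    "sender_root_domain": "sender.example",
    "links": [_link("https://dl.test/agent.msi", "dl.test")] * 3
    + [_link(f"https://site{i}.test/page", f"site{i}.test") for i in range(4)],
}

OUTBOUND_REPLY = {**MSI_FROM_UNKNOWN_HOST, "inbound": False}

TRUSTED_HOST_MSI = {  # MSI hosted on a reference-list domain: zero unrelated links, still matches
    "inbound": True,
    "sender_root_domain": "sender.example",
    "links": [_link("https://www.microsoft.com/download/tool.msi", "microsoft.com")],
}

if __name__ == "__main__":
    samples = {
        "msi from unknown host": MSI_FROM_UNKNOWN_HOST,
        "newsletter with msi": NEWSLETTER_WITH_MSI,
        "duplicated links": DUPLICATED_LINKS,
        "outbound reply": OUTBOUND_REPLY,
        "trusted host msi": TRUSTED_HOST_MSI,
    }
    for name, msg in samples.items():
        print(f"{name}: {rule_matches(msg)}")
```

Two details of the rule are worth seeing in the samples. The link-count ceiling is applied to the distinct set of URLs, so a repeated download link does not push a message over the limit. And because the `.msi` suffix check in the MQL runs over all of `body.current_thread.links` rather than only the filtered ones, a message whose only link is an MSI on a reference-list domain still matches, since its count of unrelated links is zero.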
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| strings.iends_with | suffix | .msi |