Link to auto-download of a suspicious file type (unsolicited)

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA. Recursively explodes auto-downloaded files within archives to detect these file types. This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware. This technique has been used by known threat actors in the wild.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Malware/Ransomware
Tactics and techniques	Encryption, Evasion, LNK, Social engineering

Event coverage

Message attribute
body
body.links (collection)
type

Rule body MQL

type.inbound
and any(body.links,
        // Detect suspicious direct Google Drive downloads
        (
          strings.icontains(.href_url.url, "drive.google.com/uc")
          and strings.icontains(.href_url.url, "export=download")
          and any(ml.link_analysis(., mode="aggressive").files_downloaded,
                  .file_extension in $file_extensions_common_archives
          )
        )
        or any(ml.link_analysis(.).files_downloaded,
               // call parse_exif to see if there is a sus file
               any(beta.parse_exif(.).fields,
                   .key == "ArchivedFileName"
                   and strings.ilike(.value,
                                     "*.dll",
                                     "*.html",
                                     "*.exe",
                                     "*.lnk",
                                     "*.js",
                                     "*.vba",
                                     "*.vbs",
                                     "*.vbe",
                                     "*.bat"
                   )
               )
               or any(file.explode(.),
                      (
                        // look for files in encrypted zips.
                        // if password cracking the zip wasn't
                        // successful, our only opportunity to look
                        // for suspicious file types is here under
                        // .zip.attempted_files
                        "encrypted_zip" in .flavors.yara
                        and any(.scan.zip.attempted_files,
                                strings.ilike(.,
                                              "*.dll",
                                              "*.html",
                                              "*.exe",
                                              "*.lnk",
                                              "*.js",
                                              "*.vba",
                                              "*.vbs",
                                              "*.vbe",
                                              "*.bat"
                                )
                        )
                      )
                      // for both non-encrypted zips and encrypted zips
                      // that were successfully cracked
                      or .file_extension in (
                        "dll",
                        "exe",
                        "html",
                        "lnk",
                        "js",
                        "vba",
                        "vbs",
                        "vbe",
                        "bat"
                      )
                      or strings.ilike(.file_name, "*.exe")
                      or (
                        .file_extension not in ("dll", "exe")
                        and (
                          .flavors.mime in ("application/x-dosexec")
                          or any(.flavors.yara, . in ('mz_file'))
                        )
                      )
                      or any(.flavors.yara, . == "macho_file")
               )
               and not (
                 ml.link_analysis(..).effective_url.domain.root_domain == "zoom.us"
                 and .file_extension == "exe"
               )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

Detection logic

Scope: inbound message.

inbound message
any of body.links where any holds:
- all of:
  - .href_url.url contains 'drive.google.com/uc'
  - .href_url.url contains 'export=download'
  - any of ml.link_analysis(., mode='aggressive').files_downloaded where:
    
    .file_extension in $file_extensions_common_archives
- any of ml.link_analysis(.).files_downloaded where any holds:
  - any of beta.parse_exif(.).fields where all hold:
    
    .key is 'ArchivedFileName'
    .value matches any of 9 patterns
    
    *.dll
    *.html
    *.exe
    *.lnk
    *.js
    *.vba
    *.vbs
    *.vbe
    *.bat
  - all of:
    
    any of file.explode(.) where any holds:
    
    all of:
    
    .flavors.yara contains 'encrypted_zip'
    any of .scan.zip.attempted_files where:
    
    . matches any of 9 patterns
    
    *.dll
    *.html
    *.exe
    *.lnk
    *.js
    *.vba
    *.vbs
    *.vbe
    *.bat
    .file_extension in ('dll', 'exe', 'html', 'lnk', 'js', 'vba', 'vbs', 'vbe', 'bat')
    .file_name matches '*.exe'
    all of:
    
    .file_extension not in ('dll', 'exe')
    any of:
    
    .flavors.mime in ('application/x-dosexec')
    any of .flavors.yara where:
    
    . in ('mz_file')
    any of .flavors.yara where:
    
    . is 'macho_file'
    not:
    
    all of:
    
    ml.link_analysis(.).effective_url.domain.root_domain is 'zoom.us'
    .file_extension is 'exe'
any of:
- not:
  - profile.by_sender().solicited
- all of:
  - profile.by_sender().any_messages_malicious_or_spam
  - not:
    
    profile.by_sender().any_messages_benign

Inspects: body.links, body.links[].href_url.url, type.inbound. Sensors: beta.parse_exif, file.explode, ml.link_analysis, profile.by_sender, strings.icontains, strings.ilike. Reference lists: $file_extensions_common_archives.

Indicators matched (26)

Field	Match	Value
`strings.icontains`	substring	`drive.google.com/uc`
`strings.icontains`	substring	`export=download`
`beta.parse_exif(ml.link_analysis(body.links[]).files_downloaded[]).fields[].key`	equals	`ArchivedFileName`
`strings.ilike`	substring	`*.dll`
`strings.ilike`	substring	`*.html`
`strings.ilike`	substring	`*.exe`
`strings.ilike`	substring	`*.lnk`
`strings.ilike`	substring	`*.js`
`strings.ilike`	substring	`*.vba`
`strings.ilike`	substring	`*.vbs`
`strings.ilike`	substring	`*.vbe`
`strings.ilike`	substring	`*.bat`

14 more

`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].flavors.yara`	contains	`encrypted_zip`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].file_extension`	member	`dll`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].file_extension`	member	`exe`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].file_extension`	member	`html`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].file_extension`	member	`lnk`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].file_extension`	member	`js`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].file_extension`	member	`vba`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].file_extension`	member	`vbs`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].file_extension`	member	`vbe`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].file_extension`	member	`bat`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].flavors.mime`	member	`application/x-dosexec`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].flavors.yara[]`	member	`mz_file`
`file.explode(ml.link_analysis(body.links[]).files_downloaded[])[].flavors.yara[]`	equals	`macho_file`
`ml.link_analysis(body.links[]).files_downloaded[].file_extension`	equals	`exe`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)