Medium Severity

Attachment: MSI installer file

Labels

Description

Recursively scans files and archives to detect MSI installer files.

Coercing a target user to run an MSI can be used as part of an 'IT Support' or 'software update' social engineering attack.

Execution of the delivered MSI could enable the attacker to execute malicious code on the target user's host.

References

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md

https://www.trendmicro.com/en_us/research/19/d/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts.html

https://delivr.to/payloads?id=9f7d3318-5072-4ba6-a7e2-14b4b2470a09

https://delivr.to/payloads?id=24b2db63-60f0-4948-bec4-163e038bf402

@ajpc500

Created Aug 17th, 2023 • Last updated Aug 5th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  any(attachments, .file_extension =~ "msi")
  or (
    any(attachments,
        .file_extension in~ $file_extensions_common_archives
        and any(file.explode(.), .file_extension =~ "msi")
    )
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.