High Severity

Attachment: OLE external relationship containing file scheme link to executable filetype

Labels

Malware/Ransomware

Evasion

Description

This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.

References

No references.

Sublime Security

Created Mar 24th, 2024 • Last updated Nov 24th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_macros
          or .file_extension in~ $file_extensions_common_archives
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
            and .size < 100000000
          )
        )
        and length(file.oletools(.).relationships) < 500
        and any(file.oletools(.).relationships,
                .target_url.scheme == "file"
                and regex.icontains(.target_url.path,
                                    '\.(action|ahk|apk|app|appimage|applescript|bat|bin|cab|cmd|command|cpl|dll|dmg|exe|gadget|hta|inf|ins|ipa|isu|jar|job|js|jse|lnk|msi|msp|paf|pif|ps1|rgs|run|scr|sct|sh|shb|vb|vbe|vbs)($|[^\w])'
                )
                // avoid flagging on internal/network drives mappings
                and not (
                  strings.starts_with(.target_url.scheme, "file")
                  and not regex.imatch(.target_url.path, '/?[a-z]:/')
                )
        )
)
and (
  not profile.by_sender().any_messages_benign
  or profile.by_sender().any_messages_malicious_or_spam
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.