• Sublime Core Feed
Medium Severity

Link: Commonly Abused Web Service redirecting to ZIP file

Description

Detects messages containing links from URL shorteners, free file hosts, or suspicious domains that redirect to ZIP file downloads, potentially indicating malware distribution.

References

No references.

Sublime Security
Created Mar 10th, 2026 • Last updated Mar 10th, 2026
Source
type.inbound
and 0 < length(body.links) < 15
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(body.links,
        (
          // root domain is commonly abused
          .href_url.domain.root_domain in $url_shorteners
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.root_domain in $self_service_creation_platform_domains
          or .href_url.domain.tld in $suspicious_tlds
          // or a domain registered within the last 30 days
          or network.whois(.href_url.domain).days_old < 30
        )
        // we DON'T want the original link to end in zip
        and not strings.iends_with(.href_url.url, '.zip')
        // we DO want the effective (redirected) url to end in zip
        and strings.iends_with(ml.link_analysis(.).effective_url.url, '.zip')
)
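As an added illustration, not part of the Sublime feed or rule, the following Python models the same logic over a constructed message record: the message-level gates (inbound, 1 to 14 links, a single recipient with a valid domain) followed by the per-link test. The domain lists, the 30-day WHOIS threshold check and the sample links are constructed stand-ins; the real `$url_shorteners`, `$free_file_hosts` and similar lists are maintained by Sublime and are not reproduced here.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's $url_shorteners, $free_file_hosts,
# $free_subdomain_hosts, $self_service_creation_platform_domains and $suspicious_tlds.
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
FREE_FILE_HOSTS = {"mediafire.com", "wetransfer.com"}
FREE_SUBDOMAIN_HOSTS = {"weebly.com", "github.io"}
SELF_SERVICE_PLATFORMS = {"wixsite.com", "glitch.me"}
SUSPICIOUS_TLDS = {"top", "xyz"}

@dataclass
class Link:
    href: str                               # URL as written in the message body
    effective: str                          # URL after redirects (ml.link_analysis in MQL)
    domain_days_old: Optional[int] = None   # WHOIS age of the href domain, if known

def root_domain(host: str) -> str:
    # Naive last-two-labels root; proper public-suffix handling is assumed away.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def commonly_abused(link: Link) -> bool:
    """The parenthesised 'root domain is commonly abused' block of the rule."""
    host = urlparse(link.href).hostname or ""
    root, tld = root_domain(host), host.rsplit(".", 1)[-1].lower()
    return (root in URL_SHORTENERS or root in FREE_FILE_HOSTS
            or root in FREE_SUBDOMAIN_HOSTS or root in SELF_SERVICE_PLATFORMS
            or tld in SUSPICIOUS_TLDS
            or (link.domain_days_old is not None and link.domain_days_old < 30))

def redirects_to_zip(link: Link) -> bool:
    """Original URL must NOT end in .zip; the redirected (effective) URL must."""
    return (not link.href.lower().endswith(".zip")
            and link.effective.lower().endswith(".zip"))

def rule_matches(inbound: bool, links: List[Link], recipients: List[str]) -> bool:
    """Message-level gates first, then the per-link test over body.links."""
    if not inbound or not 0 < len(links) < 15 or len(recipients) != 1:
        return False
    if "." not in recipients[0].rpartition("@")[2]:  # crude email.domain.valid stand-in
        return False
    return any(commonly_abused(l) and redirects_to_zip(l) for l in links)

SAMPLE_LINKS = [  # constructed: a shortener hop to a .zip, and a benign PDF link
    Link("https://bit.ly/3abc", "https://cdn.example.net/invoice.zip"),
    Link("https://www.example.com/report", "https://www.example.com/report.pdf"),
]
```

Feeding `SAMPLE_LINKS` to `rule_matches` with one recipient fires on the first link only; the second fails `redirects_to_zip`, and a two-recipient or outbound message never reaches the link test.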