type.inbound
// a low number of distinct links that are neither on the sender's domain nor in tranco_10k
and length(distinct(filter(body.current_thread.links,
                           .href_url.domain.root_domain != sender.email.domain.root_domain
                           and .href_url.domain.root_domain not in $tranco_10k
                    ),
                    .href_url.url
           )
) <= 5
// the link leads to a direct download of an MSI file
and any(body.current_thread.links, strings.iends_with(.href_url.url, '.msi'))
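
An added example, not part of the original rule or its project: the rule's three conditions restated in Python and run over constructed messages, to show which inputs match and which do not. The message dict layout, `rule_matches`, `root_domain`, and the `TRANCO_10K` sample set are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the $tranco_10k list (assumption, not the real list).
TRANCO_10K = {"microsoft.com", "github.com"}

def root_domain(host):
    # Simplification (assumption): keep the last two labels.
    # A real engine resolves the registrable domain via the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def rule_matches(msg):
    """Apply the rule's conditions to a constructed message dict."""
    if msg["type"] != "inbound":
        return False
    sender_root = root_domain(msg["sender"].rsplit("@", 1)[1])
    # filter(...) then distinct(..., .href_url.url): unique URLs whose root
    # domain is neither the sender's nor in the popularity list.
    unrelated = set()
    for url in msg["links"]:
        link_root = root_domain(urlsplit(url).hostname or "")
        if link_root != sender_root and link_root not in TRANCO_10K:
            unrelated.add(url)
    if len(unrelated) > 5:
        return False
    # any(...) runs over ALL links, not only the filtered ones.
    return any(url.lower().endswith(".msi") for url in msg["links"])

# Constructed sample messages (not real traffic).
SAMPLES = {
    # One unrelated link, mixed-case extension: iends_with is case-insensitive.
    "single_msi": {"type": "inbound", "sender": "billing@vendor.example",
                   "links": ["https://files.otherhost.example/Invoice.MSI"]},
    # MSI hosted on the sender's own domain: zero unrelated links (<= 5),
    # and the .msi check still fires, so tuning may be needed for such senders.
    "own_domain": {"type": "inbound", "sender": "it@vendor.example",
                   "links": ["https://dl.vendor.example/agent.msi"]},
    # Seven distinct unrelated links: fails the <= 5 condition.
    "many_links": {"type": "inbound", "sender": "news@vendor.example",
                   "links": [f"https://n{i}.example/p" for i in range(6)]
                            + ["https://files.otherhost.example/a.msi"]},
    # Not inbound: the rule does not apply.
    "outbound": {"type": "outbound", "sender": "me@vendor.example",
                 "links": ["https://files.otherhost.example/a.msi"]},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {rule_matches(msg)}")
```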