Medium Severity
Link to auto-download of a suspicious file type (unsolicited)
Description
A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.
Recursively explodes auto-downloaded files within archives to detect these file types.
This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware.
This technique has been used by known threat actors in the wild.
References
Sublime Security
Created Aug 17th, 2023 • Last updated Mar 5th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(body.links,
// Detect suspicious direct Google Drive downloads
(
strings.icontains(.href_url.url, "drive.google.com/uc")
and strings.icontains(.href_url.url, "export=download")
and any(ml.link_analysis(., mode="aggressive").files_downloaded,
.file_extension in $file_extensions_common_archives
)
)
or any(ml.link_analysis(.).files_downloaded,
any(file.explode(.),
(
// look for files in encrypted zips.
// if password cracking the zip wasn't
// successful, our only opportunity to look
// for suspicious file types is here under
// .zip.attempted_files
"encrypted_zip" in .flavors.yara
and any(.scan.zip.attempted_files,
strings.ilike(., "*.dll", "*.html", "*.exe", "*.lnk", "*.js", "*.vba", "*.vbs", "*.vbe")
)
)
// for both non-encrypted zips and encrypted zips
// that were successfully cracked
or .file_extension in ("dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe", "bat")
or strings.ilike(.file_name, "*.exe")
or (
.file_extension not in ("dll", "exe")
and (
.flavors.mime in ("application/x-dosexec")
or any(.flavors.yara, . in ('mz_file'))
)
)
or any(.flavors.yara, . == "macho_file")
)
and not (
ml.link_analysis(..).effective_url.domain.root_domain == "zoom.us"
and .file_extension == "exe"
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
Playground
Test against your own EMLs or sample data.