• Sublime Core Feed
Medium Severity

Link to auto-download of a suspicious file type (unsolicited)

Labels

Malware/Ransomware
Encryption
Evasion
LNK
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA

Description

A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

Recursively explodes auto-downloaded files within archives to detect these file types.

This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware.

This technique has been used by known threat actors in the wild.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Mar 5th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(body.links,
        // Detect suspicious direct Google Drive downloads
        (
          strings.icontains(.href_url.url, "drive.google.com/uc") 
          and strings.icontains(.href_url.url, "export=download")
          and any(ml.link_analysis(., mode="aggressive").files_downloaded,
              .file_extension in $file_extensions_common_archives
          )
        )
        
        or any(ml.link_analysis(.).files_downloaded,
            any(file.explode(.),
                (
                  // look for files in encrypted zips.
                  // if password cracking the zip wasn't
                  // successful, our only opportunity to look
                  // for suspicious file types is here under
                  // .zip.attempted_files
                  "encrypted_zip" in .flavors.yara
                  and any(.scan.zip.attempted_files,
                          strings.ilike(., "*.dll", "*.html", "*.exe", "*.lnk", "*.js", "*.vba", "*.vbs", "*.vbe")
                  )
                )
                // for both non-encrypted zips and encrypted zips
                // that were successfully cracked
                or .file_extension in ("dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe", "bat")
                or strings.ilike(.file_name, "*.exe")
                or (
                  .file_extension not in ("dll", "exe")
                  and (
                    .flavors.mime in ("application/x-dosexec")
                    or any(.flavors.yara, . in ('mz_file'))
                  )
                )
                or any(.flavors.yara, . == "macho_file")
            )
            and not (
              ml.link_analysis(..).effective_url.domain.root_domain == "zoom.us"
              and .file_extension == "exe"
            )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
MQL Rule Console
•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started