
Summary
Detects inbound messages containing a link that points directly to an executable (.exe) download. The rule scans the message's links for an href_url.url that ends with .exe and requires the link's domain to differ from the sender's domain. Links whose domain appears in a top-10k list of popular domains are excluded, unless that domain is a known free file host (for example, certain file-sharing services), because such hosts are routinely abused to stage payloads. Together these conditions bias the rule toward external, potentially malicious .exe delivery while reducing noise from internal domains and widely used, trusted hosts. The rule depends on sender-domain comparison and URL analysis, carries a low severity level, and has a noted potential for false positives, such as benign security advisories or legitimate software distribution links.
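The logic summarised above, run over a handful of constructed sample messages. This is an added illustration, not the rule's own source: the message shape (a dict with direction, sender and a list of links carrying href_url), the tiny TOP_10K_DOMAINS and FREE_FILE_HOSTS sets, and the registered_domain helper are all assumptions made so the example runs offline. One deliberate difference from the summary's literal "ends with .exe": the check below tests the URL path, so a link like setup.exe?dl=1 still matches, which a whole-string suffix test would miss.

```python
from urllib.parse import urlparse

# Constructed stand-ins for the two reference lists the summary mentions.
# The real rule consults its own top-10k popular-domain list and its own
# free-file-host list; these small sets exist only so the example runs offline.
TOP_10K_DOMAINS = {"microsoft.com", "github.com", "google.com", "dropbox.com"}
FREE_FILE_HOSTS = {"dropbox.com"}


def registered_domain(host):
    """Reduce a hostname to its last two labels (cdn.example.net -> example.net).

    Deliberately naive eTLD+1 for the sample data; a production rule should use a
    public-suffix list so that e.g. 'foo.co.uk' is not collapsed to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_exe_link(url):
    """True when the URL *path* ends with .exe (case-insensitive).

    Testing the path rather than the whole URL string means
    'https://x.test/setup.exe?dl=1' still matches, while
    'https://x.test/download?file=setup.exe' does not.
    """
    return urlparse(url).path.lower().endswith(".exe")


def exe_links_from_foreign_domains(message):
    """Return the link URLs in `message` that satisfy the summarised rule.

    message: {"direction": "inbound", "sender": addr, "links": [{"href_url": url}, ...]}
    (assumed shape, not the rule engine's real schema).
    """
    if message.get("direction") != "inbound":
        return []
    sender_domain = registered_domain(message["sender"].rsplit("@", 1)[-1])
    hits = []
    for link in message.get("links", []):
        url = link["href_url"]
        if not is_exe_link(url):
            continue
        host = urlparse(url).hostname
        if not host:
            continue
        link_domain = registered_domain(host)
        if link_domain == sender_domain:
            continue  # own-domain download: out of scope for this rule
        if link_domain in TOP_10K_DOMAINS and link_domain not in FREE_FILE_HOSTS:
            continue  # popular domain that is not a free file host: suppressed
        hits.append(url)
    return hits


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    {   # external host serving an .exe, with a query string: should fire
        "direction": "inbound",
        "sender": "billing@vendor.example",
        "links": [{"href_url": "https://cdn.downloads.test/Invoice_Viewer.EXE?dl=1"}],
    },
    {   # same registered domain as the sender: should not fire
        "direction": "inbound",
        "sender": "it@corp.example",
        "links": [{"href_url": "https://files.corp.example/agent.exe"}],
    },
    {   # popular domain that is not a free file host: suppressed
        "direction": "inbound",
        "sender": "dev@vendor.example",
        "links": [{"href_url": "https://github.com/org/tool/releases/download/v1/tool.exe"}],
    },
    {   # popular domain that IS a free file host: still fires
        "direction": "inbound",
        "sender": "hr@vendor.example",
        "links": [{"href_url": "https://www.dropbox.com/s/abc123/payroll.exe"}],
    },
    {   # outbound mail: the rule does not apply
        "direction": "outbound",
        "sender": "me@corp.example",
        "links": [{"href_url": "https://cdn.downloads.test/setup.exe"}],
    },
]


def run_samples():
    """Evaluate every constructed message; one list of matching URLs per message."""
    return [exe_links_from_foreign_domains(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, hits in zip(SAMPLE_MESSAGES, run_samples()):
        print(msg["sender"], "->", hits or "no match")
```

The github.com and dropbox.com cases show why the free-file-host exception matters: both are in the popular-domain list, but only the file host remains a useful signal, because anyone can upload a payload there. The false positives the summary warns about (advisories and vendor download links) would land in the first bucket, so an analyst tuning this rule would look at extending the popular-domain list or the sender-domain comparison rather than loosening the .exe check.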
Categories
- Web
- Endpoint
Data Sources
- Network Traffic
- File
Created: 2026-03-03