
Summary
This detection rule identifies messages containing links to MSI (Microsoft Installer) files hosted on domains that are not recognized as reputable, meaning domains not listed among the top 10,000 trusted sites. The rule examines the links in the message's current thread, resolves each link to its root domain, and keeps only links whose root domain differs from the sender's domain and does not appear in the top-trusted list. An alert is raised when the number of such distinct links is small (5 or fewer) and at least one of the links ends with the '.msi' file extension, indicating a direct download of a potential malware or ransomware installer. The rule combines sender analysis with URL analysis to assess potential threats in communications, helping to reduce an organization's attack surface.
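The following Python script is an added illustration of the rule's logic and is not the vendor's own rule or query language. It assumes a small constructed stand-in for the top-10,000 reputable-domain list (TOP_DOMAINS), a two-label root-domain heuristic in place of a public-suffix-aware function, that the '.msi' check applies to the filtered (unrelated, non-reputable) links, and that the extension is tested on the URL path rather than the query string. The sample messages, senders and hosts are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-in for the top-10,000 reputable-domain list the rule
# consults; the real list is far larger. Assumption: entries are root domains.
TOP_DOMAINS = {"microsoft.com", "google.com", "github.com", "office.com"}

MAX_DISTINCT_LINKS = 5   # the "5 or fewer" threshold from the rule summary


def root_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'cdn.example.test' -> 'example.test'.
    Assumption: the real rule uses a public-suffix-aware root-domain function;
    this stand-in does not handle multi-label suffixes such as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


@dataclass
class Message:
    sender: str                                     # From address
    links: list[str] = field(default_factory=list)  # hrefs found in the current thread


def sender_root_domain(msg: Message) -> str:
    return root_domain(msg.sender.rsplit("@", 1)[-1])


def candidate_links(msg: Message) -> set[str]:
    """Distinct http(s) links whose root domain is neither the sender's root
    domain nor one of the reputable domains."""
    sender = sender_root_domain(msg)
    kept = set()
    for raw in msg.links:
        url = raw.strip()
        parsed = urlparse(url)
        if parsed.scheme.lower() not in ("http", "https") or not parsed.hostname:
            continue
        root = root_domain(parsed.hostname)
        if root == sender or root in TOP_DOMAINS:
            continue
        kept.add(url)
    return kept


def is_msi_link(url: str) -> bool:
    # Extension check on the URL path only, so '?file=a.msi' in the query does not count.
    return urlparse(url).path.lower().endswith(".msi")


def matches_rule(msg: Message) -> bool:
    """True when the message has 1..5 distinct unrelated, non-reputable links
    and at least one of them points at an .msi file."""
    kept = candidate_links(msg)
    if not kept or len(kept) > MAX_DISTINCT_LINKS:
        return False
    return any(is_msi_link(u) for u in kept)


# Constructed sample messages (no real senders or hosts).
SAMPLES = {
    "unrelated_msi": Message(
        "billing@contoso-invoices.test",
        ["https://files.dl-host.test/Invoice_Viewer.msi", "https://www.google.com/"]),
    "own_domain_msi": Message(
        "it@vendor.test", ["https://dl.vendor.test/agent.msi"]),
    "reputable_msi": Message(
        "user@partner.test", ["https://download.microsoft.com/x/setup.msi"]),
    "exe_not_msi": Message(
        "user@partner.test", ["https://files.dl-host.test/setup.exe"]),
    "too_many_links": Message(
        "news@partner.test",
        [f"https://site{i}.test/page" for i in range(5)] + ["https://drop.test/tool.msi"]),
    "msi_in_query_only": Message(
        "user@partner.test", ["https://files.dl-host.test/get?file=setup.msi"]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:18} -> {'ALERT' if matches_rule(msg) else 'no match'}")
```

Only the first sample alerts: the sender-domain check suppresses a vendor linking its own installer, the reputable-domain check suppresses a microsoft.com download, the distinct-link cap suppresses newsletter-style messages with many unrelated links, and the path-based extension check ignores an '.msi' string that appears only in a query parameter.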
Categories
- Endpoint
- Web
- Cloud
Data Sources
- User Account
- Network Traffic
- Web Credential
Created: 2026-02-20