
Summary
This detection rule identifies attempts to distribute the ConnectWise ScreenConnect installer through links that lead to executable files (.exe) via relay domains that deviate from the expected sender or organizational domains. The rule analyzes every link in inbound messages, checks whether any link URL ends in ".exe", and uses aggressive link analysis to confirm that the downloaded file is related to ScreenConnect. If a relay domain is detected, it is compared against the organizational domains and the sender's domain, and any discrepancy is flagged. This addresses threats categorized as malware or ransomware that stem from social engineering and evasion tactics and could deploy a remote access tool without the user's consent or awareness.
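The three checks described above (.exe destination, ScreenConnect confirmed by link analysis, relay domain matching neither the organization nor the sender), as an added example that is not the rule's own code. It assumes each link record carries the clicked URL, the URL the redirect chain ended at, and the analysed download's product name (standing in for the rule's link analysis); the `ORG_DOMAINS` value and all sample messages are constructed.

```python
from urllib.parse import urlparse

ORG_DOMAINS = {"example.com"}  # assumed organizational domains


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels, lower-cased); enough for the sample."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_screenconnect_relay_lure(msg: dict, org_domains=ORG_DOMAINS) -> bool:
    sender_domain = registered_domain(msg["sender"].split("@")[-1])
    for link in msg["links"]:
        final = urlparse(link["final_url"])
        # 1. the link must resolve to an .exe download
        if not final.path.lower().endswith(".exe"):
            continue
        # 2. link analysis must identify the download as ScreenConnect
        if "screenconnect" not in link["analysis"]["product"].lower():
            continue
        # 3. a relay domain exists when the clicked host differs from the final host
        clicked_domain = registered_domain(urlparse(link["url"]).hostname or "")
        if clicked_domain == registered_domain(final.hostname or ""):
            continue
        # 4. flag when the relay domain is neither the org's nor the sender's
        if clicked_domain not in org_domains and clicked_domain != sender_domain:
            return True
    return False


# Constructed sample messages (not real indicators)
LURE = {
    "sender": "helpdesk@vendor-invoices.test",
    "links": [{
        "url": "https://links.tracker-relay.test/c/abc123",
        "final_url": "https://downloads.hosting.test/support/ScreenConnect.Client.exe",
        "analysis": {"product": "ScreenConnect Client"},
    }],
}
BENIGN = {  # org-owned relay in front of the same kind of download
    "sender": "it@example.com",
    "links": [{
        "url": "https://links.example.com/r/xyz",
        "final_url": "https://downloads.hosting.test/support/ScreenConnect.Client.exe",
        "analysis": {"product": "ScreenConnect Client"},
    }],
}
```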
Categories
- Web
- Endpoint
- Network
- Cloud
Data Sources
- Web Credential
- Network Traffic
- File
- Process
Created: 2025-05-03