A system and method for interception of malicious files, the system comprising an agent component planted in a mail server; a protection server configured to communicate with the agent component, the protection server comprising a hardware processor configured to execute code instructions for: fetching by the agent component a file received at the mail server; generating a file execution record of at least a list of tuple addresses used by the fetched file; verifying validity of the tuple address types; and indicating that a file is suspicious in case a tuple address is not valid.