In MWG console, how can I configure the rule to block the executables only from malicious website only ?
do you have an existing rule to block executables or do you need to create a brand new rule?
Basically you need to extent the rule that blocks executables by a criteria like "URL.Categories" contains "Malicious Downloads". A sample rule could look like this:
You can create it as indicated above in my screenshot.
Anyway I am not sure if this will help a lot. Generally I would recommend to completely block access to the categories "Malicious Websites" and "Malivious Downloads", so not only deny access to executables but to everything that is malicious.
Probably it would make sense to validate that your policy is correct and strict enough to avoid infections. I don't think adding that single rule above will help, you should ensure that all the important components work e.g. SSL Scanner enabled, AV enabled, URL Filter enabled and blocking access to malicious categories, etc. As I don't know your policy it is hard to make an assumption what changes would have helped in such a case.