← Back to Explore
sublimemediumRule
Service abuse: Dropbox share with suspicious sender or document name
The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name.
Detection Query
type.inbound
// Legitimate Dropbox sending infratructure
and sender.email.email == "no-reply@dropbox.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and strings.ends_with(headers.auth_summary.spf.details.designator,
'.dropbox.com'
)
and strings.icontains(subject.subject, 'shared')
and strings.icontains(subject.subject, 'with you')
and (
// contains the word dropbox
// everything not "shared" and "with you" is actor controlled
strings.icontains(subject.subject, 'dropbox')
or strings.icontains(subject.subject, 'sharefile')
// sender names part of the subject
or (
// Billing Accounting
regex.icontains(subject.subject,
'Accounts? (?:Payable|Receivable).*shared',
'Billing Support.*shared'
)
// HR/Payroll/Legal/etc
or regex.icontains(subject.subject, 'Compliance HR.*shared')
or regex.icontains(subject.subject,
'(?:Compliance|Executive|Finance|\bHR\b|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared'
)
or regex.icontains(subject.subject, '(?:Department|Team).*shared')
or regex.icontains(subject.subject, 'Corporate Communications.*shared')
or regex.icontains(subject.subject, 'Employee Relations.*shared')
or regex.icontains(subject.subject, 'Office Manager.*shared')
or regex.icontains(subject.subject, 'Risk Management.*shared')
or regex.icontains(subject.subject, 'Payroll Admin(?:istrator).*shared')
or regex.icontains(subject.subject, 'Human Resources.*shared')
or regex.icontains(subject.subject, 'HR.*shared')
// IT related
or regex.icontains(subject.subject,
'IT Support.*shared',
'Information Technology.*shared',
'(?:Network|System)? Admin(?:istrator).*shared',
'Help Desk.*shared',
'Tech(?:nical) Support.*shared'
)
// an email address in the subject is also interesting
or regex.icontains(subject.subject, '\w+@\w+\.\w+.*shared')
)
// filename analysis
// the filename is also contianed in the subject line
or (
// untitled.paper
regex.icontains(subject.subject, 'shared.*\"Untitled.paper')
// scanner themed
or regex.icontains(subject.subject, 'shared.*\".*scanne[rd]')
// image theme
or regex.icontains(subject.subject, 'shared.*\".*_IMG_')
or regex.icontains(subject.subject, 'shared.*\".*IMG[_-](?:\d|\W)+\"')
// ondrive theme
or regex.icontains(subject.subject, 'shared.*\".*one_docx')
or regex.icontains(subject.subject, 'shared.*\".*One.?Drive')
or regex.icontains(subject.subject, 'shared.*\".*click here')
or regex.icontains(subject.subject, 'shared.*\".*Download PDF')
or regex.icontains(subject.subject, 'shared.*\".*Validate')
// Invoice Themes
or regex.icontains(subject.subject, 'shared.*\".*Invoice')
or regex.icontains(subject.subject, 'shared.*\".*INV\b')
or regex.icontains(subject.subject, 'shared.*\".*Payment')
or regex.icontains(subject.subject, 'shared.*\".*ACH')
or regex.icontains(subject.subject, 'shared.*\".*Wire Confirmation')
or regex.icontains(subject.subject, 'shared.*\".*P[O0]\W+?\d+\"')
or regex.icontains(subject.subject, 'shared.*\"P[O0](?:\W+?|\d+)')
or regex.icontains(subject.subject, 'shared.*\".*receipt')
or regex.icontains(subject.subject, 'shared.*\".*Billing')
or regex.icontains(subject.subject, 'shared.*\".*statement')
or regex.icontains(subject.subject, 'shared.*\".*Past Due')
or regex.icontains(subject.subject, 'shared.*\".*Remit(?:tance)?')
or regex.icontains(subject.subject, 'shared.*\".*Purchase Order')
or regex.icontains(subject.subject, 'shared.*\".*Settlement')
// contract language
or regex.icontains(subject.subject, 'shared.*\".*Contract Agreement')
or regex.icontains(subject.subject, 'shared.*\".*Pr[0o]p[0o]sal')
or regex.icontains(subject.subject, 'shared.*\".*Contract Doc')
or regex.icontains(subject.subject, 'shared.*\".*Claim Doc')
// Payroll/HR
// section also used in link_sharepoint_sus_name.yml with modified input
or regex.icontains(subject.subject, 'shared.*\".*Payroll')
or regex.icontains(subject.subject, 'shared.*\".*Employee Pay\b')
or regex.icontains(subject.subject, 'shared.*\".*Salary')
or regex.icontains(subject.subject, 'shared.*\".*Benefit Enrollment')
or regex.icontains(subject.subject, 'shared.*\".*Employee Handbook')
or regex.icontains(subject.subject, 'shared.*\".*Reimbursement Approved')
or regex.icontains(subject.subject,
'shared.*\".*(?:Faculty|Staff)\s*(?:\w+\s+){0,3}\s*Eval(?:uation)?'
)
// shared files/extenstion
or regex.icontains(subject.subject, 'shared.*\".*Shared.?File')
or regex.icontains(subject.subject, 'shared.*\".*Urgent')
or regex.icontains(subject.subject, 'shared.*\".*Important')
or regex.icontains(subject.subject, 'shared.*\".*Secure')
or regex.icontains(subject.subject, 'shared.*\".*Encrypt')
or regex.icontains(subject.subject, 'shared.*\".*shared')
or regex.icontains(subject.subject, 'shared.*\".*protected')
or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.pdf')
or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.paper')
// all caps filename allowing for numbers, punct and spaces, and an optional file extenstion
or regex.contains(subject.subject,
'shared \"[A-Z0-9[:punct:]\s]+(?:\.[a-zA-Z]{3,5})\"'
)
or regex.icontains(subject.subject,
'shared \".*(?:shared|sent).*\" with you'
)
// MFA theme
or regex.icontains(subject.subject, 'shared.*\".*Verification Code')
or regex.icontains(subject.subject, 'shared.*\".*\bMFA\b')
// the reply-to address is within the subject
or any(headers.reply_to,
strings.icontains(subject.subject, .email.domain.domain)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Service abuse: Dropbox share with suspicious sender or document name"
description: "The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name."
type: "rule"
severity: "medium"
source: |
type.inbound
// Legitimate Dropbox sending infratructure
and sender.email.email == "no-reply@dropbox.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and strings.ends_with(headers.auth_summary.spf.details.designator,
'.dropbox.com'
)
and strings.icontains(subject.subject, 'shared')
and strings.icontains(subject.subject, 'with you')
and (
// contains the word dropbox
// everything not "shared" and "with you" is actor controlled
strings.icontains(subject.subject, 'dropbox')
or strings.icontains(subject.subject, 'sharefile')
// sender names part of the subject
or (
// Billing Accounting
regex.icontains(subject.subject,
'Accounts? (?:Payable|Receivable).*shared',
'Billing Support.*shared'
)
// HR/Payroll/Legal/etc
or regex.icontains(subject.subject, 'Compliance HR.*shared')
or regex.icontains(subject.subject,
'(?:Compliance|Executive|Finance|\bHR\b|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared'
)
or regex.icontains(subject.subject, '(?:Department|Team).*shared')
or regex.icontains(subject.subject, 'Corporate Communications.*shared')
or regex.icontains(subject.subject, 'Employee Relations.*shared')
or regex.icontains(subject.subject, 'Office Manager.*shared')
or regex.icontains(subject.subject, 'Risk Management.*shared')
or regex.icontains(subject.subject, 'Payroll Admin(?:istrator).*shared')
or regex.icontains(subject.subject, 'Human Resources.*shared')
or regex.icontains(subject.subject, 'HR.*shared')
// IT related
or regex.icontains(subject.subject,
'IT Support.*shared',
'Information Technology.*shared',
'(?:Network|System)? Admin(?:istrator).*shared',
'Help Desk.*shared',
'Tech(?:nical) Support.*shared'
)
// an email address in the subject is also interesting
or regex.icontains(subject.subject, '\w+@\w+\.\w+.*shared')
)
// filename analysis
// the filename is also contianed in the subject line
or (
// untitled.paper
regex.icontains(subject.subject, 'shared.*\"Untitled.paper')
// scanner themed
or regex.icontains(subject.subject, 'shared.*\".*scanne[rd]')
// image theme
or regex.icontains(subject.subject, 'shared.*\".*_IMG_')
or regex.icontains(subject.subject, 'shared.*\".*IMG[_-](?:\d|\W)+\"')
// ondrive theme
or regex.icontains(subject.subject, 'shared.*\".*one_docx')
or regex.icontains(subject.subject, 'shared.*\".*One.?Drive')
or regex.icontains(subject.subject, 'shared.*\".*click here')
or regex.icontains(subject.subject, 'shared.*\".*Download PDF')
or regex.icontains(subject.subject, 'shared.*\".*Validate')
// Invoice Themes
or regex.icontains(subject.subject, 'shared.*\".*Invoice')
or regex.icontains(subject.subject, 'shared.*\".*INV\b')
or regex.icontains(subject.subject, 'shared.*\".*Payment')
or regex.icontains(subject.subject, 'shared.*\".*ACH')
or regex.icontains(subject.subject, 'shared.*\".*Wire Confirmation')
or regex.icontains(subject.subject, 'shared.*\".*P[O0]\W+?\d+\"')
or regex.icontains(subject.subject, 'shared.*\"P[O0](?:\W+?|\d+)')
or regex.icontains(subject.subject, 'shared.*\".*receipt')
or regex.icontains(subject.subject, 'shared.*\".*Billing')
or regex.icontains(subject.subject, 'shared.*\".*statement')
or regex.icontains(subject.subject, 'shared.*\".*Past Due')
or regex.icontains(subject.subject, 'shared.*\".*Remit(?:tance)?')
or regex.icontains(subject.subject, 'shared.*\".*Purchase Order')
or regex.icontains(subject.subject, 'shared.*\".*Settlement')
// contract language
or regex.icontains(subject.subject, 'shared.*\".*Contract Agreement')
or regex.icontains(subject.subject, 'shared.*\".*Pr[0o]p[0o]sal')
or regex.icontains(subject.subject, 'shared.*\".*Contract Doc')
or regex.icontains(subject.subject, 'shared.*\".*Claim Doc')
// Payroll/HR
// section also used in link_sharepoint_sus_name.yml with modified input
or regex.icontains(subject.subject, 'shared.*\".*Payroll')
or regex.icontains(subject.subject, 'shared.*\".*Employee Pay\b')
or regex.icontains(subject.subject, 'shared.*\".*Salary')
or regex.icontains(subject.subject, 'shared.*\".*Benefit Enrollment')
or regex.icontains(subject.subject, 'shared.*\".*Employee Handbook')
or regex.icontains(subject.subject, 'shared.*\".*Reimbursement Approved')
or regex.icontains(subject.subject,
'shared.*\".*(?:Faculty|Staff)\s*(?:\w+\s+){0,3}\s*Eval(?:uation)?'
)
// shared files/extenstion
or regex.icontains(subject.subject, 'shared.*\".*Shared.?File')
or regex.icontains(subject.subject, 'shared.*\".*Urgent')
or regex.icontains(subject.subject, 'shared.*\".*Important')
or regex.icontains(subject.subject, 'shared.*\".*Secure')
or regex.icontains(subject.subject, 'shared.*\".*Encrypt')
or regex.icontains(subject.subject, 'shared.*\".*shared')
or regex.icontains(subject.subject, 'shared.*\".*protected')
or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.pdf')
or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.paper')
// all caps filename allowing for numbers, punct and spaces, and an optional file extenstion
or regex.contains(subject.subject,
'shared \"[A-Z0-9[:punct:]\s]+(?:\.[a-zA-Z]{3,5})\"'
)
or regex.icontains(subject.subject,
'shared \".*(?:shared|sent).*\" with you'
)
// MFA theme
or regex.icontains(subject.subject, 'shared.*\".*Verification Code')
or regex.icontains(subject.subject, 'shared.*\".*\bMFA\b')
// the reply-to address is within the subject
or any(headers.reply_to,
strings.icontains(subject.subject, .email.domain.domain)
)
)
)
attack_types:
- "Callback Phishing"
- "BEC/Fraud"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Sender analysis"
- "Header analysis"
- "Content analysis"
id: "27007c9f-e738-584f-8b49-74710f9ef9a6"