sublime | medium | Rule
Attachment: Dropbox image lure with no Dropbox domains in links
Detects Dropbox phishing emails with no Dropbox links with image attachments from an untrusted sender.
Detection Query
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and any(body.links,
  not strings.ilike(.href_url.domain.root_domain, "dropbox.*")
)
and any(attachments,
  .file_type in $file_types_images
  and any(file.explode(.),
    strings.ilike(.scan.ocr.raw, "*dropbox*")
    and strings.ilike(.scan.ocr.raw, "*review*", "*sign*")
  )
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
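The query's conditions modelled in Python over constructed messages, as an added example that is not part of the rule or the platform's code. The dict fields, `IMAGE_TYPES` and the single OCR string per attachment (a simplification of `file.explode`) are assumptions; the cases show that `any(body.links, ...)` matches as soon as one link falls outside `dropbox.*`, and never matches a message with no links.

```python
from fnmatch import fnmatchcase

# Assumed stand-in for the platform's $file_types_images list.
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp"}

def ilike(value, *patterns):
    """Case-insensitive glob match against any pattern, modelling strings.ilike."""
    text = (value or "").lower()
    return any(fnmatchcase(text, p.lower()) for p in patterns)

def rule_matches(msg):
    """Evaluate the rule's conditions against a simplified (hypothetical) message dict."""
    atts, sender = msg["attachments"], msg["sender"]
    # No attachment that is not an image.
    only_images = all(a["file_type"] in IMAGE_TYPES for a in atts)
    # any(): one link outside dropbox.* is enough; an empty link list never matches.
    off_brand_link = any(not ilike(d, "dropbox.*") for d in msg["link_root_domains"])
    # An image whose OCR text names Dropbox and asks to review or sign.
    ocr_lure = any(
        a["file_type"] in IMAGE_TYPES
        and ilike(a["ocr"], "*dropbox*")
        and ilike(a["ocr"], "*review*", "*sign*")
        for a in atts
    )
    untrusted = (not sender["solicited"] or sender["malicious_or_spam"]) and not sender["benign"]
    return msg["inbound"] and only_images and off_brand_link and ocr_lure and untrusted

def sample(**overrides):
    """Constructed message: one PNG lure, one non-Dropbox link, unknown sender."""
    lure = {"file_type": "png", "ocr": "Dropbox\nPlease REVIEW and sign the shared document"}
    base = {"inbound": True, "attachments": [lure], "link_root_domains": ["example.net"],
            "sender": {"solicited": False, "malicious_or_spam": False, "benign": False}}
    return {**base, **overrides}

def demo():
    """Return the verdict for each constructed case."""
    pdf = {"file_type": "pdf", "ocr": ""}
    trusted = {"solicited": True, "malicious_or_spam": False, "benign": True}
    return {
        "lure": rule_matches(sample()),
        "mixed_links": rule_matches(sample(link_root_domains=["dropbox.com", "example.net"])),
        "dropbox_only": rule_matches(sample(link_root_domains=["dropbox.com"])),
        "no_links": rule_matches(sample(link_root_domains=[])),
        "extra_pdf": rule_matches(sample(attachments=sample()["attachments"] + [pdf])),
        "known_good_sender": rule_matches(sample(sender=trusted)),
    }

if __name__ == "__main__":
    print(demo())
```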
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: Dropbox image lure with no Dropbox domains in links"
description: "Detects Dropbox phishing emails with no Dropbox links with image attachments from an untrusted sender."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(filter(attachments, .file_type not in $file_types_images)) == 0
  and any(body.links,
    not strings.ilike(.href_url.domain.root_domain, "dropbox.*")
  )
  and any(attachments,
    .file_type in $file_types_images
    and any(file.explode(.),
      strings.ilike(.scan.ocr.raw, "*dropbox*")
      and strings.ilike(.scan.ocr.raw, "*review*", "*sign*")
    )
  )
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "500eee2d-d793-5450-a87f-825ce27c897d"