← Back to Explore
sublimemediumRule
Brand impersonation: Dropbox
Impersonation of Dropbox, a file sharing service.
Detection Query
type.inbound
and (
strings.ilike(sender.display_name, '*dropbox*')
or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
or strings.ilike(sender.email.domain.domain, '*dropbox*')
or any(body.links,
.display_url.domain.root_domain == "dropbox.com"
and .mismatched
and not .href_url.domain.root_domain in (
"mimecast.com",
"mimecastprotect.com"
)
)
or regex.icontains(body.current_thread.text,
'invited you to view the file ".*" on Dropbox',
'dr[o0]pb[o0]x.{0,20}share.{0,20}f[i1|][i1|l]es?',
'dropbox sign (?:account|team)'
)
// dropbox style button
or length(html.xpath(body.html,
"//a[contains(@style, 'background-color: #0070e0') and contains(@style, 'color: white') and contains(@style, 'width: 210px') and contains(@style, 'max-width: 210px') and contains(@style, 'border-radius: 4px') and contains(@style, 'text-align: center') and contains(@style, 'font-size: 15px')]"
).nodes
) == 1
)
and sender.email.domain.root_domain not in~ (
'dropbox.com',
'dropboxforum.com',
'dropboxsign.com'
)
and (
any(attachments,
.file_type in $file_types_images
and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
)
or any(body.links,
(
(
strings.ilike(.display_text,
"*review*",
"*sign*",
"*view*",
"*completed document*",
"*open agreement*",
"*open document*",
"*open file*"
)
and not strings.ilike(.display_text, "*view this email in*")
)
or (
.display_text is null
and .href_url.domain.root_domain in $free_file_hosts
)
)
and (
.href_url.domain.root_domain != "dropbox.com"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
)
or (
length(ml.logo_detect(file.message_screenshot()).brands) != 0
and all(ml.logo_detect(file.message_screenshot()).brands,
.name == "Dropbox"
)
)
)
and sender.email.email not in $recipient_emails
// negate dropbox fax (aka hellofax)
and not sender.email.domain.root_domain == 'hellofax.com'
// negate iCloud Private Message Relay
and not (
sender.email.domain.domain == "privaterelay.appleid.com"
or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Dropbox"
description: |
Impersonation of Dropbox, a file sharing service.
type: "rule"
severity: "medium"
source: |
type.inbound
and (
strings.ilike(sender.display_name, '*dropbox*')
or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
or strings.ilike(sender.email.domain.domain, '*dropbox*')
or any(body.links,
.display_url.domain.root_domain == "dropbox.com"
and .mismatched
and not .href_url.domain.root_domain in (
"mimecast.com",
"mimecastprotect.com"
)
)
or regex.icontains(body.current_thread.text,
'invited you to view the file ".*" on Dropbox',
'dr[o0]pb[o0]x.{0,20}share.{0,20}f[i1|][i1|l]es?',
'dropbox sign (?:account|team)'
)
// dropbox style button
or length(html.xpath(body.html,
"//a[contains(@style, 'background-color: #0070e0') and contains(@style, 'color: white') and contains(@style, 'width: 210px') and contains(@style, 'max-width: 210px') and contains(@style, 'border-radius: 4px') and contains(@style, 'text-align: center') and contains(@style, 'font-size: 15px')]"
).nodes
) == 1
)
and sender.email.domain.root_domain not in~ (
'dropbox.com',
'dropboxforum.com',
'dropboxsign.com'
)
and (
any(attachments,
.file_type in $file_types_images
and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
)
or any(body.links,
(
(
strings.ilike(.display_text,
"*review*",
"*sign*",
"*view*",
"*completed document*",
"*open agreement*",
"*open document*",
"*open file*"
)
and not strings.ilike(.display_text, "*view this email in*")
)
or (
.display_text is null
and .href_url.domain.root_domain in $free_file_hosts
)
)
and (
.href_url.domain.root_domain != "dropbox.com"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
)
or (
length(ml.logo_detect(file.message_screenshot()).brands) != 0
and all(ml.logo_detect(file.message_screenshot()).brands,
.name == "Dropbox"
)
)
)
and sender.email.email not in $recipient_emails
// negate dropbox fax (aka hellofax)
and not sender.email.domain.root_domain == 'hellofax.com'
// negate iCloud Private Message Relay
and not (
sender.email.domain.domain == "privaterelay.appleid.com"
or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "File analysis"
- "Header analysis"
- "Sender analysis"
id: "61f11d12-7033-53c9-a95a-df982ff31c4b"