EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Credential Phishing via Dropbox comment abuse

This rule detects Credential Phishing attacks exploiting familiar brands via Dropbox comments. These attacks originate from legitimate Dropbox infrastructure and attempt to pivot to external freemail addresses.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027
defense-evasioninitial-access

Detection Query

type.inbound
and length(attachments) == 0

// Legitimate Dropbox sending infratructure
and (
  sender.email.domain.root_domain in ('dropbox.net', 'dropbox.com')
  // check for DMARC fail for spoofs
  and headers.auth_summary.dmarc.pass
)

// Dropbox Logo or text
and (
  any(ml.logo_detect(file.message_screenshot()).brands, .name == "Dropbox")
  or strings.contains(body.current_thread.text, "Dropbox")
)

// Require common brand impersonation
and strings.ilike(body.current_thread.text,
                  "*mcafee*",
                  "*norton*",
                  "*geek*squad*",
                  "*paypal*",
                  "*ebay*",
                  "*symantec*",
                  "*best buy*",
                  "*lifelock*",
                  "*geek*support*"
)
and 3 of (
  strings.ilike(body.current_thread.text, '*purchase*'),
  strings.ilike(body.current_thread.text, '*payment*'),
  strings.ilike(body.current_thread.text, '*transaction*'),
  strings.ilike(body.current_thread.text, '*subscription*'),
  strings.ilike(body.current_thread.text, '*antivirus*'),
  strings.ilike(body.current_thread.text, '*order*'),
  strings.ilike(body.current_thread.text, '*support*'),
  strings.ilike(body.current_thread.text, '*help line*'),
  strings.ilike(body.current_thread.text, '*receipt*'),
  strings.ilike(body.current_thread.text, '*invoice*'),
  strings.ilike(body.current_thread.text, '*call*'),
  strings.ilike(body.current_thread.text, '*cancel*'),
  strings.ilike(body.current_thread.text, '*renew*'),
  strings.ilike(body.current_thread.text, '*refund*'),
  strings.ilike(body.current_thread.text, '*transfer*'),
  strings.ilike(body.current_thread.text, '*message*')
)

// there's an email in the body
and regex.contains(body.current_thread.text,
                   "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
)

// and it's likely a freemail
and any($free_email_providers, strings.icontains(body.current_thread.text, .))

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Credential Phishing via Dropbox comment abuse"
description: "This rule detects Credential Phishing attacks exploiting familiar brands via Dropbox comments. These attacks originate from legitimate Dropbox infrastructure and attempt to pivot to external freemail addresses."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  
  // Legitimate Dropbox sending infratructure
  and (
    sender.email.domain.root_domain in ('dropbox.net', 'dropbox.com')
    // check for DMARC fail for spoofs
    and headers.auth_summary.dmarc.pass
  )
  
  // Dropbox Logo or text
  and (
    any(ml.logo_detect(file.message_screenshot()).brands, .name == "Dropbox")
    or strings.contains(body.current_thread.text, "Dropbox")
  )
  
  // Require common brand impersonation
  and strings.ilike(body.current_thread.text,
                    "*mcafee*",
                    "*norton*",
                    "*geek*squad*",
                    "*paypal*",
                    "*ebay*",
                    "*symantec*",
                    "*best buy*",
                    "*lifelock*",
                    "*geek*support*"
  )
  and 3 of (
    strings.ilike(body.current_thread.text, '*purchase*'),
    strings.ilike(body.current_thread.text, '*payment*'),
    strings.ilike(body.current_thread.text, '*transaction*'),
    strings.ilike(body.current_thread.text, '*subscription*'),
    strings.ilike(body.current_thread.text, '*antivirus*'),
    strings.ilike(body.current_thread.text, '*order*'),
    strings.ilike(body.current_thread.text, '*support*'),
    strings.ilike(body.current_thread.text, '*help line*'),
    strings.ilike(body.current_thread.text, '*receipt*'),
    strings.ilike(body.current_thread.text, '*invoice*'),
    strings.ilike(body.current_thread.text, '*call*'),
    strings.ilike(body.current_thread.text, '*cancel*'),
    strings.ilike(body.current_thread.text, '*renew*'),
    strings.ilike(body.current_thread.text, '*refund*'),
    strings.ilike(body.current_thread.text, '*transfer*'),
    strings.ilike(body.current_thread.text, '*message*')
  )
  
  // there's an email in the body
  and regex.contains(body.current_thread.text,
                     "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
  )
  
  // and it's likely a freemail
  and any($free_email_providers, strings.icontains(body.current_thread.text, .))
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Sender analysis"

id: "744d494d-adbf-54fe-8813-2ad7c2c6e245"