← Back to Explore
sublimemediumRule
Brand spoof: Dropbox
Impersonation of Dropbox, a file sharing service; specifically spoofs the Dropbox sender domain.
Detection Query
type.inbound
and sender.email.domain.root_domain == 'dropbox.com'
and not headers.auth_summary.dmarc.pass
// mitigates situations where an ESG misconfiguration could cause auth failures
and not strings.ends_with(headers.message_id, ".dropbox.com>")
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand spoof: Dropbox"
description: |
Impersonation of Dropbox, a file sharing service; specifically spoofs the Dropbox sender domain.
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.domain.root_domain == 'dropbox.com'
and not headers.auth_summary.dmarc.pass
// mitigates situations where an ESG misconfiguration could cause auth failures
and not strings.ends_with(headers.message_id, ".dropbox.com>")
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Impersonation: Brand"
- "Spoofing"
detection_methods:
- "Header analysis"
- "Sender analysis"
id: "bd99740a-07e1-5c6f-92f6-b223478effa8"