Service Abuse: Dropbox Share From New Domain

 1name: "Service Abuse: Dropbox Share From New Domain"
 2description: "This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  //  Dropbox actual sending infrastructure
 9  and sender.email.email == "no-reply@dropbox.com"
10  and headers.auth_summary.spf.pass
11  and headers.auth_summary.dmarc.pass
12  and strings.ends_with(headers.auth_summary.spf.details.designator,
13                      '.dropbox.com'
14  )
15  
16  
17  // the message needs to have a reply-to address
18  and length(headers.reply_to) > 0
19  
20  // reply-to email address has never received an email from your org
21  and not any(headers.reply_to, .email.email in $recipient_emails)
22  
23  // new reply-to domain
24  and any(filter(headers.reply_to,
25                  // negate .com.au which doesn't provide created date for domains
26                  .email.domain.tld not in ('com.au')
27          ),
28          network.whois(.email.domain).days_old < 30
29  )  
30tags:
31 - "Attack surface reduction"
32attack_types:
33  - "Callback Phishing"
34  - "Credential Phishing"
35  - "BEC/Fraud"
36tactics_and_techniques:
37  - "Evasion"
38  - "Social engineering"
39detection_methods:
40  - "Content analysis"
41  - "Sender analysis"
42  - "Header analysis"
43id: "0e664bd9-c3dd-53ca-a912-bb1a627e22ae"