Service abuse: Dropbox share from new domain

 1name: "Service abuse: Dropbox share from new domain"
 2description: "This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  //  Dropbox actual sending infrastructure
 9  and sender.email.email == "no-reply@dropbox.com"
10  and headers.auth_summary.spf.pass
11  and headers.auth_summary.dmarc.pass
12  and strings.ends_with(headers.auth_summary.spf.details.designator,
13                        '.dropbox.com'
14  )
15  
16  // the message needs to have a reply-to address
17  and length(headers.reply_to) > 0
18  
19  // 
20  // This rule makes use of a beta feature and is subject to change without notice
21  // using the beta feature in custom rules is not suggested until it has been formally released
22  // 
23  
24  // reply-to email address has never been sent an email by the org
25  and not beta.profile.by_reply_to().solicited
26  
27  // do not match if the reply_to address has been observed as a reply_to address
28  // of a message that has been classified as benign
29  and not beta.profile.by_reply_to().any_messages_benign
30  
31  // new reply-to domain
32  and any(headers.reply_to, network.whois(.email.domain).days_old < 30)  
33tags:
34 - "Attack surface reduction"
35attack_types:
36  - "Callback Phishing"
37  - "Credential Phishing"
38  - "BEC/Fraud"
39tactics_and_techniques:
40  - "Evasion"
41  - "Social engineering"
42detection_methods:
43  - "Content analysis"
44  - "Sender analysis"
45  - "Header analysis"
46id: "0e664bd9-c3dd-53ca-a912-bb1a627e22ae"