Service Abuse: Dropbox Share with Suspicious Sender or Document Name

This rule matches file-share notification messages sent by Dropbox whose document name or sender display name contains suspicious content.

Sublime rule (View on GitHub)

  1name: "Service Abuse: Dropbox Share with Suspicious Sender or Document Name"
  2description: "The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  
  8  // Legitimate Dropbox sending infratructure
  9  and sender.email.email == "no-reply@dropbox.com"
 10  and headers.auth_summary.spf.pass
 11  and headers.auth_summary.dmarc.pass
 12  and strings.ends_with(headers.auth_summary.spf.details.designator,
 13                        '.dropbox.com'
 14  )
 15  and strings.icontains(subject.subject, 'shared')
 16  and strings.icontains(subject.subject, 'with you')
 17  and (
 18    // contains the word dropbox
 19    // everything not "shared" and "with you" is actor controlled
 20    strings.icontains(subject.subject, 'dropbox')
 21    or strings.icontains(subject.subject, 'sharefile')
 22  
 23    // sender names part of the subject
 24    or (
 25      // Billing Accounting
 26      regex.icontains(subject.subject,
 27                      'Accounts? (?:Payable|Receivable).*shared',
 28                      'Billing Support.*shared'
 29      )
 30  
 31      // HR/Payroll/Legal/etc
 32      or regex.icontains(subject.subject, 'Compliance HR.*shared')
 33      or regex.icontains(subject.subject,
 34                         '(?:Compliance|Executive|Finance|\bHR\b|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared'
 35      )
 36      or regex.icontains(subject.subject, '(?:Department|Team).*shared')
 37      or regex.icontains(subject.subject, 'Corporate Communications.*shared')
 38      or regex.icontains(subject.subject, 'Employee Relations.*shared')
 39      or regex.icontains(subject.subject, 'Office Manager.*shared')
 40      or regex.icontains(subject.subject, 'Risk Management.*shared')
 41      or regex.icontains(subject.subject, 'Payroll Admin(?:istrator).*shared')
 42      or regex.icontains(subject.subject, 'Human Resources.*shared')
 43      or regex.icontains(subject.subject, 'HR.*shared')
 44  
 45      // IT related
 46      or regex.icontains(subject.subject,
 47                         'IT Support.*shared',
 48                         'Information Technology.*shared',
 49                         '(?:Network|System)? Admin(?:istrator).*shared',
 50                         'Help Desk.*shared',
 51                         'Tech(?:nical) Support.*shared'
 52      )
 53  
 54      // an email address in the subject is also interesting
 55      or regex.icontains(subject.subject, '\w+@\w+\.\w+.*shared')
 56    )
 57    // filename analysis
 58    // the filename is also contianed in the subject line
 59    or
 60    (
 61      // untitled.paper
 62      regex.icontains(subject.subject, 'shared.*\"Untitled.paper')
 63      // scanner themed
 64      or regex.icontains(subject.subject, 'shared.*\".*scanne[rd]')
 65      // image theme
 66      or regex.icontains(subject.subject, 'shared.*\".*_IMG_')
 67      or regex.icontains(subject.subject, 'shared.*\".*IMG[_-](?:\d|\W)+\"')
 68      // ondrive theme
 69      or regex.icontains(subject.subject, 'shared.*\".*one_docx')
 70      or regex.icontains(subject.subject, 'shared.*\".*One.?Drive')
 71      or regex.icontains(subject.subject, 'shared.*\".*click here')
 72      or regex.icontains(subject.subject, 'shared.*\".*Download PDF')
 73      or regex.icontains(subject.subject, 'shared.*\".*Validate')
 74  
 75      // Invoice Themes
 76      or regex.icontains(subject.subject, 'shared.*\".*Invoice')
 77      or regex.icontains(subject.subject, 'shared.*\".*INV\b')
 78      or regex.icontains(subject.subject, 'shared.*\".*Payment')
 79      or regex.icontains(subject.subject, 'shared.*\".*ACH')
 80      or regex.icontains(subject.subject, 'shared.*\".*Wire Confirmation')
 81      or regex.icontains(subject.subject, 'shared.*\".*P[O0]\W+?\d+\"')
 82      or regex.icontains(subject.subject, 'shared.*\"P[O0](?:\W+?|\d+)')
 83      or regex.icontains(subject.subject, 'shared.*\".*receipt')
 84      or regex.icontains(subject.subject, 'shared.*\".*Billing')
 85      or regex.icontains(subject.subject, 'shared.*\".*statement')
 86      or regex.icontains(subject.subject, 'shared.*\".*Past Due')
 87      or regex.icontains(subject.subject, 'shared.*\".*Remit(?:tance)?')
 88      or regex.icontains(subject.subject, 'shared.*\".*Purchase Order')
 89      or regex.icontains(subject.subject, 'shared.*\".*Settlement')
 90      
 91      // contract language
 92      or regex.icontains(subject.subject, 'shared.*\".*Contract Agreement')
 93      or regex.icontains(subject.subject, 'shared.*\".*Pr[0o]p[0o]sal')
 94      or regex.icontains(subject.subject, 'shared.*\".*Contract Doc')
 95  
 96      or regex.icontains(subject.subject, 'shared.*\".*Claim Doc')
 97  
 98      // Payroll/HR
 99      or regex.icontains(subject.subject, 'shared.*\".*Payroll')
100      or regex.icontains(subject.subject, 'shared.*\".*Employee Pay\b')
101      or regex.icontains(subject.subject, 'shared.*\".*Salary')
102      or regex.icontains(subject.subject, 'shared.*\".*Benefit Enrollment')
103      or regex.icontains(subject.subject, 'shared.*\".*Employee Handbook')
104      or regex.icontains(subject.subject, 'shared.*\".*Reimbursement Approved')
105  
106  
107      // shared files/extenstion
108      or regex.icontains(subject.subject, 'shared.*\".*Shared.?File')
109      or regex.icontains(subject.subject, 'shared.*\".*Urgent')
110      or regex.icontains(subject.subject, 'shared.*\".*Important')
111      or regex.icontains(subject.subject, 'shared.*\".*Secure')
112      or regex.icontains(subject.subject, 'shared.*\".*Encrypt')
113      or regex.icontains(subject.subject, 'shared.*\".*shared')
114      or regex.icontains(subject.subject, 'shared.*\".*protected')
115      or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.pdf')
116      or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.paper')
117      // all caps filename allowing for numbers, punct and spaces, and an optional file extenstion
118      or regex.contains(subject.subject,
119                        'shared \"[A-Z0-9[:punct:]\s]+(?:\.[a-zA-Z]{3,5})\"'
120      )
121      or regex.icontains(subject.subject,
122                         'shared \".*(?:shared|sent).*\" with you'
123      )
124  
125      // MFA theme
126      or regex.icontains(subject.subject, 'shared.*\".*Verification Code')
127      or regex.icontains(subject.subject, 'shared.*\".*\bMFA\b')
128
129      // the reply-to address is within the subject
130      or any(headers.reply_to,
131             strings.icontains(subject.subject, .email.domain.domain)
132      )
133    )
134  )  
135
136attack_types:
137  - "Callback Phishing"
138  - "BEC/Fraud"
139tactics_and_techniques:
140  - "Evasion"
141  - "Social engineering"
142detection_methods:
143  - "Sender analysis"
144  - "Header analysis"
145  - "Content analysis"
146id: "27007c9f-e738-584f-8b49-74710f9ef9a6"