Service abuse: Dropbox share with suspicious sender or document name
The detection rule is intended to match on messages sent from Dropbox notifying the recipient of a shared file, where the document name or the sender display name contains suspicious content.
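name: "Service abuse: Dropbox share with suspicious sender or document name"
description: "The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Legitimate Dropbox sending infrastructure: the notification must come from
  // Dropbox's own sender, pass SPF and DMARC, and be authenticated by a
  // *.dropbox.com designator. Only the subject line is therefore actor controlled.
  and sender.email.email == "no-reply@dropbox.com"
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
  and strings.ends_with(headers.auth_summary.spf.details.designator,
                        '.dropbox.com'
  )
  // Dropbox share notifications follow the "<sender> shared "<file>" with you" form
  and strings.icontains(subject.subject, 'shared')
  and strings.icontains(subject.subject, 'with you')
  and (
    // contains the word dropbox
    // everything not "shared" and "with you" is actor controlled
    strings.icontains(subject.subject, 'dropbox')
    or strings.icontains(subject.subject, 'sharefile')

    // sender names part of the subject
    or (
      // Billing Accounting
      regex.icontains(subject.subject,
                      'Accounts? (?:Payable|Receivable).*shared',
                      'Billing Support.*shared'
      )

      // HR/Payroll/Legal/etc
      or regex.icontains(subject.subject, 'Compliance HR.*shared')
      or regex.icontains(subject.subject,
                         '(?:Compliance|Executive|Finance|\bHR\b|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared'
      )
      or regex.icontains(subject.subject, '(?:Department|Team).*shared')
      or regex.icontains(subject.subject, 'Corporate Communications.*shared')
      or regex.icontains(subject.subject, 'Employee Relations.*shared')
      or regex.icontains(subject.subject, 'Office Manager.*shared')
      or regex.icontains(subject.subject, 'Risk Management.*shared')
      // "istrator" is optional so the short form "Payroll Admin" matches too
      or regex.icontains(subject.subject, 'Payroll Admin(?:istrator)?.*shared')
      or regex.icontains(subject.subject, 'Human Resources.*shared')
      // NOTE(review): unbounded "HR" also matches inside words such as "Chris" or
      // "through" and is a false-positive source; \bHR\b above covers the bounded form
      or regex.icontains(subject.subject, 'HR.*shared')

      // IT related
      // "(?:istrator)?" and "(?:nical)?" are optional so that "Admin" and
      // "Tech Support" match as well as the long forms
      or regex.icontains(subject.subject,
                         'IT Support.*shared',
                         'Information Technology.*shared',
                         '(?:Network|System)? Admin(?:istrator)?.*shared',
                         'Help Desk.*shared',
                         'Tech(?:nical)? Support.*shared'
      )

      // an email address in the subject is also interesting
      or regex.icontains(subject.subject, '\w+@\w+\.\w+.*shared')
    )
    // filename analysis
    // the filename is also contained in the subject line, quoted after "shared"
    or (
      // untitled.paper
      regex.icontains(subject.subject, 'shared.*\"Untitled.paper')
      // scanner themed
      or regex.icontains(subject.subject, 'shared.*\".*scanne[rd]')
      // image theme
      or regex.icontains(subject.subject, 'shared.*\".*_IMG_')
      or regex.icontains(subject.subject, 'shared.*\".*IMG[_-](?:\d|\W)+\"')
      // OneDrive theme
      or regex.icontains(subject.subject, 'shared.*\".*one_docx')
      or regex.icontains(subject.subject, 'shared.*\".*One.?Drive')
      or regex.icontains(subject.subject, 'shared.*\".*click here')
      or regex.icontains(subject.subject, 'shared.*\".*Download PDF')
      or regex.icontains(subject.subject, 'shared.*\".*Validate')

      // Invoice Themes
      or regex.icontains(subject.subject, 'shared.*\".*Invoice')
      or regex.icontains(subject.subject, 'shared.*\".*INV\b')
      or regex.icontains(subject.subject, 'shared.*\".*Payment')
      or regex.icontains(subject.subject, 'shared.*\".*ACH')
      or regex.icontains(subject.subject, 'shared.*\".*Wire Confirmation')
      or regex.icontains(subject.subject, 'shared.*\".*P[O0]\W+?\d+\"')
      or regex.icontains(subject.subject, 'shared.*\"P[O0](?:\W+?|\d+)')
      or regex.icontains(subject.subject, 'shared.*\".*receipt')
      or regex.icontains(subject.subject, 'shared.*\".*Billing')
      or regex.icontains(subject.subject, 'shared.*\".*statement')
      or regex.icontains(subject.subject, 'shared.*\".*Past Due')
      or regex.icontains(subject.subject, 'shared.*\".*Remit(?:tance)?')
      or regex.icontains(subject.subject, 'shared.*\".*Purchase Order')
      or regex.icontains(subject.subject, 'shared.*\".*Settlement')

      // contract language
      or regex.icontains(subject.subject, 'shared.*\".*Contract Agreement')
      or regex.icontains(subject.subject, 'shared.*\".*Pr[0o]p[0o]sal')
      or regex.icontains(subject.subject, 'shared.*\".*Contract Doc')
      or regex.icontains(subject.subject, 'shared.*\".*Claim Doc')

      // Payroll/HR
      // section also used in link_sharepoint_sus_name.yml with modified input
      or regex.icontains(subject.subject, 'shared.*\".*Payroll')
      or regex.icontains(subject.subject, 'shared.*\".*Employee Pay\b')
      or regex.icontains(subject.subject, 'shared.*\".*Salary')
      or regex.icontains(subject.subject, 'shared.*\".*Benefit Enrollment')
      or regex.icontains(subject.subject, 'shared.*\".*Employee Handbook')
      or regex.icontains(subject.subject, 'shared.*\".*Reimbursement Approved')
      or regex.icontains(subject.subject,
                         'shared.*\".*(?:Faculty|Staff)\s*(?:\w+\s+){0,3}\s*Eval(?:uation)?'
      )

      // shared files/extension
      or regex.icontains(subject.subject, 'shared.*\".*Shared.?File')
      or regex.icontains(subject.subject, 'shared.*\".*Urgent')
      or regex.icontains(subject.subject, 'shared.*\".*Important')
      or regex.icontains(subject.subject, 'shared.*\".*Secure')
      or regex.icontains(subject.subject, 'shared.*\".*Encrypt')
      or regex.icontains(subject.subject, 'shared.*\".*shared')
      or regex.icontains(subject.subject, 'shared.*\".*protected')
      or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.pdf')
      or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.paper')
      // all caps filename allowing for numbers, punct and spaces, and an optional
      // file extension (the extension group is "?" so a bare all-caps name also
      // matches). regex.contains is deliberately case-sensitive here.
      or regex.contains(subject.subject,
                        'shared \"[A-Z0-9[:punct:]\s]+(?:\.[a-zA-Z]{3,5})?\"'
      )
      or regex.icontains(subject.subject,
                         'shared \".*(?:shared|sent).*\" with you'
      )

      // MFA theme
      or regex.icontains(subject.subject, 'shared.*\".*Verification Code')
      or regex.icontains(subject.subject, 'shared.*\".*\bMFA\b')

      // the reply-to address is within the subject
      or any(headers.reply_to,
             strings.icontains(subject.subject, .email.domain.domain)
      )
    )
  )
attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
  - "Content analysis"
id: "27007c9f-e738-584f-8b49-74710f9ef9a6"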