Service Abuse: Dropbox Share From an Unsolicited Reply-To Address
This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization.
Sublime rule (View on GitHub)
name: "Service Abuse: Dropbox Share From an Unsolicited Reply-To Address"
description: "This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Legitimate Dropbox sending infrastructure
  and sender.email.email == "no-reply@dropbox.com"
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
  and strings.ends_with(headers.auth_summary.spf.details.designator,
                        '.dropbox.com'
  )
  and strings.icontains(subject.subject, 'shared')
  and strings.icontains(subject.subject, 'with you')

  and length(headers.reply_to) > 0
  // reply-to email address has never been sent an email by the org
  and not (
    any(headers.reply_to, .email.email in $recipient_emails)
    // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
    or any(filter(headers.reply_to,
                  // filter the list to only emails that are not in free_email_providers
                  (
                    .email.domain.domain not in $free_email_providers
                    or .email.domain.root_domain not in $free_email_providers
                  )
           ),
           .email.domain.domain in $recipient_domains
    )
  )
  // reply-to address has never sent an email to the org
  and not (
    any(headers.reply_to, .email.email in $sender_emails)
    // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
    or any(filter(headers.reply_to,
                  // filter the list to only emails that are not in free_email_providers
                  (
                    .email.domain.domain not in $free_email_providers
                    or .email.domain.root_domain not in $free_email_providers
                  )
           ),
           .email.domain.domain in $sender_domains
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
  - "Content analysis"
id: "50a1499f-bb59-5ee0-b4f4-e3cc84a5c41e"
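To make the reply-to logic concrete, the following is an added Python re-implementation of the rule (not the Sublime rule itself and not code from the Sublime repository) that evaluates constructed messages against a constructed org mail history. The free-email-provider list, the root-domain helper and the Message fields are simplifications assumed for the demo.

```python
from dataclasses import dataclass, field

# Constructed subset of Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

@dataclass
class Message:
    """Only the fields the rule inspects; values are constructed for the demo."""
    sender: str
    spf_pass: bool
    dmarc_pass: bool
    spf_designator: str   # stands in for headers.auth_summary.spf.details.designator
    subject: str
    reply_to: list = field(default_factory=list)

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def root_domain_of(domain):
    # Simplification: last two labels. Sublime's .root_domain uses the public suffix list.
    return ".".join(domain.split(".")[-2:])

def previously_observed(reply_tos, known_emails, known_domains):
    """One 'not ( any(...) or any(filter(...), ...) )' block of the rule.

    An exact address match counts for any domain; a domain match only counts
    when the address is not at a free email provider, so one gmail.com user
    the org has mailed before does not vouch for every other gmail.com user.
    """
    if any(r.lower() in known_emails for r in reply_tos):
        return True
    non_free = [r for r in reply_tos
                if domain_of(r) not in FREE_EMAIL_PROVIDERS
                or root_domain_of(domain_of(r)) not in FREE_EMAIL_PROVIDERS]
    return any(domain_of(r) in known_domains for r in non_free)

def rule_matches(msg, recipient_emails, recipient_domains, sender_emails, sender_domains):
    """True when the message would trigger the rule."""
    legit_dropbox = (
        msg.sender.lower() == "no-reply@dropbox.com"
        and msg.spf_pass and msg.dmarc_pass
        and msg.spf_designator.endswith(".dropbox.com")
        and "shared" in msg.subject.lower() and "with you" in msg.subject.lower()
    )
    if not legit_dropbox or not msg.reply_to:
        return False   # not a real Dropbox notification, or no reply-to to judge
    return (not previously_observed(msg.reply_to, recipient_emails, recipient_domains)
            and not previously_observed(msg.reply_to, sender_emails, sender_domains))
```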
Related rules
- Service Abuse: DocSend Share From an Unsolicited Reply-To Address
- Service Abuse: DocuSign Share From an Unsolicited Reply-To Address
- Service Abuse: Google Drive Share From an Unsolicited Reply-To Address
- Service Abuse: DocSend Share From Newly Registered Domain
- Attachment: OLE external relationship containing file scheme link to executable filetype