Service Abuse: Dropbox Share From an Unsolicited Reply-To Address

 1name: "Service Abuse: Dropbox Share From an Unsolicited Reply-To Address"
 2description: "This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Legitimate Dropbox sending infratructure
 9  and sender.email.email == "no-reply@dropbox.com"
10  and headers.auth_summary.spf.pass
11  and headers.auth_summary.dmarc.pass
12  and strings.ends_with(headers.auth_summary.spf.details.designator,
13                        '.dropbox.com'
14  )
15  and strings.icontains(subject.subject, 'shared')
16  and strings.icontains(subject.subject, 'with you')
17  
18  //
19  // This rule makes use of a beta feature and is subject to change without notice
20  // using the beta feature in custom rules is not suggested until it has been formally released
21  //
22  
23  // reply-to address has never sent an email to the org
24  and beta.profile.by_reply_to().prevalence == "new"
25  
26  // reply-to email address has never been sent an email by the org
27  and not beta.profile.by_reply_to().solicited
28
29  // do not match if the reply_to address has been observed as a reply_to address
30  // of a message that has been classified as benign
31  and not beta.profile.by_reply_to().any_messages_benign
32    
33tags:
34 - "Attack surface reduction"
35attack_types:
36  - "Callback Phishing"
37  - "BEC/Fraud"
38tactics_and_techniques:
39  - "Evasion"
40  - "Social engineering"
41detection_methods:
42  - "Sender analysis"
43  - "Header analysis"
44  - "Content analysis"
45id: "50a1499f-bb59-5ee0-b4f4-e3cc84a5c41e"