Attachment: Dropbox image lure with no Dropbox domains in links
Detects Dropbox phishing emails with no Dropbox links with image attachments from an untrusted sender.
Sublime rule (View on GitHub)
1name: "Attachment: Dropbox image lure with no Dropbox domains in links"
2description: "Detects Dropbox phishing emails with no Dropbox links with image attachments from an untrusted sender."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(filter(attachments, .file_type not in $file_types_images)) == 0
8 and any(body.links,
9 not strings.ilike(.href_url.domain.root_domain, "dropbox.*")
10 )
11 and any(attachments,
12 .file_type in $file_types_images
13 and any(file.explode(.),
14 strings.ilike(.scan.ocr.raw, "*dropbox*")
15 and strings.ilike(.scan.ocr.raw, "*review*", "*sign*")
16 )
17 )
18 and (
19 not profile.by_sender().solicited
20 or profile.by_sender().any_messages_malicious_or_spam
21 )
22 and not profile.by_sender().any_false_positives
23attack_types:
24 - "Credential Phishing"
25tactics_and_techniques:
26 - "Impersonation: Brand"
27 - "Social engineering"
28detection_methods:
29 - "Content analysis"
30 - "File analysis"
31 - "Header analysis"
32 - "Optical Character Recognition"
33 - "Sender analysis"
34id: "500eee2d-d793-5450-a87f-825ce27c897d"