Deceptive Dropbox mention

calendar Dec 15, 2025  ·
Share on: linkedin copy

Detects when a message mentions Dropbox but comes from non-Dropbox infrastructure, contains links to suspicious domains, shows discrepancies in sender identity, and contains language patterns associated with credential theft.

Sublime rule (View on GitHub)

 1name: "Deceptive Dropbox mention"
 2description: "Detects when a message mentions Dropbox but comes from non-Dropbox infrastructure, contains links to suspicious domains, shows discrepancies in sender identity, and contains language patterns associated with credential theft."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and strings.icontains(body.current_thread.text, 'dropbox')
 8  and any(beta.ml_topic(coalesce(body.html.display_text, body.current_thread.text)).topics, .name == "File Sharing and Cloud Services" and .confidence != "low")
 9  
10  and (
11    // Email address discrepancy detection - looking for matches in the domain name from the sender but not the current thread proposed sender name
12    any(regex.iextract(body.current_thread.text,
13                     '(?P<whole_email>(?P<local_part>[a-zA-Z0-9._%-]+)@(?P<domain_name>[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}))'
14                    ),
15      strings.parse_email(.named_groups["whole_email"]).domain.domain == sender.email.domain.domain
16      and strings.parse_email(.named_groups["whole_email"]).local_part != sender.email.local_part
17      and not strings.parse_email(.named_groups["whole_email"]).email in~ map(filter(recipients.to, .email.domain.valid), .email.email)
18    )
19    // self sender
20    or (
21      length(recipients.to) == 1
22      and sender.email.email == recipients.to[0].email.email
23    )
24  )
25  
26  // Not from legitimate Dropbox infrastructure
27  and sender.email.domain.root_domain not in~ (
28    'dropbox.com',
29    'docsend.com',
30    'box.com',
31    'wetransfer.com',
32    // tuning: exlude hellosign emails that are covered in another rule
33    'hellosign.com'
34  )
35  
36  // Contains suspicious links to non-Dropbox/file-sharing domains
37  and any(body.links,
38          (.href_url.domain.root_domain in~ $free_subdomain_hosts
39          or .href_url.domain.root_domain in~ $free_file_hosts)
40          and .href_url.domain.valid
41  )
42  
43  // ML indicates potential credential theft
44  and any(ml.nlu_classifier(body.current_thread.text).intents,
45          .name == "cred_theft" and .confidence != "low"
46  )  
47
48attack_types:
49  - "Credential Phishing"
50tactics_and_techniques:
51  - "Impersonation: Brand"
52  - "Free file host"
53  - "Free subdomain host"
54  - "Social engineering"
55detection_methods:
56  - "Header analysis"
57  - "Content analysis"
58  - "Natural Language Understanding"
59  - "Sender analysis"
60  - "URL analysis"
61id: "58a107bc-dd68-5fdd-9813-4a05411aafd9"
to-top