Deceptive Dropbox mention

Detects when a message mentions Dropbox but comes from non-Dropbox infrastructure, contains links to suspicious domains, shows discrepancies in sender identity, and contains language patterns associated with credential theft.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The `source` block is MQL (Message Query
# Language); every clause must hold for the rule to fire, so the rule is the
# intersection of: a Dropbox mention, a file-sharing topic, a sender-identity
# signal, a non-allowlisted sender domain, a free-host link, and a cred-theft
# intent from the NLU model.
name: "Deceptive Dropbox mention"
description: "Detects when a message mentions Dropbox but comes from non-Dropbox infrastructure, contains links to suspicious domains, shows discrepancies in sender identity, and contains language patterns associated with credential theft."
type: "rule"
severity: "medium"
source: |
  // Inbound mail whose current-thread text mentions "dropbox" (case-insensitive)
  type.inbound
  and strings.icontains(body.current_thread.text, 'dropbox')
  // Topic model must also place the message in file sharing / cloud services
  // with at least medium confidence; prefers the rendered HTML text and falls
  // back to the plain thread text when no HTML display text is available
  and any(beta.ml_topic(coalesce(body.html.display_text, body.current_thread.text)
          ).topics,
          .name == "File Sharing and Cloud Services" and .confidence != "low"
  )
  and (
    // Email address discrepancy detection - looking for matches in the domain name from the sender but not the current thread proposed sender name
    // Pulls email-like strings out of the thread text and matches when one shares
    // the sender's domain but has a different local part, and is not itself one
    // of the (domain-valid) To recipients
    any(regex.iextract(body.current_thread.text,
                       '(?P<whole_email>(?P<local_part>[a-zA-Z0-9._%-]+)@(?P<domain_name>[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}))'
        ),
        strings.parse_email(.named_groups["whole_email"]).domain.domain == sender.email.domain.domain
        and strings.parse_email(.named_groups["whole_email"]).local_part != sender.email.local_part
        and not strings.parse_email(.named_groups["whole_email"]).email in~ map(filter(recipients.to,
                                                                                       .email.domain.valid
                                                                                ),
                                                                                .email.email
        )
    )
    // self sender: exactly one To recipient, and it is the sender's own address
    or (
      length(recipients.to) == 1
      and sender.email.email == recipients.to[0].email.email
    )
  )
  
  // Not from legitimate Dropbox infrastructure
  // Allowlist of known file-sharing / e-signature senders (DocSend and HelloSign
  // are Dropbox-owned; Box and WeTransfer are unrelated services).
  // NOTE(review): this exclusion keys on the domain claimed in the From header
  // only; a message spoofing one of these domains without passing sender
  // authentication would be exempted here — consider gating the allowlist on
  // the message's authentication results.
  and sender.email.domain.root_domain not in~ (
    'dropbox.com',
    'docsend.com',
    'box.com',
    'wetransfer.com',
    // tuning: exclude hellosign emails that are covered in another rule
    'hellosign.com'
  )
  
  // Contains suspicious links to non-Dropbox/file-sharing domains
  // $free_subdomain_hosts / $free_file_hosts are list variables resolved outside
  // this rule; only links whose domain parses as valid are counted
  and any(body.links,
          (
            .href_url.domain.root_domain in~ $free_subdomain_hosts
            or .href_url.domain.root_domain in~ $free_file_hosts
          )
          and .href_url.domain.valid
  )
  
  // ML indicates potential credential theft
  // Requires the NLU intent classifier to label the thread text as cred_theft
  // with at least medium confidence
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )  
# Classification metadata attached to detections from this rule
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
# Stable identifier for this rule
id: "58a107bc-dd68-5fdd-9813-4a05411aafd9"