Deceptive Dropbox mention

calendar Aug 5, 2025  ·
Share on: linkedin copy

Detects when a message mentions Dropbox but comes from non-Dropbox infrastructure, contains links to suspicious domains, shows discrepancies in sender identity, and contains language patterns associated with credential theft.

Sublime rule (View on GitHub)

 1name: "Deceptive Dropbox mention"
 2description: "Detects when a message mentions Dropbox but comes from non-Dropbox infrastructure, contains links to suspicious domains, shows discrepancies in sender identity, and contains language patterns associated with credential theft."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and strings.icontains(body.current_thread.text, 'dropbox')
 8  and any(beta.ml_topic(coalesce(body.html.display_text, body.current_thread.text)).topics, .name == "File Sharing and Cloud Services" and .confidence != "low")
 9  
10  // Email address discrepancy detection - looking for matches in the domain name from the sender but not the current thread proposed sender name
11  and any(regex.iextract(body.current_thread.text,
12                     '(?P<whole_email>(?P<local_part>[a-zA-Z0-9._%-]+)@(?P<domain_name>[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}))'
13                    ),
14      strings.parse_email(.named_groups["whole_email"]).domain.domain == sender.email.domain.domain
15      and strings.parse_email(.named_groups["whole_email"]).local_part != sender.email.local_part
16      and not strings.parse_email(.named_groups["whole_email"]).email in~ map(filter(recipients.to, .email.domain.valid), .email.email)
17  )
18  
19  // Not from legitimate Dropbox infrastructure
20  and sender.email.domain.root_domain not in~ (
21    'dropbox.com',
22    'docsend.com',
23    'box.com',
24    'wetransfer.com',
25    // tuning: exlude hellosign emails that are covered in another rule
26    'hellosign.com'
27  )
28  
29  // Contains suspicious links to non-Dropbox/file-sharing domains
30  and any(body.links,
31          (.href_url.domain.root_domain in~ $free_subdomain_hosts
32          or .href_url.domain.root_domain in~ $free_file_hosts)
33          and .href_url.domain.valid
34  )
35  
36  // ML indicates potential credential theft
37  and any(ml.nlu_classifier(body.current_thread.text).intents,
38          .name == "cred_theft" and .confidence != "low"
39  )  
40
41attack_types:
42  - "Credential Phishing"
43tactics_and_techniques:
44  - "Impersonation: Brand"
45  - "Free file host"
46  - "Free subdomain host"
47  - "Social engineering"
48detection_methods:
49  - "Header analysis"
50  - "Content analysis"
51  - "Natural Language Understanding"
52  - "Sender analysis"
53  - "URL analysis"
54id: "58a107bc-dd68-5fdd-9813-4a05411aafd9"
to-top