Credential Phishing via Dropbox comment abuse

calendar Apr 23, 2024  ·
Share on: linkedin copy

This rule detects Credential Phishing attacks exploiting familiar brands via Dropbox comments. These attacks originate from legitimate Dropbox infrastructure and attempt to pivot to external freemail addresses.

Sublime rule (View on GitHub)

 1name: "Credential Phishing via Dropbox comment abuse"
 2description: "This rule detects Credential Phishing attacks exploiting familiar brands via Dropbox comments. These attacks originate from legitimate Dropbox infrastructure and attempt to pivot to external freemail addresses."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(attachments) == 0
 8  
 9  // Legitimate Dropbox sending infratructure
10  and (
11    sender.email.domain.root_domain in ('dropbox.net', 'dropbox.com')
12    // check for DMARC fail for spoofs
13    and headers.auth_summary.dmarc.pass
14  )
15  
16  // Dropbox Logo or text
17  and (
18    any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Dropbox")
19    or strings.contains(body.current_thread.text, "Dropbox")
20  )
21  
22  // Require common brand impersonation
23  and strings.ilike(body.current_thread.text,
24                    "*mcafee*",
25                    "*norton*",
26                    "*geek*squad*",
27                    "*paypal*",
28                    "*ebay*",
29                    "*symantec*",
30                    "*best buy*",
31                    "*lifelock*",
32                    "*geek*support*"
33  )
34  and 3 of (
35    strings.ilike(body.current_thread.text, '*purchase*'),
36    strings.ilike(body.current_thread.text, '*payment*'),
37    strings.ilike(body.current_thread.text, '*transaction*'),
38    strings.ilike(body.current_thread.text, '*subscription*'),
39    strings.ilike(body.current_thread.text, '*antivirus*'),
40    strings.ilike(body.current_thread.text, '*order*'),
41    strings.ilike(body.current_thread.text, '*support*'),
42    strings.ilike(body.current_thread.text, '*help line*'),
43    strings.ilike(body.current_thread.text, '*receipt*'),
44    strings.ilike(body.current_thread.text, '*invoice*'),
45    strings.ilike(body.current_thread.text, '*call*'),
46    strings.ilike(body.current_thread.text, '*cancel*'),
47    strings.ilike(body.current_thread.text, '*renew*'),
48    strings.ilike(body.current_thread.text, '*refund*'),
49    strings.ilike(body.current_thread.text, '*transfer*'),
50    strings.ilike(body.current_thread.text, '*message*')
51  )
52  
53  // there's an email in the body
54  and regex.contains(body.current_thread.text,
55                     "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
56  )
57  
58  // and it's likely a freemail
59  and any($free_email_providers, strings.icontains(body.current_thread.text, .))  
60attack_types:
61  - "Credential Phishing"
62tactics_and_techniques:
63  - "Evasion"
64  - "Out of band pivot"
65  - "Social engineering"
66detection_methods:
67  - "Content analysis"
68  - "Computer Vision"
69  - "Sender analysis"
70
71id: "744d494d-adbf-54fe-8813-2ad7c2c6e245"
to-top