Credential Phishing via Dropbox comment abuse

This rule detects Credential Phishing attacks exploiting familiar brands via Dropbox comments. These attacks originate from legitimate Dropbox infrastructure and attempt to pivot to external freemail addresses.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The `source` block is the MQL query that is
# evaluated against each message; `//` lines inside it are MQL comments, not YAML.
name: "Credential Phishing via Dropbox comment abuse"
description: "This rule detects Credential Phishing attacks exploiting familiar brands via Dropbox comments. These attacks originate from legitimate Dropbox infrastructure and attempt to pivot to external freemail addresses."
type: "rule"
severity: "medium"
source: |
  // Inbound mail only, restricted to messages with no attachments
  // (presumably because a Dropbox comment notification is body-only — confirm against samples).
  type.inbound
  and length(attachments) == 0

  // Legitimate Dropbox sending infrastructure
  and (
    sender.email.domain.root_domain in ('dropbox.net', 'dropbox.com')
    // check for DMARC fail for spoofs: of the hops that report a DMARC result
    // (distinct presumably dedupes hops on that field), at least one must be
    // "pass" (case-insensitive), so a merely claimed dropbox.* sender is not enough.
    and any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "pass")
    )
  )

  // Dropbox Logo or text: either computer-vision logo detection on a rendered
  // screenshot of the message finds the Dropbox brand, or the literal
  // (case-sensitive) word "Dropbox" appears in the current thread body.
  and (
    any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Dropbox")
    or strings.contains(body.current_thread.text, "Dropbox")
  )

  // Require common brand impersonation: the body must match at least one of
  // these case-insensitive glob patterns (brands commonly abused in
  // subscription/refund-scam lures).
  and strings.ilike(body.current_thread.text,
                    "*mcafee*",
                    "*norton*",
                    "*geek*squad*",
                    "*paypal*",
                    "*ebay*",
                    "*symantec*",
                    "*best buy*",
                    "*lifelock*",
                    "*geek*support*"
  )
  // At least three of these transactional/support keywords must also appear,
  // to cut down on messages that only name a brand in passing.
  and 3 of (
    strings.ilike(body.current_thread.text, '*purchase*'),
    strings.ilike(body.current_thread.text, '*payment*'),
    strings.ilike(body.current_thread.text, '*transaction*'),
    strings.ilike(body.current_thread.text, '*subscription*'),
    strings.ilike(body.current_thread.text, '*antivirus*'),
    strings.ilike(body.current_thread.text, '*order*'),
    strings.ilike(body.current_thread.text, '*support*'),
    strings.ilike(body.current_thread.text, '*help line*'),
    strings.ilike(body.current_thread.text, '*receipt*'),
    strings.ilike(body.current_thread.text, '*invoice*'),
    strings.ilike(body.current_thread.text, '*call*'),
    strings.ilike(body.current_thread.text, '*cancel*'),
    strings.ilike(body.current_thread.text, '*renew*'),
    strings.ilike(body.current_thread.text, '*refund*'),
    strings.ilike(body.current_thread.text, '*transfer*'),
    strings.ilike(body.current_thread.text, '*message*')
  )

  // there's an email in the body (the "out of band pivot" the attacker wants
  // the victim to contact). The pattern is written with "\\." because the
  // YAML block scalar hands the backslash through to the MQL regex literally.
  and regex.contains(body.current_thread.text,
                     "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
  )

  // and it's likely a freemail
  // NOTE(review): this only checks whether some entry of $free_email_providers
  // appears anywhere in the body text; it is not tied to the address matched by
  // the regex above, so a provider name mentioned elsewhere in the thread also
  // satisfies it. Tightening it to the matched address's domain would reduce
  // both false positives and misses — confirm what the engine supports.
  and any($free_email_providers, strings.icontains(body.current_thread.text, .))
# Taxonomy metadata describing the attack and how it is detected.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Sender analysis"

# Stable identifier for this rule; presumably referenced by alerts and
# suppressions, so it should not change across edits.
id: "744d494d-adbf-54fe-8813-2ad7c2c6e245"