Brand impersonation: Dropbox

Impersonation of Dropbox, a file sharing service.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Dropbox"
 2description: |
 3    Impersonation of Dropbox, a file sharing service.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and (
 9    strings.ilike(sender.display_name, '*dropbox*')
10    or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
11    or strings.ilike(sender.email.domain.domain, '*dropbox*')
12    or any(body.links,
13           .display_url.domain.root_domain == "dropbox.com"
14           and .mismatched
15           and not .href_url.domain.root_domain in (
16             "mimecast.com",
17             "mimecastprotect.com"
18           )
19    )
20    or regex.icontains(body.current_thread.text,
21                       'invited you to view the file ".*" on Dropbox'
22    )
23  )
24  and sender.email.domain.root_domain not in~ (
25    'dropbox.com',
26    'dropboxforum.com',
27    'dropboxsign.com'
28  )
29  and (
30    any(attachments,
31        .file_type in $file_types_images
32        and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
33    )
34    or any(body.links,
35           strings.ilike(.display_text,
36                         "*review*",
37                         "*sign*",
38                         "*view*",
39                         "*completed document*",
40                         "*open agreement*",
41                         "*open document*",
42                         "*open file*"
43           )
44           and not strings.ilike(.display_text, "*view this email in*")
45           and .href_url.domain.root_domain != "dropbox.com"
46           and any(ml.nlu_classifier(body.current_thread.text).intents,
47                   .name == "cred_theft" and .confidence in ("medium", "high")
48           )
49    )
50    or (
51      length(ml.logo_detect(file.message_screenshot()).brands) != 0
52      and all(ml.logo_detect(file.message_screenshot()).brands,
53              .name == "Dropbox"
54      )
55    )
56  )
57  and sender.email.email not in $recipient_emails
58  
59  // negate dropbox fax (aka hellofax)
60  and not sender.email.domain.root_domain == 'hellofax.com'
61  
62  // negate highly trusted sender domains unless they fail DMARC authentication
63  and (
64    (
65      sender.email.domain.root_domain in $high_trust_sender_root_domains
66      and not headers.auth_summary.dmarc.pass
67    )
68    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
69  )  
70
71attack_types:
72  - "Credential Phishing"
73tactics_and_techniques:
74  - "Impersonation: Brand"
75  - "Social engineering"
76detection_methods:
77  - "Content analysis"
78  - "File analysis"
79  - "Header analysis"
80  - "Sender analysis"
81id: "61f11d12-7033-53c9-a95a-df982ff31c4b"