Brand impersonation: Dropbox
Impersonation of Dropbox, a file sharing service.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Dropbox"
2description: |
3 Impersonation of Dropbox, a file sharing service.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and (
9 strings.ilike(sender.display_name, '*dropbox*')
10 or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
11 or strings.ilike(sender.email.domain.domain, '*dropbox*')
12 or any(body.links,
13 .display_url.domain.root_domain == "dropbox.com"
14 and .mismatched
15 and not .href_url.domain.root_domain in (
16 "mimecast.com",
17 "mimecastprotect.com"
18 )
19 )
20 or regex.icontains(body.current_thread.text,
21 'invited you to view the file ".*" on Dropbox'
22 )
23 )
24 and sender.email.domain.root_domain not in~ (
25 'dropbox.com',
26 'dropboxforum.com',
27 'dropboxsign.com'
28 )
29 and (
30 any(attachments,
31 .file_type in $file_types_images
32 and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
33 )
34 or any(body.links,
35 strings.ilike(.display_text,
36 "*review*",
37 "*sign*",
38 "*view*",
39 "*completed document*",
40 "*open agreement*",
41 "*open document*",
42 "*open file*"
43 )
44 and not strings.ilike(.display_text, "*view this email in*")
45 and .href_url.domain.root_domain != "dropbox.com"
46 and any(ml.nlu_classifier(body.current_thread.text).intents,
47 .name == "cred_theft" and .confidence in ("medium", "high")
48 )
49 )
50 or (
51 length(ml.logo_detect(file.message_screenshot()).brands) != 0
52 and all(ml.logo_detect(file.message_screenshot()).brands,
53 .name == "Dropbox"
54 )
55 )
56 )
57 and sender.email.email not in $recipient_emails
58
59 // negate dropbox fax (aka hellofax)
60 and not sender.email.domain.root_domain == 'hellofax.com'
61
62 // negate iCloud Private Message Relay
63 and not (
64 sender.email.domain.root_domain == "privaterelay.appleid.com"
65 or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
66 )
67
68 // negate highly trusted sender domains unless they fail DMARC authentication
69 and (
70 (
71 sender.email.domain.root_domain in $high_trust_sender_root_domains
72 and not headers.auth_summary.dmarc.pass
73 )
74 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
75 )
76
77attack_types:
78 - "Credential Phishing"
79tactics_and_techniques:
80 - "Impersonation: Brand"
81 - "Social engineering"
82detection_methods:
83 - "Content analysis"
84 - "File analysis"
85 - "Header analysis"
86 - "Sender analysis"
87id: "61f11d12-7033-53c9-a95a-df982ff31c4b"