Brand impersonation: Dropbox

Impersonation of Dropbox, a file sharing service.

Sublime rule (View on GitHub)

# Sublime detection rule: flags inbound mail that impersonates Dropbox.
# Every top-level `and` clause in `source` must hold:
#   1. the message references Dropbox (display name, sender domain,
#      a Dropbox-looking link, or the share-invitation phrasing);
#   2. the sender's root domain is not Dropbox's own;
#   3. at least one phishing indicator fires (OCR text, a call-to-action
#      link scored as credential theft, or a detected Dropbox logo);
#   4. the usual negations: self-addressed mail, hellofax.com, and highly
#      trusted sender domains that pass DMARC.
# $file_types_images, $recipient_emails and $high_trust_sender_root_domains
# are lists defined outside this rule.
name: "Brand impersonation: Dropbox"
description: |
    Impersonation of Dropbox, a file sharing service.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // --- brand reference: any one of these signals ---
  and (
    // display name contains "dropbox" or is within one edit of it (case-insensitive)
    strings.ilike(sender.display_name, '*dropbox*')
    or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
    // sender's email domain contains "dropbox"
    or strings.ilike(sender.email.domain.domain, '*dropbox*')
    // a link displays dropbox.com but its href points elsewhere;
    // presumably the Mimecast domains are excluded because URL rewriting
    // produces a benign mismatch — confirm against the rule's history
    or any(body.links,
           .display_url.domain.root_domain == "dropbox.com"
           and .mismatched
           and not .href_url.domain.root_domain in (
             "mimecast.com",
             "mimecastprotect.com"
           )
    )
    // Dropbox share-invitation phrasing in the current thread's text
    or regex.icontains(body.current_thread.text,
                       'invited you to view the file ".*" on Dropbox'
    )
  )
  // --- sender is not Dropbox itself ---
  // NOTE(review): this exclusion is a plain domain comparison; a message whose
  // From domain is spoofed to dropbox.com would be excluded here regardless of
  // the DMARC result, unlike the $high_trust_sender_root_domains clause below,
  // which only honours the exclusion when DMARC passes. Consider pairing this
  // check with headers.auth_summary.dmarc.pass — confirm the intended behaviour.
  and sender.email.domain.root_domain not in~ ('dropbox.com', 'dropboxforum.com')
  // --- phishing indicator: any one of these ---
  and (
    // "dropbox" appears in OCR text of an image attachment
    any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
    )
    // call-to-action link that does not lead to dropbox.com, in a thread the
    // NLU classifier scores as credential theft with medium/high confidence
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*sign*",
                         "*view*",
                         "*completed document*",
                         "*open agreement*",
                         "*open document*",
                         "*open file*"
           )
           // skip the common "view this email in your browser" link
           and not strings.ilike(.display_text, "*view this email in*")
           and .href_url.domain.root_domain != "dropbox.com"
           and any(ml.nlu_classifier(body.current_thread.text).intents,
                   .name == "cred_theft" and .confidence in ("medium", "high")
           )
    )
    // logo detection on the rendered message finds at least one brand,
    // and every detected brand is Dropbox
    or (
      length(ml.logo_detect(beta.message_screenshot()).brands) != 0
      and all(ml.logo_detect(beta.message_screenshot()).brands,
              .name == "Dropbox"
      )
    )
  )
  // sender address is not also one of the recipients
  and sender.email.email not in $recipient_emails
  
  // negate dropbox fax (aka hellofax)
  // NOTE(review): same unauthenticated domain exclusion as the dropbox.com check above
  and not sender.email.domain.root_domain == 'hellofax.com'
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
id: "61f11d12-7033-53c9-a95a-df982ff31c4b"