Brand impersonation: Dropbox

Impersonation of Dropbox, a file sharing service.

Sublime rule (View on GitHub)

# Sublime detection rule: flags inbound mail that presents Dropbox branding
# (sender name/domain, links, body text, button styling or a detected logo)
# but does not originate from a Dropbox-owned root domain, and that also
# carries a credential-phishing indicator.
name: "Brand impersonation: Dropbox"
description: |
    Impersonation of Dropbox, a file sharing service.
type: "rule"
severity: "medium"
# MQL source. The top-level conjuncts, in order:
#   inbound -> brand signal -> not a Dropbox domain -> phishing indicator
#   -> sender is not a recipient -> known-benign negations.
source: |
  type.inbound
  // 1. Brand signal: any one of the following is sufficient.
  and (
    // display name contains "dropbox" or is within one edit of it
    strings.ilike(sender.display_name, '*dropbox*')
    or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
    // sender domain contains "dropbox" (genuine Dropbox root domains are
    // excluded further down)
    or strings.ilike(sender.email.domain.domain, '*dropbox*')
    // a link displays dropbox.com, is flagged as mismatched, and its target
    // is not one of the Mimecast URL-rewriting domains
    or any(body.links,
           .display_url.domain.root_domain == "dropbox.com"
           and .mismatched
           and not .href_url.domain.root_domain in (
             "mimecast.com",
             "mimecastprotect.com"
           )
    )
    // body wording of a Dropbox share notification; the second pattern also
    // tolerates 0-for-o and 1/|-for-i/l substitutions in "dropbox ... share ... files"
    or regex.icontains(body.current_thread.text,
                       'invited you to view the file ".*" on Dropbox',
                       'dr[o0]pb[o0]x.{0,20}share.{0,20}f[i1|][i1|l]es?'
    )
    // dropbox style button
    // exactly one anchor whose inline style matches the Dropbox call-to-action button
    or length(html.xpath(body.html,
                         "//a[contains(@style, 'background-color: #0070e0') and contains(@style, 'color: white') and contains(@style, 'width: 210px')  and contains(@style, 'max-width: 210px') and contains(@style, 'border-radius: 4px') and contains(@style, 'text-align: center') and contains(@style, 'font-size: 15px')]"
              ).nodes
    ) == 1
  )
  // 2. Exclude mail whose sender root domain is Dropbox-owned
  //    (in~ is the case-insensitive membership test).
  and sender.email.domain.root_domain not in~ (
    'dropbox.com',
    'dropboxforum.com',
    'dropboxsign.com'
  )
  // 3. Phishing indicator: any one of
  //    a) an image attachment whose OCR text contains "dropbox",
  //    b) a link (not to dropbox.com) with review/sign/view/open-document
  //       text, or with no text but a free-file-host target, while the NLU
  //       classifier rates the thread as cred_theft with medium or high
  //       confidence,
  //    c) logo detection on the message screenshot finds at least one brand
  //       and every detected brand is Dropbox.
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
    )
    or any(body.links,
           (
             (
               strings.ilike(.display_text,
                             "*review*",
                             "*sign*",
                             "*view*",
                             "*completed document*",
                             "*open agreement*",
                             "*open document*",
                             "*open file*"
               )
               // "*view*" would otherwise also match "view this email in ..." links
               and not strings.ilike(.display_text, "*view this email in*")
             )
             or (
               .display_text is null
               and .href_url.domain.root_domain in $free_file_hosts
             )
           )
           // NOTE(review): only dropbox.com is excluded here, while the sender
           // check above also allow-lists dropboxsign.com and dropboxforum.com;
           // confirm the narrower list is intended.
           and .href_url.domain.root_domain != "dropbox.com"
           and any(ml.nlu_classifier(body.current_thread.text).intents,
                   .name == "cred_theft" and .confidence in ("medium", "high")
           )
    )
    or (
      length(ml.logo_detect(file.message_screenshot()).brands) != 0
      and all(ml.logo_detect(file.message_screenshot()).brands,
              .name == "Dropbox"
      )
    )
  )
  // 4. Ignore mail where the sender address is also one of the recipients.
  and sender.email.email not in $recipient_emails

  // negate dropbox fax (aka hellofax)
  and not sender.email.domain.root_domain == 'hellofax.com'

  // negate iCloud Private Message Relay
  and not (
    sender.email.domain.root_domain == "privaterelay.appleid.com"
    or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a high-trust root domain only matches when its DMARC result is not a pass
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
# Rule classification metadata.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
id: "61f11d12-7033-53c9-a95a-df982ff31c4b"