Brand impersonation: Dropbox

Impersonation of Dropbox, a file sharing service.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Dropbox"
 2description: |
 3    Impersonation of Dropbox, a file sharing service.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and (
 9    strings.ilike(sender.display_name, '*dropbox*')
10    or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
11    or strings.ilike(sender.email.domain.domain, '*dropbox*')
12    or any(body.links,
13           .display_url.domain.root_domain == "dropbox.com"
14           and .mismatched
15           and not .href_url.domain.root_domain in (
16             "mimecast.com",
17             "mimecastprotect.com"
18           )
19    )
20    or regex.icontains(body.current_thread.text,
21                       'invited you to view the file ".*" on Dropbox'
22    )
23  )
24  and sender.email.domain.root_domain not in~ (
25    'dropbox.com',
26    'dropboxforum.com',
27    'dropboxsign.com'
28  )
29  and (
30    any(attachments,
31        .file_type in $file_types_images
32        and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
33    )
34    or any(body.links,
35           strings.ilike(.display_text,
36                         "*review*",
37                         "*sign*",
38                         "*view*",
39                         "*completed document*",
40                         "*open agreement*",
41                         "*open document*",
42                         "*open file*"
43           )
44           and not strings.ilike(.display_text, "*view this email in*")
45           and .href_url.domain.root_domain != "dropbox.com"
46           and any(ml.nlu_classifier(body.current_thread.text).intents,
47                   .name == "cred_theft" and .confidence in ("medium", "high")
48           )
49    )
50    or (
51      length(ml.logo_detect(file.message_screenshot()).brands) != 0
52      and all(ml.logo_detect(file.message_screenshot()).brands,
53              .name == "Dropbox"
54      )
55    )
56  )
57  and sender.email.email not in $recipient_emails
58  
59  // negate dropbox fax (aka hellofax)
60  and not sender.email.domain.root_domain == 'hellofax.com'
61  
62  // negate iCloud Private Message Relay
63  and not (
64    sender.email.domain.root_domain == "privaterelay.appleid.com"
65    or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
66  )
67  
68  // negate highly trusted sender domains unless they fail DMARC authentication
69  and (
70    (
71      sender.email.domain.root_domain in $high_trust_sender_root_domains
72      and not headers.auth_summary.dmarc.pass
73    )
74    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
75  )  
76
77attack_types:
78  - "Credential Phishing"
79tactics_and_techniques:
80  - "Impersonation: Brand"
81  - "Social engineering"
82detection_methods:
83  - "Content analysis"
84  - "File analysis"
85  - "Header analysis"
86  - "Sender analysis"
87id: "61f11d12-7033-53c9-a95a-df982ff31c4b"