Brand impersonation: Dropbox

Impersonation of Dropbox, a file sharing service.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
# Structure of the query (each block is `and`-ed together):
#   1. the message carries at least one Dropbox lure (display name, sender
#      domain, display/href link mismatch, share-invite wording),
#   2. the sender is not a Dropbox-owned root domain,
#   3. at least one phishing indicator is also present (OCR'd image text,
#      action-style link + credential-theft intent, or a Dropbox-only logo hit),
#   4. allowlists: self-addressed mail, HelloFax, iCloud Hide-My-Email relay,
#      and high-trust sender domains that pass DMARC.
name: "Brand impersonation: Dropbox"
description: |
    Impersonation of Dropbox, a file sharing service.
type: "rule"
severity: "medium"
source: |
  // only inbound mail is evaluated
  type.inbound
  // --- 1. Dropbox lure: at least one of the following must hold ---
  and (
    // display name contains "dropbox", or is within one edit of it
    // (ilevenshtein <= 1 tolerates a single swapped/added/dropped character)
    strings.ilike(sender.display_name, '*dropbox*')
    or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
    // sender domain contains "dropbox" (genuine Dropbox root domains are
    // excluded by the `not in~` clause below, so this catches lookalikes)
    or strings.ilike(sender.email.domain.domain, '*dropbox*')
    // a link whose visible URL is dropbox.com but whose href resolves elsewhere;
    // Mimecast URL rewriting legitimately produces such mismatches, so those
    // two rewrite domains are excluded
    or any(body.links,
           .display_url.domain.root_domain == "dropbox.com"
           and .mismatched
           and not .href_url.domain.root_domain in (
             "mimecast.com",
             "mimecastprotect.com"
           )
    )
    // body text uses Dropbox share-invite wording; the second pattern accepts
    // digit/pipe lookalikes (o/0, i/1/|) and up to 20 characters between the
    // words "dropbox", "share" and "file(s)"
    or regex.icontains(body.current_thread.text,
                       'invited you to view the file ".*" on Dropbox',
                       'dr[o0]pb[o0]x.{0,20}share.{0,20}f[i1|][i1|l]es?'
    )
  )
  // --- 2. sender is not a Dropbox-owned root domain (in~ is the
  // case-insensitive membership test) ---
  and sender.email.domain.root_domain not in~ (
    'dropbox.com',
    'dropboxforum.com',
    'dropboxsign.com'
  )
  // --- 3. at least one phishing indicator must also be present ---
  and (
    // an image attachment whose OCR'd text mentions dropbox
    any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
    )
    // or a link with action-style text (review/sign/view/open ...) or no text
    // at all pointing to a free file host, that does not go to dropbox.com,
    // combined with a medium/high-confidence credential-theft intent from the
    // NLU classifier on the current thread text
    or any(body.links,
           (
             (
               strings.ilike(.display_text,
                             "*review*",
                             "*sign*",
                             "*view*",
                             "*completed document*",
                             "*open agreement*",
                             "*open document*",
                             "*open file*"
               )
               // the "view this email in your browser" footer link is not a CTA
               and not strings.ilike(.display_text, "*view this email in*")
             )
             or (
               // links with no display text count only when they target a
               // known free file host
               .display_text is null
               and .href_url.domain.root_domain in $free_file_hosts
             )
           )
           and .href_url.domain.root_domain != "dropbox.com"
           and any(ml.nlu_classifier(body.current_thread.text).intents,
                   .name == "cred_theft" and .confidence in ("medium", "high")
           )
    )
    // or logo detection on a rendered screenshot finds brands and every one of
    // them is Dropbox; the length check presumably guards against all() being
    // vacuously true on an empty brands list — confirm against MQL semantics
    or (
      length(ml.logo_detect(file.message_screenshot()).brands) != 0
      and all(ml.logo_detect(file.message_screenshot()).brands,
              .name == "Dropbox"
      )
    )
  )
  // --- 4. allowlists ---
  // sender address is not itself one of the recipients
  and sender.email.email not in $recipient_emails
  
  // negate dropbox fax (aka hellofax)
  and not sender.email.domain.root_domain == 'hellofax.com'
  
  // negate iCloud Private Message Relay
  // (matched either by the relay's root domain or by the X-ICLOUD-HME header
  // on any hop)
  and not (
    sender.email.domain.root_domain == "privaterelay.appleid.com"
    or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a high-trust domain is still flagged when headers.auth_summary.dmarc
  // does not pass (spoofing of the trusted domain), and any domain outside
  // the high-trust list is evaluated normally
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# classification metadata used for triage/reporting
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
# stable rule identifier
id: "61f11d12-7033-53c9-a95a-df982ff31c4b"