Brand impersonation: Dropbox
Impersonation of Dropbox, a file sharing service.
Sublime rule (View on GitHub)
# Sublime detection rule: metadata keys plus one `source` block holding the
# message query (MQL) that must evaluate true for a message to match.
name: "Brand impersonation: Dropbox"
description: |
  Impersonation of Dropbox, a file sharing service.
type: "rule"
severity: "medium"
# `source` is a literal block scalar: everything below is the rule text
# verbatim, so only MQL `//` comments are valid inside it (a `#` would be
# part of the query).
source: |
  type.inbound
  // brand signal: Dropbox in the display name (exact, wildcard or one edit
  // away), in the sender domain, or in a mismatched link whose visible URL
  // is dropbox.com
  and (
    strings.ilike(sender.display_name, '*dropbox*')
    or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
    or strings.ilike(sender.email.domain.domain, '*dropbox*')
    or any(body.links,
           .display_url.domain.root_domain == "dropbox.com"
           and .mismatched
           // presumably links rewritten by Mimecast URL protection show as
           // mismatched and are not evidence on their own - confirm
           and not .href_url.domain.root_domain in ("mimecast.com", "mimecastprotect.com")
    )
  )
  // the genuine root domain is excluded (case-insensitive not-equal)
  and sender.email.domain.root_domain !~ 'dropbox.com'
  // lure evidence: Dropbox branding found by OCR in an image attachment, or
  // a call-to-action link pointing away from dropbox.com in a message the
  // NLU classifier scores as credential theft
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
    )
    or any(body.links,
           strings.ilike(.display_text,
                         "*review*",
                         "*sign*",
                         "*view*",
                         "*completed document*",
                         "*open agreement*",
                         "*open document*"
           )
           and not strings.ilike(.display_text, "*view this email in*")
           and .href_url.domain.root_domain != "dropbox.com"
           and any(ml.nlu_classifier(body.current_thread.text).intents,
                   .name == "cred_theft" and .confidence in ("medium", "high")
           )
    )
  )
  // the sender address must not also be one of the recipients
  and sender.email.email not in $recipient_emails

  // negate dropbox fax (aka hellofax)

  and not sender.email.domain.root_domain == 'hellofax.com'

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata; values are quoted strings, one per list entry.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; kept quoted so it is never retyped by tooling.
id: "61f11d12-7033-53c9-a95a-df982ff31c4b"