Brand impersonation: Dropbox

Impersonation of Dropbox, a file sharing service.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Dropbox"
 2description: |
 3    Impersonation of Dropbox, a file sharing service.
 4type: "rule"
 5severity: "medium"
  # Detection logic (MQL). Read top to bottom: inbound scope -> Dropbox
  # reference in the sender -> sender is not dropbox.com -> lure content
  # (OCR'd image or call-to-action link with credential-theft intent) ->
  # self-sent and DMARC-passing high-trust sender exclusions.
 6source: |
    // Scope: inbound messages only.
 7  type.inbound
    // Sender references Dropbox: the display name contains it, is within one
    // case-insensitive edit of it (single-character lookalikes), or the
    // sending domain contains it.
 8  and (
 9    strings.ilike(sender.display_name, '*dropbox*')
10    or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
11    or strings.ilike(sender.email.domain.domain, '*dropbox*')
12  )
    // Genuine Dropbox mail (root domain dropbox.com, compared case-insensitively)
    // is not impersonation. NOTE(review): only dropbox.com is excluded here; any
    // other domain Dropbox sends from (e.g. dropboxmail.com, if still in use) is
    // not excluded at this step - confirm against observed legitimate traffic.
13  and sender.email.domain.root_domain !~ 'dropbox.com'
    // Lure content, either of two branches:
14  and (
      // (a) an image attachment whose OCR text (obtained via file.explode)
      //     mentions Dropbox.
15    any(attachments,
16        .file_type in $file_types_images
17        and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
18    )
      // (b) a call-to-action link (review/sign/view/document wording) that does
      //     not resolve to dropbox.com, ignoring the common "view this email in"
      //     footer link, and only when the NLU classifier gives the current
      //     thread a medium/high-confidence cred_theft intent.
      //     NOTE(review): the href check uses case-sensitive != while the sender
      //     check above uses !~; harmless if root_domain is normalised to lower
      //     case, otherwise !~ would be the consistent choice.
19    or any(body.links,
20           strings.ilike(.display_text,
21                         "*review*",
22                         "*sign*",
23                         "*view*",
24                         "*completed document*",
25                         "*open agreement*",
26                         "*open document*"
27           )
28           and not strings.ilike(.display_text, "*view this email in*")
29           and .href_url.domain.root_domain != "dropbox.com"
30           and any(ml.nlu_classifier(body.current_thread.text).intents,
31                   .name == "cred_theft" and .confidence in ("medium", "high")
32           )
33    )
34  )
    // Exclude messages where the sender address is also a recipient
    // ($recipient_emails); exact address match only.
35  and sender.email.email not in $recipient_emails
36
37  // negate highly trusted sender domains unless they fail DMARC authentication
    // i.e. a high-trust domain only passes this gate when DMARC fails;
    // equivalent to: not (root_domain in $high_trust_sender_root_domains
    // and headers.auth_summary.dmarc.pass).
38  and (
39    (
40      sender.email.domain.root_domain in $high_trust_sender_root_domains
41      and not headers.auth_summary.dmarc.pass
42    )
43    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
44  )  
45
  # Classification metadata and the stable rule id.
46attack_types:
47  - "Credential Phishing"
48tactics_and_techniques:
49  - "Impersonation: Brand"
50  - "Social engineering"
51detection_methods:
52  - "Content analysis"
53  - "File analysis"
54  - "Header analysis"
55  - "Sender analysis"
56id: "61f11d12-7033-53c9-a95a-df982ff31c4b"