Brand impersonation: Dropbox
Impersonation of Dropbox, a file sharing service.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Dropbox"
2description: |
3 Impersonation of Dropbox, a file sharing service.
4type: "rule"
5severity: "medium"
6source: |
7 type.inbound
8 and (
9 strings.ilike(sender.display_name, '*dropbox*')
10 or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
11 or strings.ilike(sender.email.domain.domain, '*dropbox*')
12 or any(body.links,
13 .display_url.domain.root_domain == "dropbox.com"
14 and .mismatched
15 and not .href_url.domain.root_domain in (
16 "mimecast.com",
17 "mimecastprotect.com"
18 )
19 )
20 or regex.icontains(body.current_thread.text,
21 'invited you to view the file ".*" on Dropbox',
22 'dr[o0]pb[o0]x.{0,20}share.{0,20}f[i1|][i1|l]es?',
23 'dropbox sign (?:account|team)'
24 )
25 // dropbox style button
26 or length(html.xpath(body.html,
27 "//a[contains(@style, 'background-color: #0070e0') and contains(@style, 'color: white') and contains(@style, 'width: 210px') and contains(@style, 'max-width: 210px') and contains(@style, 'border-radius: 4px') and contains(@style, 'text-align: center') and contains(@style, 'font-size: 15px')]"
28 ).nodes
29 ) == 1
30 or any(attachments,
31 .file_type not in $file_types_images
32 and regex.icontains(.file_name, 'dr[o0]pb[o0]x')
33 )
34 )
35 and sender.email.domain.root_domain not in~ (
36 'dropbox.com',
37 'dropboxforum.com',
38 'dropboxsign.com'
39 )
40 and (
41 any(attachments,
42 .file_type in $file_types_images
43 and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
44 )
45 or any(body.links,
46 (
47 (
48 strings.ilike(.display_text,
49 "*review*",
50 "*sign*",
51 "*view*",
52 "*completed document*",
53 "*open agreement*",
54 "*open document*",
55 "*open file*"
56 )
57 and not strings.ilike(.display_text, "*view this email in*")
58 )
59 or (
60 .display_text is null
61 and .href_url.domain.root_domain in $free_file_hosts
62 )
63 )
64 and (
65 .href_url.domain.root_domain != "dropbox.com"
66 and any(ml.nlu_classifier(body.current_thread.text).intents,
67 .name == "cred_theft" and .confidence in ("medium", "high")
68 )
69 )
70 )
71 or (
72 length(ml.logo_detect(file.message_screenshot()).brands) != 0
73 and all(ml.logo_detect(file.message_screenshot()).brands,
74 .name == "Dropbox"
75 )
76 )
77 or (
78 any(attachments,
79 .file_type not in $file_types_images
80 and regex.icontains(.file_name, 'dr[o0]pb[o0]x')
81 )
82 and any(ml.nlu_classifier(body.current_thread.text).intents,
83 .name == "cred_theft" and .confidence != "low"
84 )
85 )
86 )
87 and sender.email.email not in $recipient_emails
88
89 // negate dropbox fax (aka hellofax)
90 and not sender.email.domain.root_domain == 'hellofax.com'
91
92 // negate iCloud Private Message Relay
93 and not (
94 sender.email.domain.domain == "privaterelay.appleid.com"
95 or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
96 )
97
98 // negate highly trusted sender domains unless they fail DMARC authentication
99 and (
100 (
101 sender.email.domain.root_domain in $high_trust_sender_root_domains
102 and not headers.auth_summary.dmarc.pass
103 )
104 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
105 )
106
107attack_types:
108 - "Credential Phishing"
109tactics_and_techniques:
110 - "Impersonation: Brand"
111 - "Social engineering"
112detection_methods:
113 - "Content analysis"
114 - "File analysis"
115 - "Header analysis"
116 - "Sender analysis"
117id: "61f11d12-7033-53c9-a95a-df982ff31c4b"