Brand impersonation: Dropbox

Impersonation of Dropbox, a file sharing service.

Sublime rule (View on GitHub)

name: "Brand impersonation: Dropbox"
description: |
    Impersonation of Dropbox, a file sharing service.
type: "rule"
severity: "medium"
# The MQL below is one boolean expression evaluated per message. It is structured as:
#   inbound
#   and (at least one Dropbox-branding signal)
#   and (sender root domain is not a real Dropbox domain)
#   and (at least one corroborating phishing signal)
#   and (sender is not a recipient) and (named exclusions).
# Inside the block scalar, "//" starts an MQL comment; "#" would be query text.
source: |
  type.inbound
  // --- Dropbox-branding signals: any one of these is enough ---
  and (
    // display name contains "dropbox", or is within one edit of it (e.g. one
    // character substituted, dropped or added)
    strings.ilike(sender.display_name, '*dropbox*')
    or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
    // sender domain mentions "dropbox" (the genuine Dropbox root domains are
    // excluded further down, so this effectively targets lookalike domains)
    or strings.ilike(sender.email.domain.domain, '*dropbox*')
    // a link whose visible URL is dropbox.com but whose actual target differs;
    // Mimecast URL-rewriting hosts are excluded because rewriting legitimately
    // produces such a mismatch
    or any(body.links,
           .display_url.domain.root_domain == "dropbox.com"
           and .mismatched
           and not .href_url.domain.root_domain in (
             "mimecast.com",
             "mimecastprotect.com"
           )
    )
    // Dropbox-style wording in the current thread; the second pattern tolerates
    // homoglyph substitutions (o/0, i/1/l/|) in "dropbox ... share ... file(s)"
    or regex.icontains(body.current_thread.text,
                       'invited you to view the file ".*" on Dropbox',
                       'dr[o0]pb[o0]x.{0,20}share.{0,20}f[i1|][i1|l]es?',
                       'dropbox sign (?:account|team)'
    )
    // dropbox style button: exactly one anchor whose inline style carries every
    // listed property (background #0070e0, white text, 210px width/max-width,
    // 4px radius, centered 15px text)
    or length(html.xpath(body.html,
                         "//a[contains(@style, 'background-color: #0070e0') and contains(@style, 'color: white') and contains(@style, 'width: 210px')  and contains(@style, 'max-width: 210px') and contains(@style, 'border-radius: 4px') and contains(@style, 'text-align: center') and contains(@style, 'font-size: 15px')]"
              ).nodes
    ) == 1
    // a non-image attachment whose file name mentions dropbox (o/0 homoglyphs allowed)
    or any(attachments,
           .file_type not in $file_types_images
           and regex.icontains(.file_name, 'dr[o0]pb[o0]x')
    )
  )
  // --- sender root domain is not a genuine Dropbox domain (case-insensitive match) ---
  // NOTE(review): this exclusion is unconditional, unlike the high-trust-domain
  // exclusion at the end of the query, which only applies when DMARC passes. A
  // message claiming one of these root domains but failing DMARC would be excluded
  // here; gating this on headers.auth_summary.dmarc.pass may be worth considering.
  // The same observation applies to the hellofax.com exclusion below.
  and sender.email.domain.root_domain not in~ (
    'dropbox.com',
    'dropboxforum.com',
    'dropboxsign.com'
  )
  // --- corroborating phishing signals: any one of these is enough ---
  and (
    // an image attachment whose OCR text contains "dropbox"
    any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
    )
    // a call-to-action link (review/sign/view/open ... , but not "view this email in")
    // or a text-less link to a free file host, which does not resolve to dropbox.com,
    // combined with a medium/high-confidence cred_theft intent from the NLU classifier
    or any(body.links,
           (
             (
               strings.ilike(.display_text,
                             "*review*",
                             "*sign*",
                             "*view*",
                             "*completed document*",
                             "*open agreement*",
                             "*open document*",
                             "*open file*"
               )
               and not strings.ilike(.display_text, "*view this email in*")
             )
             or (
               .display_text is null
               and .href_url.domain.root_domain in $free_file_hosts
             )
           )
           and (
             .href_url.domain.root_domain != "dropbox.com"
             and any(ml.nlu_classifier(body.current_thread.text).intents,
                     .name == "cred_theft" and .confidence in ("medium", "high")
             )
           )
    )
    // logo detection on the rendered message finds at least one brand, and every
    // brand it finds is Dropbox
    or (
      length(ml.logo_detect(file.message_screenshot()).brands) != 0
      and all(ml.logo_detect(file.message_screenshot()).brands,
              .name == "Dropbox"
      )
    )
    // a non-image dropbox-named attachment together with a cred_theft intent.
    // NOTE(review): written as != "low" here but as in ("medium", "high") above;
    // these are only equivalent if those are the sole confidence values — confirm.
    or (
      any(attachments,
          .file_type not in $file_types_images
          and regex.icontains(.file_name, 'dr[o0]pb[o0]x')
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence != "low"
      )
    )
  )
  // the sender address must not itself be one of the recipients
  and sender.email.email not in $recipient_emails
  
  // negate dropbox fax (aka hellofax)
  and not sender.email.domain.root_domain == 'hellofax.com'
  
  // negate iCloud Private Message Relay: relay sender domain, or any hop carrying
  // the X-ICLOUD-HME header field
  and not (
    sender.email.domain.domain == "privaterelay.appleid.com"
    or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (equivalently: not (high-trust domain and DMARC pass))
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
id: "61f11d12-7033-53c9-a95a-df982ff31c4b"