Brand impersonation: Dropbox

Impersonation of Dropbox, a file sharing service.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Dropbox"
 2description: |
 3    Impersonation of Dropbox, a file sharing service.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and (
 9    strings.ilike(sender.display_name, '*dropbox*')
10    or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
11    or strings.ilike(sender.email.domain.domain, '*dropbox*')
12    or any(body.links,
13           .display_url.domain.root_domain == "dropbox.com"
14           and .mismatched
15           and not .href_url.domain.root_domain in ("mimecast.com", "mimecastprotect.com")
16    )
17  )
18  and sender.email.domain.root_domain !~ 'dropbox.com'
19  and (
20    any(attachments,
21        .file_type in $file_types_images
22        and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
23    )
24    or any(body.links,
25           strings.ilike(.display_text,
26                         "*review*",
27                         "*sign*",
28                         "*view*",
29                         "*completed document*",
30                         "*open agreement*",
31                         "*open document*"
32           )
33           and not strings.ilike(.display_text, "*view this email in*")
34           and .href_url.domain.root_domain != "dropbox.com"
35           and any(ml.nlu_classifier(body.current_thread.text).intents,
36                   .name == "cred_theft" and .confidence in ("medium", "high")
37           )
38    )
39  )
40  and sender.email.email not in $recipient_emails
41
42  // negate dropbox fax (aka hellofax)
43
44  and not sender.email.domain.root_domain == 'hellofax.com'
45
46  // negate highly trusted sender domains unless they fail DMARC authentication
47  and (
48    (
49      sender.email.domain.root_domain in $high_trust_sender_root_domains
50      and not headers.auth_summary.dmarc.pass
51    )
52    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
53  )  
54
55attack_types:
56  - "Credential Phishing"
57tactics_and_techniques:
58  - "Impersonation: Brand"
59  - "Social engineering"
60detection_methods:
61  - "Content analysis"
62  - "File analysis"
63  - "Header analysis"
64  - "Sender analysis"
65id: "61f11d12-7033-53c9-a95a-df982ff31c4b"
to-top