Service abuse: Dropbox Paper with copy-paste instructions

Detects messages containing copy-paste instructions with links to Dropbox Paper documents, commonly used to bypass security controls by instructing users to manually navigate to malicious content.

Sublime rule (View on GitHub)

name: "Service abuse: Dropbox Paper with copy-paste instructions"
description: "Detects messages containing copy-paste instructions with links to Dropbox Paper documents, commonly used to bypass security controls by instructing users to manually navigate to malicious content."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // body mentions both "copy" and "paste" (case-insensitive substring match)
  and strings.icontains(body.current_thread.text, 'copy')
  and strings.icontains(body.current_thread.text, 'paste')
  // at least one link whose displayed URL is a Dropbox Paper document
  and any(body.current_thread.links,
          strings.icontains(.display_url.url, 'https://www.dropbox.com/scl/fi/')
          and strings.icontains(.display_url.url, '.paper')
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free file host"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "5b03f8e6-222f-5112-b111-faff54305b0b"
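
The rule's conditions re-expressed in Python and run over constructed messages, as an added example that is not part of the Sublime rule or its repository. The message dict layout, helper names and all sample values are assumptions; the `substring_hit` sample shows that substring matching also fires on words such as "Copyright" and "pasted", which matters when triaging hits.

```python
# Added illustration: approximates the rule's MQL conditions in plain Python.
# The message layout (dict keys) is an assumption, not Sublime's schema.
PAPER_PREFIX = "https://www.dropbox.com/scl/fi/"
PAPER_MARKER = ".paper"

def icontains(haystack, needle):
    """Case-insensitive substring test, mirroring strings.icontains."""
    return needle.lower() in (haystack or "").lower()

def is_paper_display_url(link):
    url = link.get("display_url") or ""
    return icontains(url, PAPER_PREFIX) and icontains(url, PAPER_MARKER)

def rule_matches(msg):
    if msg.get("direction") != "inbound":
        return False
    text = msg.get("thread_text", "")
    if not (icontains(text, "copy") and icontains(text, "paste")):
        return False
    return any(is_paper_display_url(link) for link in msg.get("links", []))

# Constructed sample data (placeholder IDs, not real documents)
PAPER_URL = "https://www.dropbox.com/scl/fi/EXAMPLEID/Invoice.paper?rlkey=EXAMPLE"
PDF_URL = "https://www.dropbox.com/scl/fi/EXAMPLEID/report.pdf?rlkey=EXAMPLE"
SAMPLES = {
    "instructed": {"direction": "inbound", "links": [{"display_url": PAPER_URL}],
        "thread_text": "Please copy and paste the link below into your browser."},
    "no_instruction": {"direction": "inbound", "links": [{"display_url": PAPER_URL}],
        "thread_text": "Sharing the meeting notes here."},
    "other_dropbox_file": {"direction": "inbound", "links": [{"display_url": PDF_URL}],
        "thread_text": "Copy and paste this link to download the report."},
    "substring_hit": {"direction": "inbound", "links": [{"display_url": PAPER_URL}],
        "thread_text": "Copyright notice attached. I pasted the agenda into the doc."},
    "outbound": {"direction": "outbound", "links": [{"display_url": PAPER_URL}],
        "thread_text": "Copy and paste the link into your browser."},
}

def evaluate(samples=SAMPLES):
    """Return {sample name: whether the approximated rule fires}."""
    return {name: rule_matches(msg) for name, msg in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20s} {'MATCH' if hit else 'no match'}")
```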