Brand spoof: Dropbox

Impersonation of Dropbox, a file sharing service; specifically spoofs the Dropbox sender domain.

Sublime rule

name: "Brand spoof: Dropbox"
description: |
    Impersonation of Dropbox, a file sharing service; specifically spoofs the Dropbox sender domain.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain == 'dropbox.com'
  and not headers.auth_summary.dmarc.pass
  // mitigates situations where an ESG misconfiguration could cause auth failures
  and not strings.ends_with(headers.message_id, ".dropbox.com>")
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "bd99740a-07e1-5c6f-92f6-b223478effa8"
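
The rule's three header conditions, re-implemented in Python over constructed sample messages. This is an added example, not Sublime's code or part of the rule. Assumptions: `mx.example.net` stands in for your own receiving MTA's authserv-id, `root_domain` is a two-label simplification, and `is_dropbox_spoof`, `dmarc_pass` and `build` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of our own receiving MTA

def root_domain(domain):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_pass(msg):
    # Count only Authentication-Results stamped by our own MTA.
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if (authserv.strip().lower() == TRUSTED_AUTHSERV
                and re.search(r"\bdmarc\s*=\s*pass\b", results, re.I)):
            return True
    return False

def is_dropbox_spoof(raw):
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if root_domain(addr.rpartition("@")[2]) != "dropbox.com":
        return False          # sender.email.domain.root_domain == 'dropbox.com'
    if dmarc_pass(msg):
        return False          # not headers.auth_summary.dmarc.pass
    # not strings.ends_with(headers.message_id, ".dropbox.com>")
    return not msg.get("Message-ID", "").strip().endswith(".dropbox.com>")

def build(sender, message_id, *auth_results):
    # Constructed sample messages; none of these are real traffic.
    lines = [f"From: Dropbox <{sender}>", f"Message-ID: {message_id}"]
    lines += [f"Authentication-Results: {ar}" for ar in auth_results]
    return "\n".join(lines) + "\nSubject: Shared file\n\nbody\n"

SAMPLES = {
    "failed_auth": build("no-reply@dropbox.com", "<1@relay.example.org>",
                         "mx.example.net; spf=fail; dmarc=fail"),
    "legitimate": build("no-reply@dropbox.com", "<2@email.dropbox.com>",
                        "mx.example.net; dkim=pass; dmarc=pass"),
    "gateway_broke_auth": build("no-reply@dropbox.com", "<3@email.dropbox.com>",
                                "mx.example.net; dkim=fail; dmarc=fail"),
    "untrusted_ar_only": build("no-reply@em.dropbox.com", "<4@relay.example.org>",
                               "mail.other.example; dmarc=pass"),
    "other_brand": build("news@example.com", "<5@example.com>",
                         "mx.example.net; dmarc=fail"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, is_dropbox_spoof(raw))
```

The `gateway_broke_auth` sample is the case the rule's comment describes: DMARC fails after a gateway has handled the message, but the Message-ID still ends in `.dropbox.com>`, so the message is not flagged.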