Brand spoof: Dropbox
Detects impersonation of Dropbox, a file-sharing service: an inbound message whose sender address is under dropbox.com but which fails DMARC at some receiving hop. A Message-ID ending in ".dropbox.com>" is treated as a sign the message was genuinely minted by Dropbox and only failed authentication because of an upstream gateway misconfiguration, so such messages are excluded.
Sublime rule
name: "Brand spoof: Dropbox"
description: |
  Impersonation of Dropbox, a file sharing service; specifically spoofs the Dropbox sender domain.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain == 'dropbox.com'
  and any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
  )
  // mitigates situations where an ESG misconfiguration could cause auth failures
  and not strings.ends_with(headers.message_id, ".dropbox.com>")
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "bd99740a-07e1-5c6f-92f6-b223478effa8"
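To make the rule's three conditions concrete, here is a plain-Python re-implementation of the same logic run over constructed sample messages. This is an added example, not Sublime's engine or the project's code: the `root_domain` helper is a naive last-two-labels approximation (Sublime's `root_domain` uses the public suffix list; the two agree for dropbox.com), `type.inbound` is assumed true for every sample, and the Authentication-Results and Message-ID values are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: naive root-domain helper (last two DNS labels). Sublime's
# sender.email.domain.root_domain consults the public suffix list; for a
# plain .com domain such as dropbox.com the two give the same answer.
def root_domain(domain: str) -> str:
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:])

def sender_root_domain(msg) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return root_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""

# Each hop that evaluated DMARC stamps its own Authentication-Results header.
# We collect the dmarc= verdict from every such header and skip hops that did
# not record one (the rule's `.authentication_results.dmarc is not null`).
DMARC_RE = re.compile(r"\bdmarc=([A-Za-z]+)", re.IGNORECASE)

def dmarc_verdicts(msg) -> set:
    verdicts = set()  # a set stands in for distinct()
    for hdr in msg.get_all("Authentication-Results", []):
        m = DMARC_RE.search(hdr)
        if m:
            verdicts.add(m.group(1).lower())
    return verdicts

def matches_dropbox_spoof(raw: str) -> bool:
    """True when the message would fire the rule (type.inbound is assumed)."""
    msg = message_from_string(raw)
    if sender_root_domain(msg) != "dropbox.com":
        return False
    # strings.ilike(x, "*fail"): case-insensitive match with a wildcard prefix
    if not any(v.endswith("fail") for v in dmarc_verdicts(msg)):
        return False
    # Carve-out for gateway (ESG) misconfigurations that break SPF/DKIM on
    # genuine Dropbox mail: a Message-ID minted under dropbox.com is taken as
    # evidence the message originated there, so the rule does not fire.
    message_id = (msg.get("Message-ID") or "").strip()
    return not message_id.endswith(".dropbox.com>")

# Constructed samples (not real Dropbox or attacker traffic).
SPOOF_MSG = """From: "Dropbox" <no-reply@dropbox.com>
To: victim@example.com
Subject: You have a new shared file
Message-ID: <20240101.abc@relay.attacker-infra.example>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=dropbox.com;
 dkim=none;
 dmarc=fail (p=reject) header.from=dropbox.com

Constructed body: open the shared document.
"""

# Genuine mail that failed DMARC only at an internal hop behind a gateway
# that rewrote the envelope; the Message-ID is still Dropbox's own.
LEGIT_ESG_MSG = """From: "Dropbox" <no-reply@dropbox.com>
To: victim@example.com
Subject: Someone shared a folder with you
Message-ID: <constructed.id@mail.dropbox.com>
Authentication-Results: internal-mx.example.com;
 spf=fail smtp.mailfrom=dropbox.com;
 dmarc=fail header.from=dropbox.com
Authentication-Results: esg.example.com;
 spf=pass smtp.mailfrom=dropbox.com;
 dkim=pass header.d=dropbox.com;
 dmarc=pass header.from=dropbox.com

Constructed body: a folder was shared with you.
"""

LEGIT_PASS_MSG = """From: "Dropbox" <no-reply@dropbox.com>
To: victim@example.com
Subject: Your weekly activity
Message-ID: <constructed.weekly@mail.dropbox.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=dropbox.com

Constructed body: weekly summary.
"""

# Lookalike domain: root_domain() yields evil.example, so the first condition fails.
LOOKALIKE_MSG = """From: "Dropbox" <no-reply@dropbox.com.evil.example>
To: victim@example.com
Subject: Shared file
Message-ID: <lookalike@evil.example>
Authentication-Results: mx.example.com; dmarc=fail header.from=dropbox.com.evil.example

Constructed body.
"""

if __name__ == "__main__":
    for name, raw in [("spoof", SPOOF_MSG), ("legit-esg", LEGIT_ESG_MSG),
                      ("legit-pass", LEGIT_PASS_MSG), ("lookalike", LOOKALIKE_MSG)]:
        print(f"{name:10s} fires={matches_dropbox_spoof(raw)}")
```

The lookalike sample is the one to note: a sender at dropbox.com.evil.example is not caught by this rule because its root domain is evil.example, which is exactly why Sublime pairs this domain-spoof rule with separate lookalike and display-name rules rather than folding them into one.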