Brand spoof: Dropbox

Impersonation of Dropbox, a file sharing service; specifically spoofs the Dropbox sender domain.

Sublime rule

name: "Brand spoof: Dropbox"
description: |
    Impersonation of Dropbox, a file sharing service; specifically spoofs the Dropbox sender domain.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.root_domain == 'dropbox.com'
  and any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
  )
  // mitigates situations where an ESG misconfiguration could cause auth failures
  and not strings.ends_with(headers.message_id, ".dropbox.com>")
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "bd99740a-07e1-5c6f-92f6-b223478effa8"
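The rule's four conditions (inbound direction, a dropbox.com root sender domain, at least one hop whose DMARC verdict ends in "fail", and the Message-ID exception for ESG-caused auth failures) are modelled below in plain Python so the logic can be stepped through on constructed headers. This is an added example, not Sublime's engine or the rule's own code. The `Hop`/`Message` classes, the `root_domain` helper (a naive last-two-labels stand-in for `sender.email.domain.root_domain`, which in reality needs the public suffix list) and the sample messages are all assumptions made for the illustration; DMARC verdicts are assumed to be bare strings such as "pass" or "fail".

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class Hop:
    """One Received hop; `dmarc` mirrors .authentication_results.dmarc (None when absent)."""
    dmarc: Optional[str] = None


@dataclass
class Message:
    inbound: bool                                  # type.inbound
    sender_email: str                              # sender.email
    message_id: str                                # headers.message_id, angle brackets included
    hops: List[Hop] = field(default_factory=list)  # headers.hops


def root_domain(email: str) -> str:
    """Assumed stand-in for sender.email.domain.root_domain: keep the last two labels.
    Adequate for dropbox.com; a real implementation consults the public suffix list."""
    domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob match, the behaviour strings.ilike provides."""
    return fnmatchcase(value.lower(), pattern.lower())


def is_dropbox_spoof(msg: Message) -> bool:
    """Return True when the message matches every clause of the rule's `source`."""
    if not msg.inbound:
        return False
    if root_domain(msg.sender_email) != "dropbox.com":
        return False
    # distinct(headers.hops, .authentication_results.dmarc is not null):
    # one entry per distinct verdict, hops without a verdict ignored
    verdicts = {h.dmarc for h in msg.hops if h.dmarc is not None}
    if not any(ilike(v, "*fail") for v in verdicts):
        return False
    # Exception from the rule: an ESG misconfiguration can fail DMARC on mail
    # Dropbox really generated, so a Dropbox-issued Message-ID suppresses the hit.
    if msg.message_id.endswith(".dropbox.com>"):
        return False
    return True


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over constructed messages covering each branch (sample data, not real mail)."""
    samples = {
        # Spoofed envelope sender, DMARC fails at the receiving hop, foreign Message-ID
        "spoofed_sender": Message(True, "no-reply@dropbox.com",
                                  "<20240101.abc@bulk.example.net>",
                                  [Hop(), Hop(dmarc="fail")]),
        # Genuine notification: DMARC passes
        "legitimate_dmarc_pass": Message(True, "no-reply@dropbox.com",
                                         "<20240101.def@notify.dropbox.com>",
                                         [Hop(), Hop(dmarc="pass")]),
        # DMARC fails because of a gateway misconfiguration, but the Message-ID is Dropbox's
        "esg_auth_failure_exception": Message(True, "no-reply@dropbox.com",
                                              "<20240101.ghi@notify.dropbox.com>",
                                              [Hop(dmarc="fail")]),
        # Subdomain sender still resolves to the dropbox.com root domain
        "subdomain_spoof": Message(True, "alerts@mail.dropbox.com",
                                   "<20240101.jkl@bulk.example.net>",
                                   [Hop(dmarc="FAIL")]),
        # Outbound mail is out of scope for the rule
        "outbound": Message(False, "no-reply@dropbox.com",
                            "<20240101.mno@bulk.example.net>",
                            [Hop(dmarc="fail")]),
    }
    return {name: is_dropbox_spoof(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:30} -> {'MATCH' if hit else 'no match'}")
```

Only `spoofed_sender` and `subdomain_spoof` match; the ESG sample shows why the Message-ID clause exists, since without it legitimate Dropbox mail that failed DMARC at a misconfigured gateway would be flagged as a spoof.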