Sublime Core Feed
Medium Severity

Credential Phishing via Dropbox comment abuse

Labels

Credential Phishing
Evasion
Out of band pivot
Social engineering
Content analysis
Computer Vision
Sender analysis

Description

This rule detects credential phishing attacks that exploit familiar brands via Dropbox comments. Because the comment notification is sent by Dropbox itself, these messages originate from legitimate Dropbox infrastructure and pass authentication; the lure text then attempts to pivot the recipient out of band to an external freemail address.

References

No references.

Sublime Security
Created Jan 16th, 2024 • Last updated Apr 23rd, 2024
Feed Source
Sublime Core Feed
Source
GitHub

type.inbound
and length(attachments) == 0

// Legitimate Dropbox sending infrastructure
and (
  sender.email.domain.root_domain in ('dropbox.net', 'dropbox.com')
  // check for DMARC fail for spoofs
  and headers.auth_summary.dmarc.pass
)

// Dropbox Logo or text
and (
  any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Dropbox")
  or strings.contains(body.current_thread.text, "Dropbox")
)

// Require common brand impersonation
and strings.ilike(body.current_thread.text,
                  "*mcafee*",
                  "*norton*",
                  "*geek*squad*",
                  "*paypal*",
                  "*ebay*",
                  "*symantec*",
                  "*best buy*",
                  "*lifelock*",
                  "*geek*support*"
)
and 3 of (
  strings.ilike(body.current_thread.text, '*purchase*'),
  strings.ilike(body.current_thread.text, '*payment*'),
  strings.ilike(body.current_thread.text, '*transaction*'),
  strings.ilike(body.current_thread.text, '*subscription*'),
  strings.ilike(body.current_thread.text, '*antivirus*'),
  strings.ilike(body.current_thread.text, '*order*'),
  strings.ilike(body.current_thread.text, '*support*'),
  strings.ilike(body.current_thread.text, '*help line*'),
  strings.ilike(body.current_thread.text, '*receipt*'),
  strings.ilike(body.current_thread.text, '*invoice*'),
  strings.ilike(body.current_thread.text, '*call*'),
  strings.ilike(body.current_thread.text, '*cancel*'),
  strings.ilike(body.current_thread.text, '*renew*'),
  strings.ilike(body.current_thread.text, '*refund*'),
  strings.ilike(body.current_thread.text, '*transfer*'),
  strings.ilike(body.current_thread.text, '*message*')
)

// there's an email in the body
and regex.contains(body.current_thread.text,
                   "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
)

// and it's likely a freemail
and any($free_email_providers, strings.icontains(body.current_thread.text, .))
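As an added example, not Sublime's code and not part of the rule above, the following Python re-implements each clause of the rule over a hypothetical message object so the logic can be exercised offline and an analyst can see which clause a message fails. The `Message` class, the `root_domain` helper and the `FREE_EMAIL_PROVIDERS` list are assumptions standing in for MQL's message fields, `.root_domain` and the `$free_email_providers` list; the sample messages are constructed, not real captures.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for Sublime's $free_email_providers list. The real list
# is maintained by Sublime and is far longer; these entries are an assumption.
FREE_EMAIL_PROVIDERS = ["gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"]

# The rule's "*mcafee*" style globs, translated to case-insensitive regexes.
IMPERSONATED_BRANDS = [
    r"mcafee", r"norton", r"geek.*squad", r"paypal", r"ebay",
    r"symantec", r"best buy", r"lifelock", r"geek.*support",
]

# The rule's "3 of (...)" keyword list; substring matches, case-insensitive.
SCAM_KEYWORDS = [
    "purchase", "payment", "transaction", "subscription", "antivirus", "order",
    "support", "help line", "receipt", "invoice", "call", "cancel", "renew",
    "refund", "transfer", "message",
]

# Same pattern the rule uses to find an email address in the body.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Message:
    """Minimal stand-in for the MQL message object (hypothetical shape)."""
    sender_domain: str          # sender.email.domain
    dmarc_pass: bool            # headers.auth_summary.dmarc.pass
    body_text: str              # body.current_thread.text
    attachment_count: int = 0   # length(attachments)
    logo_brands: List[str] = field(default_factory=list)  # ml.logo_detect(...).brands names


def root_domain(domain: str) -> str:
    """Crude stand-in for .root_domain: keep the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(msg: Message) -> Dict[str, bool]:
    """Return each clause of the rule as a named boolean so an analyst can see
    which condition a message fails, not just the final verdict."""
    text = msg.body_text
    lower = text.lower()
    return {
        "inbound_no_attachments": msg.attachment_count == 0,
        "legit_dropbox_infra": (
            root_domain(msg.sender_domain) in ("dropbox.net", "dropbox.com")
            and msg.dmarc_pass
        ),
        # strings.contains is case-sensitive in the rule, so mirror that here
        "dropbox_branding": "Dropbox" in msg.logo_brands or "Dropbox" in text,
        "impersonated_brand": any(re.search(p, lower) for p in IMPERSONATED_BRANDS),
        "three_scam_keywords": sum(k in lower for k in SCAM_KEYWORDS) >= 3,
        "email_in_body": EMAIL_RE.search(text) is not None,
        # the rule checks the provider string anywhere in the body text
        "freemail_pivot": any(p in lower for p in FREE_EMAIL_PROVIDERS),
    }


def matches_rule(msg: Message) -> bool:
    """True when every clause holds, i.e. the MQL rule would fire."""
    return all(evaluate(msg).values())


# Constructed sample messages (not real captures).
PHISH = Message(
    sender_domain="no-reply.dropbox.com",
    dmarc_pass=True,
    logo_brands=["Dropbox"],
    body_text=(
        "Dropbox: Billing Team added a comment on Invoice_4471.pdf\n"
        "Your Norton antivirus subscription renewal payment has been processed. "
        "To cancel this order or request a refund, call our support desk or "
        "reply to billing.desk.help@gmail.com"
    ),
)

BENIGN = Message(
    sender_domain="no-reply.dropbox.com",
    dmarc_pass=True,
    logo_brands=["Dropbox"],
    body_text="Dropbox: Alice commented on Q3_report.pdf: 'Can you double-check the totals on page 3?'",
)

SPOOFED = Message(  # claims Dropbox but fails DMARC; left to spoofing rules
    sender_domain="dropbox.com",
    dmarc_pass=False,
    body_text=PHISH.body_text,
)

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("BENIGN", BENIGN), ("SPOOFED", SPOOFED)):
        print(name, matches_rule(m), evaluate(m))
```

Running the block prints a verdict per sample together with the per-clause breakdown; the spoofed sample shows why the rule deliberately requires a DMARC pass, since the out-of-band pivot it targets rides on genuine Dropbox mail and forged Dropbox senders are a separate detection problem.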