Service abuse: Dropbox share with suspicious sender or document name

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Callback Phishing, BEC/Fraud
Tactics and techniques	Evasion, Social engineering

Event coverage

Message attribute
headers (collection)
headers.auth_summary
headers.reply_to (collection)
sender.email
subject
type

Rule body MQL

type.inbound

// Legitimate Dropbox sending infratructure
and sender.email.email == "no-reply@dropbox.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and strings.ends_with(headers.auth_summary.spf.details.designator,
                      '.dropbox.com'
)
and strings.icontains(subject.subject, 'shared')
and strings.icontains(subject.subject, 'with you')
and (
  // contains the word dropbox
  // everything not "shared" and "with you" is actor controlled
  strings.icontains(subject.subject, 'dropbox')
  or strings.icontains(subject.subject, 'sharefile')

  // sender names part of the subject
  or (
    // Billing Accounting
    regex.icontains(subject.subject,
                    'Accounts? (?:Payable|Receivable).*shared',
                    'Billing Support.*shared'
    )

    // HR/Payroll/Legal/etc
    or regex.icontains(subject.subject, 'Compliance HR.*shared')
    or regex.icontains(subject.subject,
                       '(?:Compliance|Executive|Finance|\bHR\b|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared'
    )
    or regex.icontains(subject.subject, '(?:Department|Team).*shared')
    or regex.icontains(subject.subject, 'Corporate Communications.*shared')
    or regex.icontains(subject.subject, 'Employee Relations.*shared')
    or regex.icontains(subject.subject, 'Office Manager.*shared')
    or regex.icontains(subject.subject, 'Risk Management.*shared')
    or regex.icontains(subject.subject, 'Payroll Admin(?:istrator).*shared')
    or regex.icontains(subject.subject, 'Human Resources.*shared')
    or regex.icontains(subject.subject, 'HR.*shared')

    // IT related
    or regex.icontains(subject.subject,
                       'IT Support.*shared',
                       'Information Technology.*shared',
                       '(?:Network|System)? Admin(?:istrator).*shared',
                       'Help Desk.*shared',
                       'Tech(?:nical) Support.*shared'
    )

    // an email address in the subject is also interesting
    or regex.icontains(subject.subject, '\w+@\w+\.\w+.*shared')
  )
  // filename analysis
  // the filename is also contianed in the subject line
  or (
    // untitled.paper
    regex.icontains(subject.subject, 'shared.*\"Untitled.paper')
    // scanner themed
    or regex.icontains(subject.subject, 'shared.*\".*scanne[rd]')
    // image theme
    or regex.icontains(subject.subject, 'shared.*\".*_IMG_')
    or regex.icontains(subject.subject, 'shared.*\".*IMG[_-](?:\d|\W)+\"')
    // ondrive theme
    or regex.icontains(subject.subject, 'shared.*\".*one_docx')
    or regex.icontains(subject.subject, 'shared.*\".*One.?Drive')
    or regex.icontains(subject.subject, 'shared.*\".*click here')
    or regex.icontains(subject.subject, 'shared.*\".*Download PDF')
    or regex.icontains(subject.subject, 'shared.*\".*Validate')

    // Invoice Themes
    or regex.icontains(subject.subject, 'shared.*\".*Invoice')
    or regex.icontains(subject.subject, 'shared.*\".*INV\b')
    or regex.icontains(subject.subject, 'shared.*\".*Payment')
    or regex.icontains(subject.subject, 'shared.*\".*ACH')
    or regex.icontains(subject.subject, 'shared.*\".*Wire Confirmation')
    or regex.icontains(subject.subject, 'shared.*\".*P[O0]\W+?\d+\"')
    or regex.icontains(subject.subject, 'shared.*\"P[O0](?:\W+?|\d+)')
    or regex.icontains(subject.subject, 'shared.*\".*receipt')
    or regex.icontains(subject.subject, 'shared.*\".*Billing')
    or regex.icontains(subject.subject, 'shared.*\".*statement')
    or regex.icontains(subject.subject, 'shared.*\".*Past Due')
    or regex.icontains(subject.subject, 'shared.*\".*Remit(?:tance)?')
    or regex.icontains(subject.subject, 'shared.*\".*Purchase Order')
    or regex.icontains(subject.subject, 'shared.*\".*Settlement')

    // contract language
    or regex.icontains(subject.subject, 'shared.*\".*Contract Agreement')
    or regex.icontains(subject.subject, 'shared.*\".*Pr[0o]p[0o]sal')
    or regex.icontains(subject.subject, 'shared.*\".*Contract Doc')
    or regex.icontains(subject.subject, 'shared.*\".*Claim Doc')

    // Payroll/HR
    // section also used in link_sharepoint_sus_name.yml with modified input
    or regex.icontains(subject.subject, 'shared.*\".*Payroll')
    or regex.icontains(subject.subject, 'shared.*\".*Employee Pay\b')
    or regex.icontains(subject.subject, 'shared.*\".*Salary')
    or regex.icontains(subject.subject, 'shared.*\".*Benefit Enrollment')
    or regex.icontains(subject.subject, 'shared.*\".*Employee Handbook')
    or regex.icontains(subject.subject, 'shared.*\".*Reimbursement Approved')
    or regex.icontains(subject.subject,
                       'shared.*\".*(?:Faculty|Staff)\s*(?:\w+\s+){0,3}\s*Eval(?:uation)?'
    )

    // shared files/extenstion
    or regex.icontains(subject.subject, 'shared.*\".*Shared.?File')
    or regex.icontains(subject.subject, 'shared.*\".*Urgent')
    or regex.icontains(subject.subject, 'shared.*\".*Important')
    or regex.icontains(subject.subject, 'shared.*\".*Secure')
    or regex.icontains(subject.subject, 'shared.*\".*Encrypt')
    or regex.icontains(subject.subject, 'shared.*\".*shared')
    or regex.icontains(subject.subject, 'shared.*\".*protected')
    or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.pdf')
    or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.paper')
    // all caps filename allowing for numbers, punct and spaces, and an optional file extenstion
    or regex.contains(subject.subject,
                      'shared \"[A-Z0-9[:punct:]\s]+(?:\.[a-zA-Z]{3,5})\"'
    )
    or regex.icontains(subject.subject,
                       'shared \".*(?:shared|sent).*\" with you'
    )

    // MFA theme
    or regex.icontains(subject.subject, 'shared.*\".*Verification Code')
    or regex.icontains(subject.subject, 'shared.*\".*\bMFA\b')

    // the reply-to address is within the subject
    or any(headers.reply_to,
           strings.icontains(subject.subject, .email.domain.domain)
    )
  )
)

Detection logic

Scope: inbound message.

The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name.

inbound message
sender.email.email is 'no-reply@dropbox.com'
headers.auth_summary.spf.pass
headers.auth_summary.dmarc.pass
headers.auth_summary.spf.details.designator ends with '.dropbox.com'
subject.subject contains 'shared'
subject.subject contains 'with you'
any of:
- subject.subject contains 'dropbox'
- subject.subject contains 'sharefile'
- subject.subject matches any of 18 patterns
  - Accounts? (?:Payable|Receivable).*shared
  - Billing Support.*shared
  - Compliance HR.*shared
  - (?:Compliance|Executive|Finance|\bHR\b|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared
  - (?:Department|Team).*shared
  - Corporate Communications.*shared
  - Employee Relations.*shared
  - Office Manager.*shared
  - Risk Management.*shared
  - Payroll Admin(?:istrator).*shared
  - Human Resources.*shared
  - HR.*shared
  - IT Support.*shared
  - Information Technology.*shared
  - (?:Network|System)? Admin(?:istrator).*shared
  - Help Desk.*shared
  - Tech(?:nical) Support.*shared
  - \w+@\w+\.\w+.*shared
- any of:
  - subject.subject matches 'shared.*\\"Untitled.paper'
  - subject.subject matches 'shared.*\\".*scanne[rd]'
  - subject.subject matches 'shared.*\\".*_IMG_'
  - subject.subject matches 'shared.*\\".*IMG[_-](?:\\d|\\W)+\\"'
  - subject.subject matches 'shared.*\\".*one_docx'
  - subject.subject matches 'shared.*\\".*One.?Drive'
  - subject.subject matches 'shared.*\\".*click here'
  - subject.subject matches 'shared.*\\".*Download PDF'
  - subject.subject matches 'shared.*\\".*Validate'
  - subject.subject matches 'shared.*\\".*Invoice'
  - subject.subject matches 'shared.*\\".*INV\\b'
  - subject.subject matches 'shared.*\\".*Payment'
  - subject.subject matches 'shared.*\\".*ACH'
  - subject.subject matches 'shared.*\\".*Wire Confirmation'
  - subject.subject matches 'shared.*\\".*P[O0]\\W+?\\d+\\"'
  - subject.subject matches 'shared.*\\"P[O0](?:\\W+?|\\d+)'
  - subject.subject matches 'shared.*\\".*receipt'
  - subject.subject matches 'shared.*\\".*Billing'
  - subject.subject matches 'shared.*\\".*statement'
  - subject.subject matches 'shared.*\\".*Past Due'
  - subject.subject matches 'shared.*\\".*Remit(?:tance)?'
  - subject.subject matches 'shared.*\\".*Purchase Order'
  - subject.subject matches 'shared.*\\".*Settlement'
  - subject.subject matches 'shared.*\\".*Contract Agreement'
  - subject.subject matches 'shared.*\\".*Pr[0o]p[0o]sal'
  - subject.subject matches 'shared.*\\".*Contract Doc'
  - subject.subject matches 'shared.*\\".*Claim Doc'
  - subject.subject matches 'shared.*\\".*Payroll'
  - subject.subject matches 'shared.*\\".*Employee Pay\\b'
  - subject.subject matches 'shared.*\\".*Salary'
  - subject.subject matches 'shared.*\\".*Benefit Enrollment'
  - subject.subject matches 'shared.*\\".*Employee Handbook'
  - subject.subject matches 'shared.*\\".*Reimbursement Approved'
  - subject.subject matches 'shared.*\\".*(?:Faculty|Staff)\\s*(?:\\w+\\s+){0,3}\\s*Eval(?:uation)?'
  - subject.subject matches 'shared.*\\".*Shared.?File'
  - subject.subject matches 'shared.*\\".*Urgent'
  - subject.subject matches 'shared.*\\".*Important'
  - subject.subject matches 'shared.*\\".*Secure'
  - subject.subject matches 'shared.*\\".*Encrypt'
  - subject.subject matches 'shared.*\\".*shared'
  - subject.subject matches 'shared.*\\".*protected'
  - subject.subject matches 'shared.*\\".*\\.docx?\\.pdf'
  - subject.subject matches 'shared.*\\".*\\.docx?\\.paper'
  - subject.subject matches 'shared \\"[A-Z0-9[:punct:]\\s]+(?:\\.[a-zA-Z]{3,5})\\"'
  - subject.subject matches 'shared \\".*(?:shared|sent).*\\" with you'
  - subject.subject matches 'shared.*\\".*Verification Code'
  - subject.subject matches 'shared.*\\".*\\bMFA\\b'
  - any of headers.reply_to where:
    
    strings.icontains(subject.subject)

Inspects: headers.auth_summary.dmarc.pass, headers.auth_summary.spf.details.designator, headers.auth_summary.spf.pass, headers.reply_to, headers.reply_to[].email.domain.domain, sender.email.email, subject.subject, type.inbound. Sensors: regex.contains, regex.icontains, strings.ends_with, strings.icontains.

Indicators matched (71)

Field	Match	Value
`sender.email.email`	equals	`no-reply@dropbox.com`
`strings.ends_with`	suffix	`.dropbox.com`
`strings.icontains`	substring	`shared`
`strings.icontains`	substring	`with you`
`strings.icontains`	substring	`dropbox`
`strings.icontains`	substring	`sharefile`
`regex.icontains`	regex	`Accounts? (?:Payable\|Receivable).*shared`
`regex.icontains`	regex	`Billing Support.*shared`
`regex.icontains`	regex	`Compliance HR.*shared`
`regex.icontains`	regex	`(?:Compliance\|Executive\|Finance\|\bHR\b\|\bIT\b\|Legal\|Payroll\|Purchasing\|Operations\|Security\|Training\|Support).*shared`
`regex.icontains`	regex	`(?:Department\|Team).*shared`
`regex.icontains`	regex	`Corporate Communications.*shared`

59 more

`regex.icontains`	regex	`Employee Relations.*shared`
`regex.icontains`	regex	`Office Manager.*shared`
`regex.icontains`	regex	`Risk Management.*shared`
`regex.icontains`	regex	`Payroll Admin(?:istrator).*shared`
`regex.icontains`	regex	`Human Resources.*shared`
`regex.icontains`	regex	`HR.*shared`
`regex.icontains`	regex	`IT Support.*shared`
`regex.icontains`	regex	`Information Technology.*shared`
`regex.icontains`	regex	`(?:Network\|System)? Admin(?:istrator).*shared`
`regex.icontains`	regex	`Help Desk.*shared`
`regex.icontains`	regex	`Tech(?:nical) Support.*shared`
`regex.icontains`	regex	`\w+@\w+\.\w+.*shared`
`regex.icontains`	regex	`shared.*\"Untitled.paper`
`regex.icontains`	regex	`shared.\".scanne[rd]`
`regex.icontains`	regex	`shared.\"._IMG_`
`regex.icontains`	regex	`shared.\".IMG[_-](?:\d\|\W)+\"`
`regex.icontains`	regex	`shared.\".one_docx`
`regex.icontains`	regex	`shared.\".One.?Drive`
`regex.icontains`	regex	`shared.\".click here`
`regex.icontains`	regex	`shared.\".Download PDF`
`regex.icontains`	regex	`shared.\".Validate`
`regex.icontains`	regex	`shared.\".Invoice`
`regex.icontains`	regex	`shared.\".INV\b`
`regex.icontains`	regex	`shared.\".Payment`
`regex.icontains`	regex	`shared.\".ACH`
`regex.icontains`	regex	`shared.\".Wire Confirmation`
`regex.icontains`	regex	`shared.\".P[O0]\W+?\d+\"`
`regex.icontains`	regex	`shared.*\"P[O0](?:\W+?\|\d+)`
`regex.icontains`	regex	`shared.\".receipt`
`regex.icontains`	regex	`shared.\".Billing`
`regex.icontains`	regex	`shared.\".statement`
`regex.icontains`	regex	`shared.\".Past Due`
`regex.icontains`	regex	`shared.\".Remit(?:tance)?`
`regex.icontains`	regex	`shared.\".Purchase Order`
`regex.icontains`	regex	`shared.\".Settlement`
`regex.icontains`	regex	`shared.\".Contract Agreement`
`regex.icontains`	regex	`shared.\".Pr[0o]p[0o]sal`
`regex.icontains`	regex	`shared.\".Contract Doc`
`regex.icontains`	regex	`shared.\".Claim Doc`
`regex.icontains`	regex	`shared.\".Payroll`
`regex.icontains`	regex	`shared.\".Employee Pay\b`
`regex.icontains`	regex	`shared.\".Salary`
`regex.icontains`	regex	`shared.\".Benefit Enrollment`
`regex.icontains`	regex	`shared.\".Employee Handbook`
`regex.icontains`	regex	`shared.\".Reimbursement Approved`
`regex.icontains`	regex	`shared.\".(?:Faculty\|Staff)\s(?:\w+\s+){0,3}\sEval(?:uation)?`
`regex.icontains`	regex	`shared.\".Shared.?File`
`regex.icontains`	regex	`shared.\".Urgent`
`regex.icontains`	regex	`shared.\".Important`
`regex.icontains`	regex	`shared.\".Secure`
`regex.icontains`	regex	`shared.\".Encrypt`
`regex.icontains`	regex	`shared.\".shared`
`regex.icontains`	regex	`shared.\".protected`
`regex.icontains`	regex	`shared.\".\.docx?\.pdf`
`regex.icontains`	regex	`shared.\".\.docx?\.paper`
`regex.contains`	regex	`shared \"[A-Z0-9[:punct:]\s]+(?:\.[a-zA-Z]{3,5})\"`
`regex.icontains`	regex	`shared \".(?:shared\|sent).\" with you`
`regex.icontains`	regex	`shared.\".Verification Code`
`regex.icontains`	regex	`shared.\".\bMFA\b`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)