Detection rules › Sublime MQL

Credential Phishing via Dropbox comment abuse

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

This rule detects Credential Phishing attacks exploiting familiar brands via Dropbox comments. These attacks originate from legitimate Dropbox infrastructure and attempt to pivot to external freemail addresses.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category               | Values
Attack types           | Credential Phishing
Tactics and techniques | Evasion, Out of band pivot, Social engineering

Event coverage

Rule body MQL

type.inbound
and length(attachments) == 0

// Legitimate Dropbox sending infrastructure
and (
  sender.email.domain.root_domain in ('dropbox.net', 'dropbox.com')
  // require a DMARC pass so that spoofed Dropbox senders do not match here
  and headers.auth_summary.dmarc.pass
)

// Dropbox Logo or text
and (
  any(ml.logo_detect(file.message_screenshot()).brands, .name == "Dropbox")
  or strings.contains(body.current_thread.text, "Dropbox")
)

// Require common brand impersonation
and strings.ilike(body.current_thread.text,
                  "*mcafee*",
                  "*norton*",
                  "*geek*squad*",
                  "*paypal*",
                  "*ebay*",
                  "*symantec*",
                  "*best buy*",
                  "*lifelock*",
                  "*geek*support*"
)
and 3 of (
  strings.ilike(body.current_thread.text, '*purchase*'),
  strings.ilike(body.current_thread.text, '*payment*'),
  strings.ilike(body.current_thread.text, '*transaction*'),
  strings.ilike(body.current_thread.text, '*subscription*'),
  strings.ilike(body.current_thread.text, '*antivirus*'),
  strings.ilike(body.current_thread.text, '*order*'),
  strings.ilike(body.current_thread.text, '*support*'),
  strings.ilike(body.current_thread.text, '*help line*'),
  strings.ilike(body.current_thread.text, '*receipt*'),
  strings.ilike(body.current_thread.text, '*invoice*'),
  strings.ilike(body.current_thread.text, '*call*'),
  strings.ilike(body.current_thread.text, '*cancel*'),
  strings.ilike(body.current_thread.text, '*renew*'),
  strings.ilike(body.current_thread.text, '*refund*'),
  strings.ilike(body.current_thread.text, '*transfer*'),
  strings.ilike(body.current_thread.text, '*message*')
)

// there's an email in the body
and regex.contains(body.current_thread.text,
                   "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
)

// and it's likely a freemail
and any($free_email_providers, strings.icontains(body.current_thread.text, .))

Detection logic

Scope: inbound message.

  1. inbound message
  2. length(attachments) is 0
  3. all of:
    • sender.email.domain.root_domain in ('dropbox.net', 'dropbox.com')
    • headers.auth_summary.dmarc.pass
  4. any of:
    • any of ml.logo_detect(file.message_screenshot()).brands where:
      • .name is 'Dropbox'
    • body.current_thread.text contains 'Dropbox'
  5. body.current_thread.text matches any of 9 patterns
    • *mcafee*
    • *norton*
    • *geek*squad*
    • *paypal*
    • *ebay*
    • *symantec*
    • *best buy*
    • *lifelock*
    • *geek*support*
  6. at least 3 of 16: body.current_thread.text matches any of 16 patterns
    • *purchase*
    • *payment*
    • *transaction*
    • *subscription*
    • *antivirus*
    • *order*
    • *support*
    • *help line*
    • *receipt*
    • *invoice*
    • *call*
    • *cancel*
    • *renew*
    • *refund*
    • *transfer*
    • *message*
  7. body.current_thread.text matches '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}'
  8. any of $free_email_providers where:
    • strings.icontains(body.current_thread.text, .)

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: file.message_screenshot, ml.logo_detect, regex.contains, strings.contains, strings.icontains, strings.ilike. Reference lists: $free_email_providers.
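The rule body and the numbered detection logic above are not directly runnable outside Sublime, so the following is an added example (it is not code from the page or from the sublime-rules repository) that re-implements the same clause ordering in Python and runs it over constructed sample notifications. Assumptions: the message is a plain dict mirroring the MQL fields the rule inspects; `logo_brands` stands in for `ml.logo_detect(file.message_screenshot()).brands[].name`; `FREE_EMAIL_PROVIDERS` is a short constructed stand-in for Sublime's much longer `$free_email_providers` list; the sample bodies are constructed, not captured messages. The extra `freemail_pivot_addresses` function is not part of the rule; it shows a stricter form of the final clause.

```python
import fnmatch
import re

# Constructed stand-in for Sublime's $free_email_providers reference list.
# Assumption: the real list is maintained by Sublime and is much longer.
FREE_EMAIL_PROVIDERS = [
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
    "aol.com", "icloud.com", "proton.me", "protonmail.com",
]

# Glob patterns copied from the rule body (MQL strings.ilike semantics).
IMPERSONATED_BRANDS = [
    "*mcafee*", "*norton*", "*geek*squad*", "*paypal*", "*ebay*",
    "*symantec*", "*best buy*", "*lifelock*", "*geek*support*",
]
LURE_TERMS = [
    "*purchase*", "*payment*", "*transaction*", "*subscription*",
    "*antivirus*", "*order*", "*support*", "*help line*", "*receipt*",
    "*invoice*", "*call*", "*cancel*", "*renew*", "*refund*",
    "*transfer*", "*message*",
]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DROPBOX_ROOT_DOMAINS = ("dropbox.net", "dropbox.com")


def ilike(text: str, pattern: str) -> bool:
    """Case-insensitive glob match over the whole text, like MQL strings.ilike.
    fnmatch's '*' also spans newlines, so multi-line comment bodies work."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def evaluate(msg: dict) -> tuple[bool, str]:
    """Apply the rule's clauses in order and return (verdict, reason).

    msg is a constructed dict mirroring the MQL fields the rule inspects:
      inbound, attachments (count), sender_root_domain, dmarc_pass,
      body_text (body.current_thread.text), logo_brands (stand-in for
      ml.logo_detect(file.message_screenshot()).brands[].name).
    """
    body = msg["body_text"]
    if not msg["inbound"] or msg["attachments"] != 0:
        return False, "not an attachment-free inbound message"
    # Genuine Dropbox infrastructure only: root domain plus a DMARC pass.
    if msg["sender_root_domain"] not in DROPBOX_ROOT_DOMAINS or not msg["dmarc_pass"]:
        return False, "sender is not DMARC-passing Dropbox infrastructure"
    # strings.contains is case-sensitive, so 'Dropbox' must appear as written.
    if "Dropbox" not in msg["logo_brands"] and "Dropbox" not in body:
        return False, "no Dropbox logo or text"
    brands = [p for p in IMPERSONATED_BRANDS if ilike(body, p)]
    if not brands:
        return False, "no impersonated brand"
    lures = [p for p in LURE_TERMS if ilike(body, p)]
    if len(lures) < 3:
        return False, f"only {len(lures)} of 16 lure terms"
    if not EMAIL_RE.search(body):
        return False, "no email address in body"
    # The rule's final clause is a substring search of the whole body for any
    # provider name; it does not inspect the address that was actually found.
    lowered = body.lower()
    providers = [d for d in FREE_EMAIL_PROVIDERS if d in lowered]
    if not providers:
        return False, "no freemail provider string in body"
    return True, f"brand={brands} lures={len(lures)} freemail={providers}"


def freemail_pivot_addresses(body: str) -> list[str]:
    """Stricter variant (not in the rule): return only addresses whose domain
    is on the freemail list, ignoring a provider name mentioned in prose."""
    return [
        addr for addr in EMAIL_RE.findall(body)
        if addr.rsplit("@", 1)[1].lower() in FREE_EMAIL_PROVIDERS
    ]


# Constructed comment notification modelled on the lure this rule targets.
PHISH = {
    "inbound": True, "attachments": 0,
    "sender_root_domain": "dropbox.com", "dmarc_pass": True,
    "logo_brands": ["Dropbox"],
    "body_text": (
        "Dropbox\n"
        "A user commented on Norton_Invoice.pdf:\n"
        "Your Norton 360 antivirus subscription has been renewed and a payment\n"
        "of $349.99 was charged. To cancel the order and request a refund,\n"
        "call our support help line or email billing.desk@gmail.com.\n"
    ),
}
# Constructed benign share notification: genuine Dropbox, no brand lure.
BENIGN = {
    "inbound": True, "attachments": 0,
    "sender_root_domain": "dropbox.com", "dmarc_pass": True,
    "logo_brands": ["Dropbox"],
    "body_text": "Dropbox\nMaria shared Q3_budget.xlsx with you. Open it before the team call.\n",
}

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("benign", BENIGN),
                    ("spoof", {**PHISH, "dmarc_pass": False})):
        print(name, *evaluate(m))
    print("freemail pivot addresses:", freemail_pivot_addresses(PHISH["body_text"]))
```

Two points worth noting from running this. First, the DMARC clause is a scoping decision, not a weakness: a spoofed Dropbox sender fails the rule on purpose, because this rule is only about abuse of the real comment feature and spoofs are left to other detections. Second, the final clause of the rule matches any freemail provider string anywhere in the thread text, so a lure that points to a look-alike domain but mentions a freemail provider in passing still satisfies it; `freemail_pivot_addresses` shows the tighter check a tuning pass could add if that produces false positives in your environment.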

Indicators matched (30)

Field                                                   | Match     | Value
sender.email.domain.root_domain                         | member    | dropbox.net
sender.email.domain.root_domain                         | member    | dropbox.com
ml.logo_detect(file.message_screenshot()).brands[].name | equals    | Dropbox
strings.contains                                        | substring | Dropbox
strings.ilike                                           | substring | *mcafee*
strings.ilike                                           | substring | *norton*
strings.ilike                                           | substring | *geek*squad*
strings.ilike                                           | substring | *paypal*
strings.ilike                                           | substring | *ebay*
strings.ilike                                           | substring | *symantec*
strings.ilike                                           | substring | *best buy*
strings.ilike                                           | substring | *lifelock*
strings.ilike                                           | substring | *geek*support*
strings.ilike                                           | substring | *purchase*
strings.ilike                                           | substring | *payment*
strings.ilike                                           | substring | *transaction*
strings.ilike                                           | substring | *subscription*
strings.ilike                                           | substring | *antivirus*
strings.ilike                                           | substring | *order*
strings.ilike                                           | substring | *support*
strings.ilike                                           | substring | *help line*
strings.ilike                                           | substring | *receipt*
strings.ilike                                           | substring | *invoice*
strings.ilike                                           | substring | *call*
strings.ilike                                           | substring | *cancel*
strings.ilike                                           | substring | *renew*
strings.ilike                                           | substring | *refund*
strings.ilike                                           | substring | *transfer*
strings.ilike                                           | substring | *message*
regex.contains                                          | regex     | [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}