Service abuse: Dropbox Paper with copy-paste instructions
Detects messages containing copy-paste instructions with links to Dropbox Paper documents, commonly used to bypass security controls by instructing users to manually navigate to malicious content.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Social engineering, Free file host, Evasion |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| type |
Rule body MQL
```
type.inbound
and strings.icontains(body.current_thread.text, 'copy')
and strings.icontains(body.current_thread.text, 'paste')
and any(body.current_thread.links,
        strings.icontains(.display_url.url, 'https://www.dropbox.com/scl/fi/')
        and strings.icontains(.display_url.url, '.paper')
)
```
Detection logic
Scope: inbound message.
- inbound message
- body.current_thread.text contains 'copy'
- body.current_thread.text contains 'paste'
- any of body.current_thread.links where all hold:
  - .display_url.url contains 'https://www.dropbox.com/scl/fi/'
  - .display_url.url contains '.paper'
Inspects: body.current_thread.links, body.current_thread.links[].display_url.url, body.current_thread.text, type.inbound. Sensors: strings.icontains.
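The detection logic above, emulated in Python over constructed messages so the conditions can be checked before tuning. This is an added example, not Sublime's engine or the rule author's code; the message dictionary layout, helper names and sample URLs are assumptions. The last sample shows that case-insensitive substring matching also hits words such as 'Copyright' and 'pasted'.

```python
# Added example: Python emulation of the rule logic, not Sublime's MQL engine.
# The dict layout is an assumption that mirrors the MQL field names on this page.

def icontains(haystack, needle):
    """Case-insensitive substring test, standing in for strings.icontains."""
    return needle.lower() in haystack.lower()

def link_matches(link):
    """Both URL conditions must hold on the same link's display URL."""
    url = link["display_url"]["url"]
    return icontains(url, "https://www.dropbox.com/scl/fi/") and icontains(url, ".paper")

def rule_matches(msg):
    thread = msg["body"]["current_thread"]
    return (
        msg["type"]["inbound"]
        and icontains(thread["text"], "copy")
        and icontains(thread["text"], "paste")
        and any(link_matches(link) for link in thread["links"])
    )

def make_msg(text, display_urls, inbound=True):
    """Build a constructed message with one link per display URL."""
    links = [{"display_url": {"url": u}} for u in display_urls]
    return {"type": {"inbound": inbound},
            "body": {"current_thread": {"text": text, "links": links}}}

# Constructed samples; EXAMPLEID and EXAMPLE are placeholders, not real indicators.
PAPER = "https://www.dropbox.com/scl/fi/EXAMPLEID/Invoice.paper?rlkey=EXAMPLE"
PDF = "https://www.dropbox.com/scl/fi/EXAMPLEID/report.pdf"
SAMPLES = {
    "instructions_with_paper_link": make_msg(
        "Please COPY and Paste this link into your browser: " + PAPER, [PAPER]),
    "paper_link_only": make_msg("Meeting notes are here.", [PAPER]),
    "other_dropbox_file": make_msg("Copy and paste the link below.", [PDF]),
    "outbound": make_msg("Copy and paste: " + PAPER, [PAPER], inbound=False),
    # Benign wording that still satisfies both keyword checks (substring match).
    "benign_substrings": make_msg(
        "Notes pasted below. Copyright 2024 Example Corp.", [PAPER]),
}

def evaluate():
    """Return {sample name: True if the emulated rule matches}."""
    return {name: rule_matches(m) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:30} {'MATCH' if hit else 'no match'}")
```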
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
| strings.icontains | substring | copy |
| strings.icontains | substring | paste |
| strings.icontains | substring | https://www.dropbox.com/scl/fi/ |
| strings.icontains | substring | .paper |