Service abuse: Dropbox Paper with copy-paste instructions

Sublime Rules

Summary
Detects inbound messages that instruct users to copy-paste steps and include links to Dropbox Paper documents. The rule triggers when the incoming thread text contains the words 'copy' and 'paste' and at least one embedded link whose display URL starts with https://www.dropbox.com/scl/fi/ and includes a .paper document. This pattern is used to sidestep security controls by guiding users to a hosted Dropbox Paper document containing malicious or credential-collection content. The rule is labeled medium severity and maps to Credential Phishing, with tactics centered on social engineering, use of a free file host, and evasion. Detection relies on content analysis of the message body and URL analysis of embedded links to identify such abuse patterns.
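The matching logic described in the summary, re-expressed in Python as an added example; it is not the Sublime rule source. The Message model, the whole-word case-insensitive matching, and the requirement that ".paper" end the last path segment are assumptions made for this sketch, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PAPER_PREFIX = "https://www.dropbox.com/scl/fi/"  # prefix quoted in the summary
WORDS = (re.compile(r"\bcopy\b", re.I), re.compile(r"\bpaste\b", re.I))

@dataclass
class Message:  # hypothetical, simplified message model
    inbound: bool
    thread_text: str  # text of the current thread only
    display_urls: list = field(default_factory=list)  # display URL of each link

def is_paper_link(display_url: str) -> bool:
    """True for a display URL under the Dropbox prefix that names a .paper doc."""
    url = display_url.strip()
    if not url.lower().startswith(PAPER_PREFIX):
        return False  # also rejects lookalike hosts such as dropbox.com.<other>
    # Assumption: ".paper" must end the last path segment, so a ".paper"
    # that appears only in the query string does not count.
    last_segment = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]
    return last_segment.lower().endswith(".paper")

def matches_rule(msg: Message) -> bool:
    if not msg.inbound:
        return False
    if not all(p.search(msg.thread_text) for p in WORDS):
        return False  # both 'copy' and 'paste' are required
    return any(is_paper_link(u) for u in msg.display_urls)

# Constructed sample messages (not real traffic).
SAMPLES = {
    "lure": Message(True, "Please copy the link and paste it into your browser.",
        ["https://www.dropbox.com/scl/fi/EXAMPLEID/Invoice.paper?rlkey=EXAMPLE&dl=0"]),
    "no_instructions": Message(True, "Notes from today's meeting are linked.",
        ["https://www.dropbox.com/scl/fi/EXAMPLEID/Notes.paper?dl=0"]),
    "not_paper": Message(True, "Copy and paste the figures from the sheet.",
        ["https://www.dropbox.com/scl/fi/EXAMPLEID/report.pdf?dl=0"]),
    "lookalike_host": Message(True, "copy then paste",
        ["https://www.dropbox.com.example.test/scl/fi/x/a.paper"]),
    "outbound": Message(False, "copy and paste this",
        ["https://www.dropbox.com/scl/fi/EXAMPLEID/a.paper"]),
}

def verdicts() -> dict:
    return {name: matches_rule(m) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:16} {'MATCH' if hit else 'no match'}")
```

Only the "lure" sample matches; the others each fail exactly one of the three conditions, which makes them useful negative cases when tuning the rule against legitimate Dropbox Paper sharing.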
Categories
  • Web
  • Application
Data Sources
  • Application Log
Created: 2026-05-08