
Summary
This detection rule identifies potential service abuse of Dropbox by monitoring share notifications whose reply-to address is unsolicited. It examines messages sent from Dropbox's legitimate sending address, 'no-reply@dropbox.com', and requires that they have passed SPF and DMARC authentication, confirming that the notification genuinely came from Dropbox. The rule triggers an alert when the subject includes the keywords 'shared' and 'with you', which is how normal Dropbox sharing notifications are worded. In addition, the rule uses a beta feature to assess the reply-to address, confirming that it has never exchanged email with the organization, either as a sender or as a recipient. The goal is to surface callback phishing attempts and business email compromise (BEC) fraud that ride on a legitimate Dropbox share notification: the notification itself is authentic, but the unfamiliar reply-to address steers any response to an attacker-controlled mailbox. The rule is intended for environments that use Dropbox for file sharing and emphasizes scrutinizing addresses that have no prior engagement history with the organization.
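As an added illustration, not the rule's own query or any vendor code, the following Python sketch runs the same logic over a few constructed sample messages. The AddressHistory class stands in for the beta reply-to history feature: its two sets of prior senders and recipients, and the message fields, are assumptions chosen for the example.

```python
"""Added example: Dropbox share notification with an unsolicited reply-to.

The rule conditions sketched here follow the summary above; the message
layout, the history sets and the sample messages are all constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

DROPBOX_SENDER = "no-reply@dropbox.com"
# Subject keywords named in the rule.
SUBJECT_KEYWORDS = ("shared", "with you")


@dataclass
class Message:
    msg_id: str
    sender: str
    reply_to: Optional[str]
    subject: str
    spf_pass: bool
    dmarc_pass: bool


@dataclass
class AddressHistory:
    """Stand-in for the reply-to history check (assumption): addresses the
    organization has previously exchanged mail with, as sender or recipient."""
    prior_senders: Set[str]
    prior_recipients: Set[str]

    def has_engaged(self, address: str) -> bool:
        addr = address.strip().lower()
        return addr in self.prior_senders or addr in self.prior_recipients


def subject_matches(subject: str) -> bool:
    """True when every rule keyword appears in the subject (case-insensitive)."""
    lowered = subject.lower()
    return all(keyword in lowered for keyword in SUBJECT_KEYWORDS)


def is_share_with_unsolicited_reply_to(msg: Message, history: AddressHistory) -> bool:
    # Only authenticated mail from Dropbox's real sending address is in scope;
    # spoofed lookalikes are left to other controls.
    if msg.sender.lower() != DROPBOX_SENDER:
        return False
    if not (msg.spf_pass and msg.dmarc_pass):
        return False
    if not subject_matches(msg.subject):
        return False
    # A reply-to header must be present and must point at an address the
    # organization has never corresponded with.
    if not msg.reply_to:
        return False
    return not history.has_engaged(msg.reply_to)


def run_detection(messages: Iterable[Message], history: AddressHistory) -> List[str]:
    """Return the ids of messages that match the rule."""
    return [m.msg_id for m in messages if is_share_with_unsolicited_reply_to(m, history)]


# Constructed sample data.
SAMPLE_HISTORY = AddressHistory(
    prior_senders={"partner@example.net"},
    prior_recipients={"vendor@example.org"},
)

SAMPLE_MESSAGES = [
    # Authentic notification, reply-to never seen before: matches.
    Message("m1", DROPBOX_SENDER, "accounts-team@example-unknown.test",
            "Alex shared 'Invoice_Q4.pdf' with you", True, True),
    # Authentic notification, reply-to is a known partner: no match.
    Message("m2", DROPBOX_SENDER, "partner@example.net",
            "Sam shared 'Roadmap.xlsx' with you", True, True),
    # Lookalike that fails SPF: out of scope for this rule.
    Message("m3", DROPBOX_SENDER, "accounts-team@example-unknown.test",
            "Alex shared 'Invoice_Q4.pdf' with you", False, True),
    # Authentic but unrelated subject and no reply-to: no match.
    Message("m4", DROPBOX_SENDER, None,
            "Your Dropbox storage is almost full", True, True),
    # Right wording, wrong sender: no match.
    Message("m5", "share@example-unknown.test", "accounts-team@example-unknown.test",
            "Alex shared 'Invoice_Q4.pdf' with you", True, True),
]


def flagged_sample_ids() -> List[str]:
    return run_detection(SAMPLE_MESSAGES, SAMPLE_HISTORY)


if __name__ == "__main__":
    for msg_id in flagged_sample_ids():
        print("flagged:", msg_id)
```

Only the first sample is flagged: the notification is authentic, the subject has the expected wording, and the reply-to address has no history with the organization. The message that fails SPF is deliberately ignored here, since this rule is about abuse of the real Dropbox service rather than spoofing of it.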
Categories
- Cloud
- Web
- Endpoint
Data Sources
- User Account
- Application Log
Created: 2024-12-18