
Attachment: Dropbox image lure with no Dropbox domains in links

Sublime Rules

Summary
This detection rule identifies credential-phishing emails that use a Dropbox-themed image as the lure. It targets messages whose attachments are all images (the image itself carries the fake Dropbox share notice, which the rule's OCR step reads) and whose body links point to no Dropbox domain, something a genuine Dropbox share notification would not do. Key checks include filtering the attachments so that only image types are present, extracting the links in the message body and confirming that none resolves to a recognized Dropbox domain, and examining the sender's profile for malicious or spammy history, with known false-positive sources excluded. The rule combines content, file, header, optical character recognition (OCR) and sender analysis to catch credential phishing delivered through this social-engineering tactic.
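The following is an added illustration of the checks the summary describes, written in Python against a constructed MIME message; it is not Sublime's rule, not its MQL, and not code from the Sublime Rules project. The Dropbox domain allowlist, the known-good sender set and the OCR stub (a dict mapping attachment filename to the text an OCR engine would recover) are assumptions introduced for the example. The domain check is anchored on the right-hand side of the hostname so that a look-alike such as dropbox.com.evil.net is not mistaken for a Dropbox link, which is the edge case a practitioner most wants this kind of rule to get right.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts a genuine Dropbox share notification links to.
# Assumption: illustrative allowlist, not the rule's own domain list.
DROPBOX_DOMAINS = ("dropbox.com", "dropboxusercontent.com")

# Stand-in for the rule's sender-profile / false-positive checks.
# Assumption: an organisation-maintained list of vetted senders.
KNOWN_GOOD_SENDERS = {"no-reply@dropbox.com"}

# Constructed stand-in for the OCR step: attachment filename -> text read from the image.
OCR_STUB = {"dropbox_share.png": "Dropbox\nYou have received a document\nOpen"}

HREF_RE = re.compile(r'href=["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+')


def is_dropbox_host(host):
    """True only for a Dropbox domain or a subdomain of one.
    A look-alike such as dropbox.com.evil.net does not match because the
    comparison is anchored on the right of the hostname."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DROPBOX_DOMAINS)


def attachments(msg):
    return [p for p in msg.walk() if p.get_content_disposition() == "attachment"]


def body_links(msg):
    """Collect every http(s) URL from the non-attachment text/html and text/plain parts."""
    links = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            continue
        if part.get_content_type() in ("text/html", "text/plain"):
            text = part.get_content()
            links.extend(HREF_RE.findall(text))
            links.extend(BARE_URL_RE.findall(text))
    return links


def is_dropbox_image_lure(msg, ocr_text_by_filename=OCR_STUB):
    atts = attachments(msg)
    # 1. There must be attachments, and every one of them must be an image.
    if not atts or not all(p.get_content_maintype() == "image" for p in atts):
        return False
    # 2. At least one image reads as Dropbox-branded (OCR text supplied by the caller).
    if not any("dropbox" in ocr_text_by_filename.get(p.get_filename() or "", "").lower()
               for p in atts):
        return False
    # 3. The body carries links, and none of them points at a Dropbox domain.
    links = body_links(msg)
    if not links or any(is_dropbox_host(urlparse(u).hostname) for u in links):
        return False
    # 4. The sender is not one the organisation has already vetted.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return sender not in KNOWN_GOOD_SENDERS


def build_sample(link, sender, extra_pdf=False):
    """Constructed test message: HTML body with one link plus a fake PNG attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = "You have a new shared document"
    msg.set_content(f'<html><body><a href="{link}">View document</a></body></html>',
                    subtype="html")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png",
                       filename="dropbox_share.png")
    if extra_pdf:
        # A non-image attachment takes the message out of scope for this rule.
        msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                           filename="invoice.pdf")
    return msg


if __name__ == "__main__":
    lure = build_sample("https://evil.example.net/login", "Dropbox <share@mail.example.net>")
    print("lure flagged:", is_dropbox_image_lure(lure))
```

The order of the checks matters for cost as much as for correctness: the attachment-type filter and the OCR lookup are cheap to evaluate and cut most traffic before any link parsing or sender lookups happen, which mirrors how the summary sequences the rule's own checks.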
Categories
  • Endpoint
  • Web
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • File
  • Network Traffic
Created: 2023-05-22