In this attack, the attacker impersonated Dropbox, a popular file-sharing service, in an attempt to lure the recipient into clicking on a malicious link. The email claimed that a document titled "{LAW FIRM NAME REDACTED}. New Contract.pdf" was being shared through Dropbox and included a "View on Dropbox" button to directly access the file. The message was also designed to appear as if it was the second attempt by the sender to deliver the file.

[Image: law firm Dropbox transfer email]

If the recipient had clicked on the "View on Dropbox" button, they would be redirected to the following site:

[Image: law firm Dropbox transfer site]

What makes this attack interesting is that the lawyer named in the email is an actual attorney at the law firm referenced in the file name, and the email address included in the body of the message is the address listed for that lawyer on the firm's website. Additionally, the sender email is no-reply@dropbox[.]com, which is the real address associated with file transfers sent directly from the Dropbox portal.

How Does This Attack Bypass Email Defenses?

Because the attack is text-based and carries no other indicators of compromise, a secure email gateway has little to go on when determining malicious intent. The email appears to be sent from the official Dropbox email address and passes all authentication checks for SPF, DKIM, and DMARC. Traditional email defenses may not catch this attack because it looks legitimate.

How Can This Attack Be Detected?

Machine learning algorithms and URL analysis could be used to detect suspicious links in emails that don't match the expected domain, even when the email appears to be from a legitimate source. Cloud email security solutions can also analyze the content of the message to look for certain patterns or combinations typically associated with phishing attacks, such as the impersonation of a file-sharing service.
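
The two checks described above, link-host comparison and content-pattern matching, shown as an added example that is not code from the original write-up or from any product. The signal names, the expected-domain table, the phrase lists and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: link domains expected for each file-sharing sender domain.
EXPECTED = {"dropbox.com": {"dropbox.com"}}
RESEND = re.compile(r"\b(second attempt|resending|sent again)\b", re.I)
LURE = re.compile(r"\b(contract|invoice|agreement)\b[^\n]*\.pdf", re.I)
ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
CONTENT = {"third_party_contact", "resend_pressure", "document_lure"}

# Constructed sample messages (placeholder names, hosts and paths).
HEAD = ("From: Dropbox <no-reply@dropbox.com>\n"
        "Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass\n"
        "Content-Type: text/html\n\n")
LINK = '<a href="https://{host}/constructed-path">View on Dropbox</a>'
LURE_BODY = ('<p>Second attempt: J. Doe (j.doe@lawfirm.example) shared '
             '"Law Firm. New Contract.pdf" with you.</p>' + LINK)
ON_DROPBOX = HEAD + LURE_BODY.format(host="www.dropbox.com")
OFF_DOMAIN = HEAD + LURE_BODY.format(host="files.example.net")

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def analyze(raw):
    """Return the set of signals found in one single-part HTML message."""
    msg = message_from_string(raw)
    sender = ADDR.search(msg.get("From", ""))
    sender_dom = sender.group(1).lower() if sender else ""
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body)  # crude tag strip, enough for the samples
    signals = set()
    auth = msg.get("Authentication-Results", "")
    if all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")):
        signals.add("auth_pass")  # informational only: true for every sample here
    for url in re.findall(r'href="(https?://[^"]+)"', body):
        host = (urlparse(url).hostname or "").lower()
        if sender_dom in EXPECTED and not any(under(host, d) for d in EXPECTED[sender_dom]):
            signals.add("link_host_mismatch")
    if any(not under(d.lower(), sender_dom) for d in ADDR.findall(text)):
        signals.add("third_party_contact")
    if RESEND.search(text):
        signals.add("resend_pressure")
    if LURE.search(text):
        signals.add("document_lure")
    return signals

def verdict(signals):
    # Escalate on an off-domain link or on two or more content signals.
    return "review" if "link_host_mismatch" in signals or len(signals & CONTENT) >= 2 else "pass"
```

On the constructed `ON_DROPBOX` message the link check stays silent because the link sits on the expected domain, so only the combination of content signals sends it for review.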

What are the Risks of This Attack?

If a recipient clicks on the "View on Dropbox" button, they may be directed to a malicious web page designed to steal their Dropbox login credentials or download malware onto their device. This can lead to unauthorized access to the user's files and sensitive information, with potential consequences such as data breaches, identity theft, and financial loss. In a business setting, this type of attack can impact not only the individual targeted but also the entire organization, as it could compromise internal systems and data.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Legitimate Hosting Infrastructure
Theme: Legal Matter, Fake Document
Impersonated Brands: Dropbox
