chat
expand_more

Legitimate Dropbox Transfer Used to Phish Microsoft Credentials

As the COVID-19 pandemic continues, governments worldwide are providing relief funds for small business owners impacted by lockdowns and closures. This allows attackers to exploit current efforts by the government, particularly since applicants to these funds...
June 10, 2020

As the COVID-19 pandemic continues, governments worldwide are providing relief funds for small business owners impacted by lockdowns and closures. This allows attackers to exploit current efforts by the government, particularly since applicants to these funds typically have to provide documents to prove their eligibility.

Since applicants are expecting email correspondence, this provides attackers with a unique opportunity to impersonate legitimate authorities and extract sensitive information from customers. In this attack, threat actors use a Dropbox link and landing page to do so.

Summary of Attack Target

  • Platform: Office 365
  • Victims: Small Business Owners
  • Payload: Phishing
  • Technique: Impersonation

Overview of the Dropbox Transfer Attack

The email itself is an automated message from the sender “no-reply@dropbox.com” which is an official Dropbox domain. The body contains a link to the file “COVID-19-Relief-Payment.PDF” with information about the size of the file, a brief description of the file, and the expiration date.

The attack itself is a two-step process. First, the recipient must click the link provided in the email, which leads to a standard Dropbox transfer landing page with the enablement to download the file.


After clicking on the download button, the page is redirected to a phishing landing page. In the second step, the landing page contains an O365 image with a button to “Access Document”. This is where the intent is revealed, which is to gain access to the user's Microsoft credentials.

In order to access the fake document, the user must input their Office 365 credentials. The moment they do so, their Microsoft credentials on all accounts are compromised, providing access to Outlook, SharePoint, OneDrive, Teams, and other Microsoft applications. From there, this account takeover can lead to data or financial loss for the organization, and the account itself can be used to send additional attacks on employees, customers, or partners.

Why the Dropbox Transfer Attack is Effective

There is a sense of urgency in the message, which states, "Heads up, this transfer expires in 4 days on June 10, 2020.” It appears that if the recipient doesn't download the file within the given timeframe, the file will expire and they might assume that the opportunity to receive relief funding will be missed or delayed. And even for vigilant email recipients who check the sender address, an automated message from the dropbox.com domain does look innocuous enough to at least click on the links provided.

This is a sophisticated attack because, by using Dropbox Transfer to send files, it is not necessary to spoof headers, as the sender name will come from the legitimate Dropbox domain. Not only does this bypass traditional mail filters, but it also goes undetected by any existing web proxy and firewall controls. This is also extremely convenient for attackers because they can send the payload without ever having to verify if the targeted network is allowing an inbound SMTP or testing firewalls/proxies.

Abnormal can stop this attack due to the unusual sender domain where it does not match any domains found in body links. In addition, the content of the email is related to COVID-19, a common theme right now for cyber attackers who are looking to take advantage of the pandemic.

To learn how Abnormal can protect your employees from Dropbox transfers and other malicious emails, request a demo today.

Legitimate Dropbox Transfer Used to Phish Microsoft Credentials

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Discover How It All Works

See How Abnormal AI Protects Humans

Related Posts

B Retail Industry Attack Trends Blog
New research reveals predictable seasonal cybersecurity patterns in retail. Discover when attacks are most prevalent and how to synchronize defenses with threat cycles.
Read More
Engineering Hyper Personalized Security Training pptx 1
Explore how Abnormal AI rapidly engineered AI Phishing Coach, a hyper-personalized training platform, by leveraging GenAI, internal developer tools, and an AI-first build process designed for speed and scale.
Read More
Innovate Summer Update Announcement Blog Cover
Join Abnormal Innovate: Summer Update on July 17 to explore the future of AI-powered email security with bite-sized sessions, expert insights, and exclusive product reveals.
Read More
High Scale Aggregation Cover
At Abnormal AI, detecting malicious behavior at scale means aggregating vast volumes of signals in realtime and batch. This post breaks down how we implemented the Signals DAG across both systems to achieve consistency, speed, and detection accuracy at scale.
Read More
B CISO SAT
Discover how modern CISOs are evolving security awareness training from a compliance checkbox into a strategic, AI-powered program that drives behavior change and builds a security-first culture.
Read More
B Regional VEC BEC Trends Blog
Regional analysis of 1,400+ organizations reveals how geography shapes email security risks. See which regions are most vulnerable to VEC vs BEC.
Read More