Blog
/
Email
/
March 8, 2024

Malicious Use of Dropbox in Phishing Attacks

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
08
Mar 2024
Understand the tactics of phishing attacks that exploit Dropbox and learn how to recognize and mitigate these emerging cybersecurity threats.

Evolving Phishing Attacks

While email has long been the vector of choice for carrying out phishing attacks, threat actors, and their tactics, techniques, and procedures (TTPs), are continually adapting and evolving to keep pace with the emergence of new technologies that represent new avenues to exploit. As previously discussed by the Darktrace analyst team, several novel threats relating to the abuse of commonly used services and platforms were observed throughout 2023, including the rise of QR Code Phishing and the use of Microsoft SharePoint and Teams in phishing campaigns.

Dropbox Phishing Attacks

It should, therefore, come as no surprise that the malicious use of other popular services has gained traction in recent years, including the cloud storage platform Dropbox.

With over 700 million registered users [1], Dropbox has established itself as a leading cloud storage service celebrated for its simplicity in file storage and sharing, but in doing so it has also inadvertently opened a new avenue for threat actors to exploit. By leveraging the legitimate infrastructure of Dropbox, threat actors are able to carry out a range of malicious activities, from convincing their targets to unknowingly download malware to revealing sensitive information like login credentials.

Darktrace Detection of Dropbox Phishing Attack

Darktrace detected a malicious attempt to use Dropbox in a phishing attack in January 2024, when employees of a Darktrace customer received a seemingly innocuous email from a legitimate Dropbox address. Unbeknownst to the employees, however, a malicious link had been embedded in the contents of the email that could have led to a widespread compromise of the customer’s Software-as-a-Service (SaaS) environment. Fortunately for this customer, Darktrace / EMAIL quickly identified the suspicious emails and took immediate actions to stop them from being opened. If an email was accessed by an employee, Darktrace / IDENTITY was able to recognize any suspicious activity on the customer’s SaaS platform and bring it to the immediate detection of their security team.

Attack overview

Initial infection  

On January 25, 2024, Darktrace / EMAIL observed an internal user on a customer’s SaaS environment receiving an inbound email from ‘no-reply@dropbox[.]com’, a legitimate email address used by the Dropbox file storage service.  Around the same time 15 other employees also received the same email.

The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization. Although the email and the Dropbox endpoint were both legitimate, Darktrace identified that the PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, ‘mmv-security[.]top’.  

Darktrace understood that despite being sent from a legitimate service, the email’s initiator had never previously corresponded with anyone at the organization and therefore treated it with suspicion. This tactic, whereby a legitimate service sends an automated email using a fixed address, such as ‘no-reply@dropbox[.]com’, is often employed by threat actors attempting to convince SaaS users to follow a malicious link.

As there is very little to distinguish between malicious or benign emails from these types of services, they can often evade the detection of traditional email security tools and lead to disruptive account takeovers.

As a result of this detection, Darktrace / EMAIL immediately held the email, stopping it from landing in the employee’s inbox and ensuring the suspicious domain could not be visited. Open-source intelligence (OSINT) sources revealed that this suspicious domain was, in fact, a newly created endpoint that had been reported for links to phishing by multiple security vendors [2].

A few days later on January 29, the user received another legitimate email from ‘no-reply@dropbox[.]com’ that served as a reminder to open the previously shared PDF file. This time, however, Darktrace / EMAIL moved the email to the user’s junk file and applied a lock link action to prevent the user from directly following a potentially malicious link.

Figure 1: Anomaly indicators associated with the suspicious emails sent by ’no.reply@dropbox[.]com’, and the corresponding actions performed by Darktrace / EMAIL

Unfortunately for the customer in this case, their employee went on to open the suspicious email and follow the link to the PDF file, despite Darktrace having previously locked it.

Figure 2: Confirmation that the SaaS user read the suspicious email and followed the link to the PDF file hosted on Dropbox, despite it being junked and link locked.

Darktrace / NETWORK subsequently identified that the internal device associated with this user connected to the malicious endpoint, ‘mmv-security[.]top’, a couple of days later.

Further investigation into this suspicious domain revealed that it led to a fake Microsoft 365 login page, designed to harvest the credentials of legitimate SaaS account holders. By masquerading as a trusted organization, like Microsoft, these credential harvesters are more likely to appear trustworthy to their targets, and therefore increase the likelihood of stealing privileged SaaS account credentials.  

Figure 3: The fake Microsoft login page that the user was directed to after clicking the link in the PDF file.

Suspicious SaaS activity

In the days following the initial infection, Darktrace / IDENTITY began to observe a string of suspicious SaaS activity being performed by the now compromised Microsoft 365 account.

Beginning on January 31, Darktrace observed a number of suspicious SaaS logins from multiple unusual locations that had never previously accessed the account, including 73.95.165[.]113. Then on February 1, Darktrace detected unusual logins from the endpoints 194.32.120[.]40 and 185.192.70[.]239, both of which were associated with ExpressVPN indicating that threat actors may have been using a virtual private network (VPN) to mask their true location.

FIgure 4: Graph Showing several unusual logins from different locations observed by Darktrace/Apps on the affected SaaS account.

Interestingly, the threat actors observed during these logins appeared to use a valid multi-factor authentication (MFA) token, indicating that they had successfully bypassed the customer’s MFA policy. In this case, it appears likely that the employee had unknowingly provided the attackers with an MFA token or unintentionally approved a login verification request. By using valid tokens and meeting the necessary MFA requirements, threat actors are often able to remain undetected by traditional security tools that view MFA as the silver bullet. However, Darktrace’s anomaly-based approach to threat detection allows it to quickly identify unexpected activity on a device or SaaS account, even if it occurs with legitimate credentials and successfully passed authentication requirements, and bring it to the attention of the customer’s security team.

Shortly after, Darktrace observed an additional login to the SaaS account from another unusual location, 87.117.225[.]155, this time seemingly using the HideMyAss (HMA) VPN service. Following this unusual login, the actor was seen creating a new email rule on the compromised Outlook account. The new rule, named ‘….’, was intended to immediately move any emails from the organization’s accounts team directly to the ‘Conversation History’ mailbox folder. This is a tactic often employed by threat actors during phishing campaigns to ensure that their malicious emails (and potential responses to them) are automatically moved to less commonly visited mailbox folders in order to remain undetected on target networks. Furthermore, by giving this new email rule a generic name, like ‘….’ it is less likely to draw the attention of the legitimate account holder or the organizations security team.

Following this, Darktrace / EMAIL observed the actor sending updated versions of emails that had previously been sent by the legitimate account holder, with subject lines containing language like “Incorrect contract” and “Requires Urgent Review”, likely in an attempt to illicit some kind of follow-up action from the intended recipient.  This likely represented threat actors using the compromised account to send further malicious emails to the organization’s accounts team in order to infect additional accounts across the customer’s SaaS environment.

Unfortunately, Darktrace's Autonomous Response was not deployed in the customer’s SaaS environment in this instance, meaning that the aforementioned malicious activity did not lead to any mitigative actions to contain the compromise. Had Autonomous Response been enabled in fully autonomous mode at the time of the attack, it would have quickly moved to log out and disable the suspicious actor as soon as they had logged into the SaaS environment from an unusual location, effectively shutting down this account takeover attempt at the earliest opportunity.

Nevertheless, Darktrace / EMAIL's swift identification and response to the suspicious phishing emails, coupled with Darktrace / IDENTITY's detection of the unusual SaaS activity, allowed the customer’s security team to quickly identify the offending SaaS actor and take the account offline before the attack could escalate further

Conclusion

As organizations across the world continue to adopt third-party solutions like Dropbox into their day-to-day business operations, threat actors will, in turn, continue to seek ways to exploit these and add them to their arsenal. As illustrated in this example, it is relatively simple for attackers to abuse these legitimate services for malicious purposes, all while evading detection by endpoint users and security teams alike.

By leveraging these commonly used platforms, malicious actors are able to carry out disruptive cyber-attacks, like phishing campaigns, by taking advantage of legitimate, and seemingly trustworthy, infrastructure to host malicious files or links, rather than relying on their own infrastructure. While this tactic may bypass traditional security measures, Darktrace’s Self-Learning AI enables it to recognize unusual senders within an organization’s email environment, even if the email itself seems to have come from a legitimate source, and prevent them from landing in the target inbox. In the event that a SaaS account does become compromised, Darktrace is able to identify unusual login locations and suspicious SaaS activities and bring them to the attention of the customer for remediation.

In addition to the prompt identification of emerging threats, Darktrace's Autonomous Response is uniquely placed to take swift autonomous action against any suspicious activity detected within a customer’s SaaS environment, effectively containing any account takeover attempts in the first instance.

Credit to Ryan Traill, Threat Content Lead, Emily Megan Lim, Cyber Security Analyst

Appendices

Darktrace Model Detections  

- Model Breach: SaaS / Access::Unusual External Source for SaaS Credential Use

- Model Breach: SaaS / Unusual Activity::Multiple Unusual External Sources For SaaS Credential

- Model Breach: SaaS / Access::Unusual External Source for SaaS Credential Use

- Model Breach: SaaS / Access::Unusual External Source for SaaS Credential Use

- Model Breach: SaaS / Unusual Activity::Multiple Unusual SaaS Activities

- Model Breach: SaaS / Unusual Activity::Unusual MFA Auth and SaaS Activity

- Model Breach: SaaS / Compromise::Unusual Login and New Email Rule

- Model Breach: SaaS / Compliance::Anomalous New Email Rule

- Model Breach: SaaS / Compliance::New Email Rule

- Model Breach: SaaS / Compromise::SaaS Anomaly Following Anomalous Login

- Model Breach: Device / Suspicious Domain

List of Indicators of Compromise (IoCs)

Domain IoC

mmv-security[.]top’ - Credential Harvesting Endpoint

IP Address

73.95.165[.]113 - Unusual Login Endpoint

194.32.120[.]40 - Unusual Login Endpoint

87.117.225[.]155 - Unusual Login Endpoint

MITRE ATT&CK Mapping

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.004 - Cloud Accounts

DISCOVERY

T1538 - Cloud Service Dashboard

RESOURCE DEVELOPMENT

T1586 - Compromise Accounts

CREDENTIAL ACCESS

T1539 - Steal Web Session Cookie

PERSISTENCE

T1137 - Outlook Rules

INITIAL ACCESS

T156.002 Spearphishing Link

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Ryan Traill
Analyst Content Lead
Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
Share this article
Trending blogs
1
Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats
Mar 4, 2025
2
Darktrace Releases Annual 2024 Threat Insights
Feb 19, 2025
3
From Hype to Reality: How AI is Transforming Cybersecurity Practices
Feb 10, 2025
4
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Mar 6, 2025
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.

Blog

/

Cloud

/

April 2, 2025

Fusing Vulnerability and Threat Data: Enhancing the Depth of Attack Analysis

Default blog imageDefault blog image

Cado Security, recently acquired by Darktrace, is excited to announce a significant enhancement to its data collection capabilities, with the addition of a vulnerability discovery feature for Linux-based cloud resources. According to Darktrace’s Annual Threat Report 2024, the most significant campaigns observed in 2024 involved the ongoing exploitation of significant vulnerabilities in internet-facing systems. Cado’s new vulnerability discovery capability further deepens its ability to provide extensive context to security teams, enabling them to make informed decisions about threats, faster than ever.

Deep context to accelerate understanding and remediation

Context is critical when understanding the circumstances surrounding a threat. It can also take many forms – alert data, telemetry, file content, business context (for example asset criticality, core function of the resource), and risk context, such as open vulnerabilities.

When performing an investigation, it is common practice to understand the risk profile of the resource impacted, specifically determining open vulnerabilities and how they may relate to the threat. For example, if an analyst is triaging an alert related to an internet-facing Webserver running Apache, it would greatly benefit the analyst to understand open vulnerabilities in the Apache version that is running, if any of them are exploitable, whether a fix is available, etc. This dataset also serves as an invaluable source when developing a remediation plan, identifying specific vulnerabilities to be prioritised for patching.

Data acquisition in Cado

Cado is the only platform with the ability to perform full forensic captures as well as utilize instant triage collection methods, which is why fusing host-based artifact data with vulnerability data is such an exciting and compelling development.

The vulnerability discovery feature can be run as part of an acquisition – full or triage – as well as independently using a fast ‘Scan only’ mode.

Figure 1: A fast vulnerability scan being performed on the acquired evidence

Once the acquisition has completed, the user will have access to a ‘Vulnerabilities’ table within their investigation, where they are able to view and filter open vulnerabilities (by Severity, CVE ID, Resource, and other properties), as well as pivot to the full Event Timeline. In the Event Timeline, the user will be able to identify whether there is any malicious, suspicious or other interesting activity surrounding the vulnerable package, given the unified timeline presents a complete chronological dataset of all evidence and context collected.

Figure 2: Vulnerabilities discovered on the acquired evidence
Figure 3: Pivot from the Vulnerabilities table to the Event Timeline provides an in-depth view of file and process data associated with the vulnerable package selected. In this example, Apache2.

Future work

In the coming months, we’ll be releasing initial versions of highly anticipated integrations between Cado and Darktrace, including the ability to ingest Darktrace / CLOUD alerts which will automatically trigger a forensic capture (as well as a vulnerability discovery) of the impacted assets.

To learn more about how Cado and Darktrace will combine forces, request a demo today.

Continue reading
About the author
Paul Bottomley
Director of Product Management, Cado

Blog

/

OT

/

March 28, 2025

Darktrace Recognized as the Only Visionary in the 2025 Gartner® Magic Quadrant™ for CPS Protection Platforms

Default blog imageDefault blog image

We are thrilled to announce that Darktrace has been named the only Visionary in the inaugural Gartner® Magic Quadrant™ for Cyber-Physical Systems (CPS) Protection Platforms. We feel This recognition highlights Darktrace’s AI-driven approach to securing industrial environments, where conventional security solutions struggle to keep pace with increasing cyber threats.

A milestone for CPS security

It's our opinion that the first-ever Gartner Magic Quadrant for CPS Protection Platforms reflects a growing industry shift toward purpose-built security solutions for critical infrastructure. As organizations integrate IT, OT, and cloud-connected systems, the cyber risk landscape continues to expand. Gartner evaluated 17 vendors based on their Ability to Execute and Completeness of Vision, establishing a benchmark for security leaders looking to enhance cyber resilience in industrial environments.

We believe the Gartner recognition of Darktrace as the only Visionary reaffirms the platform’s ability to proactively defend against cyber risks through AI-driven anomaly detection, autonomous response, and risk-based security strategies. With increasingly sophisticated attacks targeting industrial control systems, organizations need a solution that continuously evolves to defend against both known and unknown threats.

AI-driven security for CPS environments

Securing CPS environments requires an approach that adapts to the dynamic nature of industrial operations. Traditional security tools rely on static signatures and predefined rules, leaving gaps in protection against novel and sophisticated threats. Darktrace / OT takes a different approach, leveraging Self-Learning AI to detect and neutralize threats in real time, even in air-gapped or highly regulated environments.

Darktrace / OT continuously analyzes network behaviors to establish a deep understanding of what is “normal” for each industrial environment. This enables it to autonomously identify deviations that signal potential cyber threats, providing early warning and proactive defense before attacks can disrupt operations. Unlike rule-based security models that require constant manual updates, Darktrace / OT improves with the environment, ensuring long-term resilience against emerging cyber risks.

Bridging the IT-OT security gap

A major challenge for organizations protecting CPS environments is the disconnect between IT and OT security. While IT security has traditionally focused on data

protection and compliance, OT security is driven by operational uptime and safety, leading to siloed security programs that leave critical gaps in visibility and response.

Darktrace / OT eliminates these silos by providing unified visibility across IT, OT, and IoT assets, ensuring that security teams have a complete picture of their attack surface. Its AI-driven approach enables cross-domain threat detection, recognizing risks that move laterally between IT and OT environments. By seamlessly integrating with existing security architectures, Darktrace / OT helps organizations close security gaps without disrupting industrial processes.

Proactive OT risk management and resilience

Beyond detection and response, Darktrace / OT strengthens organizations’ ability to manage cyber risk proactively. By mapping vulnerabilities to real-world attack paths, it prioritizes remediation actions based on actual exploitability and business impact, rather than relying on isolated CVE scores. This risk-based approach enables security teams to focus resources where they matter most, reducing overall exposure to cyber threats.

With autonomous threat response capabilities, Darktrace / OT not only identifies risks but also contains them in real time, preventing attackers from escalating intrusions. Whether mitigating ransomware, insider threats, or sophisticated nation-state attacks, Darktrace / OT ensures that industrial environments remain secure, operational, and resilient, no matter how threats evolve.

AI-powered incident response and SOC automation

Security teams are facing an overwhelming volume of alerts, making it difficult to prioritize threats and respond effectively. Darktrace / OT’s Cyber AI Analyst acts as a force multiplier for security teams by automating threat investigation, alert triage, and response actions. By mimicking the workflow of a human SOC analyst, Cyber AI Analyst provides contextual insights that accelerate incident response and reduce the manual workload on security teams.

With 24/7 autonomous monitoring, Darktrace / OT ensures that threats are continuously detected and investigated in real time. Whether facing ransomware, insider threats, or sophisticated nation-state attacks, organizations can rely on AI-driven security to contain threats before they disrupt operations.

Trusted by customers: Darktrace / OT recognized in Gartner Peer Insights

Source: Gartner Peer Insights (Oct 28th)

Beyond our recognition in the Gartner Magic Quadrant, we feel Darktrace / OT is one of the highest-rated CPS security solutions on Gartner Peer Insights, reflecting strong customer trust and validation. With a 4.9/5 overall rating and the highest "Willingness to Recommend" score among CPS vendors, organizations across critical infrastructure and industrial sectors recognize the impact of our AI-driven security approach. Source: Gartner Peer Insights (Oct 28th)

This strong customer endorsement underscores why leading enterprises trust Darktrace / OT to secure their CPS environments today and in the future.

Redefining the future of CPS security

It's our view that Darktrace’s recognition as the only Visionary in the Gartner Magic Quadrant for CPS Protection Platforms validates its leadership in next-generation industrial security. As cyber threats targeting critical infrastructure continue to rise, organizations must adopt AI-driven security solutions that can adapt, respond, and mitigate risks in real time.

We believe this recognition reinforces our commitment to innovation and our mission to secure the world’s most essential systems. This recognition reinforces our commitment to innovation and our mission to secure the world’s most essential systems.

® Download the full Gartner Magic Quadrant for CPS Protection Platforms

® Request a demo to see Darktrace OT in action.

Gartner, Magic Quadrant for CPS Protection Platforms , Katell Thielemann, Wam Voster, Ruggero Contu 12 February 2025

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner and Magic Quadrant and Peer Insights are a registered trademark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Your data. Our AI.
Elevate your network security with Darktrace AI