Blog
/
Email
/
March 8, 2024

Malicious Use of Dropbox in Phishing Attacks

Understand the tactics of phishing attacks that exploit Dropbox and learn how to recognize and mitigate these emerging cybersecurity threats.
Written by
Ryan Traill
Analyst Content Lead
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Ryan Traill
Analyst Content Lead
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
08
Mar 2024

Evolving Phishing Attacks

While email has long been the vector of choice for carrying out phishing attacks, threat actors, and their tactics, techniques, and procedures (TTPs), are continually adapting and evolving to keep pace with the emergence of new technologies that represent new avenues to exploit. As previously discussed by the Darktrace analyst team, several novel threats relating to the abuse of commonly used services and platforms were observed throughout 2023, including the rise of QR Code Phishing and the use of Microsoft SharePoint and Teams in phishing campaigns.

Dropbox Phishing Attacks

It should, therefore, come as no surprise that the malicious use of other popular services has gained traction in recent years, including the cloud storage platform Dropbox.

With over 700 million registered users [1], Dropbox has established itself as a leading cloud storage service celebrated for its simplicity in file storage and sharing, but in doing so it has also inadvertently opened a new avenue for threat actors to exploit. By leveraging the legitimate infrastructure of Dropbox, threat actors are able to carry out a range of malicious activities, from convincing their targets to unknowingly download malware to revealing sensitive information like login credentials.

Darktrace Detection of Dropbox Phishing Attack

Darktrace detected a malicious attempt to use Dropbox in a phishing attack in January 2024, when employees of a Darktrace customer received a seemingly innocuous email from a legitimate Dropbox address. Unbeknownst to the employees, however, a malicious link had been embedded in the contents of the email that could have led to a widespread compromise of the customer’s Software-as-a-Service (SaaS) environment. Fortunately for this customer, Darktrace / EMAIL quickly identified the suspicious emails and took immediate actions to stop them from being opened. If an email was accessed by an employee, Darktrace / IDENTITY was able to recognize any suspicious activity on the customer’s SaaS platform and bring it to the immediate detection of their security team.

Attack overview

Initial infection  

On January 25, 2024, Darktrace / EMAIL observed an internal user on a customer’s SaaS environment receiving an inbound email from ‘no-reply@dropbox[.]com’, a legitimate email address used by the Dropbox file storage service.  Around the same time 15 other employees also received the same email.

The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization. Although the email and the Dropbox endpoint were both legitimate, Darktrace identified that the PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, ‘mmv-security[.]top’.  

Darktrace understood that despite being sent from a legitimate service, the email’s initiator had never previously corresponded with anyone at the organization and therefore treated it with suspicion. This tactic, whereby a legitimate service sends an automated email using a fixed address, such as ‘no-reply@dropbox[.]com’, is often employed by threat actors attempting to convince SaaS users to follow a malicious link.

As there is very little to distinguish between malicious or benign emails from these types of services, they can often evade the detection of traditional email security tools and lead to disruptive account takeovers.

As a result of this detection, Darktrace / EMAIL immediately held the email, stopping it from landing in the employee’s inbox and ensuring the suspicious domain could not be visited. Open-source intelligence (OSINT) sources revealed that this suspicious domain was, in fact, a newly created endpoint that had been reported for links to phishing by multiple security vendors [2].

A few days later on January 29, the user received another legitimate email from ‘no-reply@dropbox[.]com’ that served as a reminder to open the previously shared PDF file. This time, however, Darktrace / EMAIL moved the email to the user’s junk file and applied a lock link action to prevent the user from directly following a potentially malicious link.

Figure 1: Anomaly indicators associated with the suspicious emails sent by ’no.reply@dropbox[.]com’, and the corresponding actions performed by Darktrace / EMAIL

Unfortunately for the customer in this case, their employee went on to open the suspicious email and follow the link to the PDF file, despite Darktrace having previously locked it.

Figure 2: Confirmation that the SaaS user read the suspicious email and followed the link to the PDF file hosted on Dropbox, despite it being junked and link locked.

Darktrace / NETWORK subsequently identified that the internal device associated with this user connected to the malicious endpoint, ‘mmv-security[.]top’, a couple of days later.

Further investigation into this suspicious domain revealed that it led to a fake Microsoft 365 login page, designed to harvest the credentials of legitimate SaaS account holders. By masquerading as a trusted organization, like Microsoft, these credential harvesters are more likely to appear trustworthy to their targets, and therefore increase the likelihood of stealing privileged SaaS account credentials.  

Figure 3: The fake Microsoft login page that the user was directed to after clicking the link in the PDF file.

Suspicious SaaS activity

In the days following the initial infection, Darktrace / IDENTITY began to observe a string of suspicious SaaS activity being performed by the now compromised Microsoft 365 account.

Beginning on January 31, Darktrace observed a number of suspicious SaaS logins from multiple unusual locations that had never previously accessed the account, including 73.95.165[.]113. Then on February 1, Darktrace detected unusual logins from the endpoints 194.32.120[.]40 and 185.192.70[.]239, both of which were associated with ExpressVPN indicating that threat actors may have been using a virtual private network (VPN) to mask their true location.

FIgure 4: Graph Showing several unusual logins from different locations observed by Darktrace/Apps on the affected SaaS account.

Interestingly, the threat actors observed during these logins appeared to use a valid multi-factor authentication (MFA) token, indicating that they had successfully bypassed the customer’s MFA policy. In this case, it appears likely that the employee had unknowingly provided the attackers with an MFA token or unintentionally approved a login verification request. By using valid tokens and meeting the necessary MFA requirements, threat actors are often able to remain undetected by traditional security tools that view MFA as the silver bullet. However, Darktrace’s anomaly-based approach to threat detection allows it to quickly identify unexpected activity on a device or SaaS account, even if it occurs with legitimate credentials and successfully passed authentication requirements, and bring it to the attention of the customer’s security team.

Shortly after, Darktrace observed an additional login to the SaaS account from another unusual location, 87.117.225[.]155, this time seemingly using the HideMyAss (HMA) VPN service. Following this unusual login, the actor was seen creating a new email rule on the compromised Outlook account. The new rule, named ‘….’, was intended to immediately move any emails from the organization’s accounts team directly to the ‘Conversation History’ mailbox folder. This is a tactic often employed by threat actors during phishing campaigns to ensure that their malicious emails (and potential responses to them) are automatically moved to less commonly visited mailbox folders in order to remain undetected on target networks. Furthermore, by giving this new email rule a generic name, like ‘….’ it is less likely to draw the attention of the legitimate account holder or the organizations security team.

Following this, Darktrace / EMAIL observed the actor sending updated versions of emails that had previously been sent by the legitimate account holder, with subject lines containing language like “Incorrect contract” and “Requires Urgent Review”, likely in an attempt to illicit some kind of follow-up action from the intended recipient.  This likely represented threat actors using the compromised account to send further malicious emails to the organization’s accounts team in order to infect additional accounts across the customer’s SaaS environment.

Unfortunately, Darktrace's Autonomous Response was not deployed in the customer’s SaaS environment in this instance, meaning that the aforementioned malicious activity did not lead to any mitigative actions to contain the compromise. Had Autonomous Response been enabled in fully autonomous mode at the time of the attack, it would have quickly moved to log out and disable the suspicious actor as soon as they had logged into the SaaS environment from an unusual location, effectively shutting down this account takeover attempt at the earliest opportunity.

Nevertheless, Darktrace / EMAIL's swift identification and response to the suspicious phishing emails, coupled with Darktrace / IDENTITY's detection of the unusual SaaS activity, allowed the customer’s security team to quickly identify the offending SaaS actor and take the account offline before the attack could escalate further

Conclusion

As organizations across the world continue to adopt third-party solutions like Dropbox into their day-to-day business operations, threat actors will, in turn, continue to seek ways to exploit these and add them to their arsenal. As illustrated in this example, it is relatively simple for attackers to abuse these legitimate services for malicious purposes, all while evading detection by endpoint users and security teams alike.

By leveraging these commonly used platforms, malicious actors are able to carry out disruptive cyber-attacks, like phishing campaigns, by taking advantage of legitimate, and seemingly trustworthy, infrastructure to host malicious files or links, rather than relying on their own infrastructure. While this tactic may bypass traditional security measures, Darktrace’s Self-Learning AI enables it to recognize unusual senders within an organization’s email environment, even if the email itself seems to have come from a legitimate source, and prevent them from landing in the target inbox. In the event that a SaaS account does become compromised, Darktrace is able to identify unusual login locations and suspicious SaaS activities and bring them to the attention of the customer for remediation.

In addition to the prompt identification of emerging threats, Darktrace's Autonomous Response is uniquely placed to take swift autonomous action against any suspicious activity detected within a customer’s SaaS environment, effectively containing any account takeover attempts in the first instance.

Credit to Ryan Traill, Threat Content Lead, Emily Megan Lim, Cyber Security Analyst

Appendices

Darktrace Model Detections  

- Model Breach: SaaS / Access::Unusual External Source for SaaS Credential Use

- Model Breach: SaaS / Unusual Activity::Multiple Unusual External Sources For SaaS Credential

- Model Breach: SaaS / Access::Unusual External Source for SaaS Credential Use

- Model Breach: SaaS / Access::Unusual External Source for SaaS Credential Use

- Model Breach: SaaS / Unusual Activity::Multiple Unusual SaaS Activities

- Model Breach: SaaS / Unusual Activity::Unusual MFA Auth and SaaS Activity

- Model Breach: SaaS / Compromise::Unusual Login and New Email Rule

- Model Breach: SaaS / Compliance::Anomalous New Email Rule

- Model Breach: SaaS / Compliance::New Email Rule

- Model Breach: SaaS / Compromise::SaaS Anomaly Following Anomalous Login

- Model Breach: Device / Suspicious Domain

List of Indicators of Compromise (IoCs)

Domain IoC

mmv-security[.]top’ - Credential Harvesting Endpoint

IP Address

73.95.165[.]113 - Unusual Login Endpoint

194.32.120[.]40 - Unusual Login Endpoint

87.117.225[.]155 - Unusual Login Endpoint

MITRE ATT&CK Mapping

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.004 - Cloud Accounts

DISCOVERY

T1538 - Cloud Service Dashboard

RESOURCE DEVELOPMENT

T1586 - Compromise Accounts

CREDENTIAL ACCESS

T1539 - Steal Web Session Cookie

PERSISTENCE

T1137 - Outlook Rules

INITIAL ACCESS

T156.002 Spearphishing Link

Written by
Ryan Traill
Analyst Content Lead
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Ryan Traill
Analyst Content Lead

Phantom Footprints: Tracking GhostSocks Malware

Network
March 26, 2026
Isabel Evans
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
State of AI Cybersecurity 2026: 92% of security professionals concerned about the impact of AI agents
Mar 26, 2026
4
Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace
Dec 15, 2025
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
Email
March 24, 2026

Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom

Introducing the adaptive era of email security: a unified platform that connects personalized coaching, collaboration tools, and user behavior into a self-improving defense system.
Carlos Gray
Senior Product Marketing Manager, Email
Read more
Email
December 18, 2025

Why Organizations are Moving to Label-free, Behavioral DLP for Outbound Email

Modern data loss doesn’t always look like a regex match. It can look like everyday communication slightly out of context. Here’s how a domain specific language model paired with behavioral learning protects labeled and unlabeled data without slowing business down.
Carlos Gray
Senior Product Marketing Manager, Email
Read more
Email
December 15, 2025

Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace

During a customer trial of Darktrace / EMAIL and Darktrace / IDENTITY, Darktrace detected an adversary-in-the-middle (AiTM) attack that compromised a user’s Office 365 account via a business email compromise (BEC) phishing email. Following the breach, the compromised account was used to launch both internal and external phishing campaigns.
David Ison
Cyber Analyst
Read more

Blog

/

Network

/

April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Chinese-Nexus Cyber OperationsDefault blog imageDefault blog image

Cybersecurity has traditionally organized risk around incidents, breaches, campaigns, and threat groups. Those elements still matter—but if we fixate on individual incidents, we risk missing the shaping of the entire ecosystem. Nation‑state–aligned operators are increasingly using cyber operations to establish long-term strategic leverage, not just to execute isolated attacks or short‑term objectives.  

Our latest research, Crimson Echo, shifts the lens accordingly. Instead of dissecting campaigns, malware families, or actor labels as discrete events, the threat research team analyzed Chinese‑nexus activity as a continuum of behaviors over time. That broader view reveals how these operators position themselves within environments: quietly, patiently, and persistently—often preparing the ground long before any recognizable “incident” occurs.  

How Chinese-nexus cyber threats have changed over time

Chinese-nexus cyber activity has evolved in four phases over the past two decades. This ranges from early, high-volume operations in the 1990s and early 2000s to more structured, strategically-aligned activity in the 2010s, and now toward highly adaptive, identity-centric intrusions.  

Today’s phase is defined by scale, operational restraint, and persistence. Attackers are establishing access, evaluating its strategic value, and maintaining it over time. This reflects a broader shift: cyber operations are increasingly integrated into long-term economic and geopolitical strategies. Access to digital environments, specifically those tied to critical national infrastructure, supply chains, and advanced technology, has become a form of strategic leverage for the long-term.  

How Darktrace analysts took a behavioral approach to a complex problem

One of the challenges in analyzing nation-state cyber activity is attribution. Traditional approaches often rely on tracking specific threat groups, malware families, or infrastructure. But these change constantly, and in the case of Chinese-nexus operations, they often overlap.

Crimson Echo is the result of a retrospective analysis of three years of anomalous activity observed across the Darktrace fleet between July 2022 and September 2025. Using behavioral detection, threat hunting, open-source intelligence, and a structured attribution framework (the Darktrace Cybersecurity Attribution Framework), the team identified dozens of medium- to high-confidence cases and analyzed them for recurring operational patterns.  

This long-horizon, behavior-centric approach allows Darktrace to identify consistent patterns in how intrusions unfold, reinforcing that behavioral patterns that matter.  

What the data shows

Several clear trends emerged from the analysis:

  • Targeting is concentrated in strategically important sectors. Across the dataset, 88% of intrusions occurred in organizations classified as critical infrastructure, including transportation, critical manufacturing, telecommunications, government, healthcare, and Information Technology (IT) services.  
  • Strategically important Western economies are a primary focus. The US alone accounted for 22.5% of observed cases, and when combined with major European economies including Germany, Italy, Spain and the UK, over half of all intrusions (55%) were concentrated in these regions.  
  • Nearly 63% of intrusions of intrusions began with the exploitation of internet-facing systems, reinforcing the continued risk posed by externally exposed infrastructure.  

Two models of cyber operations

Across the dataset, Chinese-nexus activity followed two operational models.  

The first is best described as “smash and grab.” These are short-horizon intrusions optimized for speed. Attackers move quickly – often exfiltrating data within 48 hours – and prioritize scale over stealth. The median duration of these compromises is around 10 days. It’s clear they are willing to risk detection for short-term gain.  

The second is “low and slow.” These operations were less prevalent in the dataset, but potentially more consequential. Here, attackers prioritize persistence, establishing durable access through identity systems and legitimate administrative tools, so they can maintain access undetected for months or even years. In one notable case, the actor had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days after. The operational pause underscores both the depth of the intrusion and the actor’s long‑term strategic intent. This suggests that cyber access is a strategic asset to preserve and leverage over time, and we observed these attacks most often inin sectors of the high strategic importance.  

It’s important to note that the same operational ecosystem can employ both models concurrently, selecting the appropriate model based on target value, urgency, intended access. The observation of a “smash and grab” model should not be solely interpreted as a failure of tradecraft, but instead an operational choice likely aligned with objectives. Where “low and slow” operations are optimized for patience, smash and grab is optimized for speed; both seemingly are deliberate operational choices, not necessarily indicators of capability.  

Rethinking cyber risk

For many organizations, cyber risk is still framed as a series of discrete events. Something happens, it is detected and contained, and the organization moves on. But persistent access, particularly in deeply interconnected environments that span cloud, identity-based SaaS and agentic systems, and complex supply chain networks, creates a major ongoing exposure risk. Even in the absence of disruption or data theft, that access can provide insight into operations, dependencies, and strategic decision-making. Cyber risk increasingly resembles long-term competitive intelligence.  

This has impact beyond the Security Operations Center. Organizations need to shift how they think about governance, visibility, and resilience, and treat cyber exposure as a structural business risk instead of an incident response challenge.  

What comes next

The goal of this research is to provide a clearer understanding of how these operations work, so defenders can recognize them earlier and respond more effectively. That includes shifting from tracking indicators to understanding behaviors, treating identity providers as critical infrastructure risks, expanding supplier oversight, investing in rapid containment capabilities, and more.  

Learn more about the findings of Darktrace’s latest research, Crimson Echo: Understanding Chinese-nexus Cyber Operations Through Behavioral Analysis, by downloading the full report and summaries for business leaders, CISOs, and SOC analysts here.  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

Proactive Security

/

April 1, 2026

AI-powered security for a rapidly growing grocery enterprise

Default blog imageDefault blog image

Protecting a complex, fast-growing retail organization

For this multi-banner grocery holding organization, cybersecurity is considered an essential business enabler, protecting operations, growth, and customer trust. The organization’s lean IT team manages a highly distributed environment spanning corporate offices, 100+ stores, distribution centers and  thousands of endpoints, users, and third-party connections.

Mergers and acquisitions fueled rapid growth, but they also introduced escalating complexity that constrained visibility into users, endpoints, and security risks inherited across acquired environments.

Closing critical visibility gaps with limited resources

Enterprise-wide visibility is a top priority for the organization, says the  Vice President of Information Technology. “We needed insights beyond the perimeter into how users and devices were behaving across the organization.”

A security breach that occurred before the current IT leadership joined the company reinforced the urgency and elevated cybersecurity to an executive-level priority with a focus on protecting customer trust. The goal was to build a multi-layered security model that could deliver autonomous, enterprise-wide protection without adding headcount.

Managing cyber risk in M&A

Mergers and acquisitions are central to the grocery holding company’s growth strategy. But each transaction introduces new cyber risk, including inherited network architectures, inconsistent tooling, excessive privileges, and remnants of prior security incidents that were never fully remediated.

“Our M&A targets range from small chains with a single IT person and limited cyber tools to large chains with more developed IT teams, toolsets and instrumentation,” explains the VP of IT. “We needed a fast, repeatable, and reliable way to assess cyber risk before transactions closed.”

AI-driven security built for scale, speed, and resilience

Rather than layering additional point tools onto an already complex environment, the retailer adopted the Darktrace ActiveAI Security Platform™ in 2020 as part of a broader modernization effort to improve resilience, close visibility gaps, and establish a security foundation that could scale with growth.

“Darktrace’s AI-driven approach provided the ideal solution to these challenges,” shares the VP of IT. “It has empowered our organization to maintain a robust security strategy, ensuring the protection of our network and the smooth operation of our business.”

Enterprise-wide visibility into traffic  

By monitoring both north-south and east-west traffic and applying Self-Learning AI, Darktrace develops a dynamic understanding of how users and devices normally behave across locations, roles, and systems.

“Modeling normal behavior across the environment enables us to quickly spot behavior that doesn’t fit. Even subtle changes that could signal a threat but appear legitimate at first glance,” explains the VP of IT.

Real-time threat containment, 24/7

Adopting autonomous response has created operational breathing room for the security team, says the company’s Cybersecurity  Engineer.

“Early on, we enabled full Darktrace autonomous mode and we continue to do so today,” shares the IT Security Architect. “Allowing the technology to act first gives us the time we need to investigate incidents during business hours without putting the business at risk.”

Unified, actionable view of security ecosystem

The grocery retailer integrated Darktrace with its existing security ecosystem of firewalls, vulnerability management tools, and endpoint detection and response, and the VP of IT described the adoption process as “exceptionally smooth.”

The team can correlate enterprise-wide security data for a unified and actionable picture of all activity and risk. Using this “single pane of glass” approach, the retailer trains Level 1 and Level 2 operations staff to assist with investigations and user follow-ups, effectively extending the reach of the security function without expanding headcount.

From reactive defense to security at scale

With Darktrace delivering continuous visibility, autonomous containment, and integrated security workflows, the organization has strengthened its cybersecurity posture while improving operational efficiency. The result is a security model that not only reduces risk, but also supports growth, resilience, and informed decision-making at the business level.

Faster detection, faster resolution

With autonomous detection and response, the retailer can immediately contain risk while analysts investigate and validate activity. With this approach, the company can maintain continuous protection even outside business hours and reduce the chance of lateral spread across systems or locations.

Enterprise-grade protection with a lean team

From cloud environments to clients to SaaS collaboration tools, Darktrace provides holistic autonomous AI defense, processing petabytes of the organization’s network traffic and investigating millions of individual events that could be indicative of a wider incident.

Today, Darktrace autonomously conducts the majority of all investigations on behalf of the IT team, escalating only a tiny fraction for analyst review. The impact has been profound, freeing analysts from endless alerts and hours of triage so they can focus on more valuable, proactive, and gratifying work.

“From an operational perspective, Darktrace gives us time back,” says the Cybersecurity Engineer. More importantly, says the VP of IT, “it gives us peace of mind that we’re protected even if we’re not actively monitoring every alert.”

A strategic input for M&A decision-making

One of the most strategic outcomes has been the role of cybersecurity on M&A. 90 days prior to closing a transaction, the security team uses Darktrace alongside other tools to perform a cyber risk assessment of the potential acquisition. “Our approach with Darktrace has consistently identified gaps and exposed risks,” says the VP of IT, including:

  • Remnants of previous incidents that were never fully remediated
  • Network configurations with direct internet exposure
  • Excessive administrative privileges in Active Directory or on critical hosts

While security findings may not alter deal timelines, the VP of IT says they can have enormous business implications. “With early visibility into these risks, we can reduce exposure to inherited cyber threats, strengthen our position during negotiations, and establish clear remediation requirements.”

A security strategy built to evolve with the business

As the holding group expands its cloud footprint, it will extend Darktrace protections into Azure, applying the same AI-driven visibility and autonomous response to cloud workloads. The VP of IT says Darktrace's evolving capabilities will be instrumental in addressing the organization’s future cybersecurity needs and ability to adapt to the dynamic nature of cloud security.

“With Darktrace’s AI-driven approach, we have moved beyond reactive defense, establishing a resilient security foundation for confident expansion and modernization.”

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI