Adversaries may use Dropbox to exfiltrate data or share malicious files as part of business email compromise tactics. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential exfiltration channels and mitigate BEC attacks early.
KQL Query

```kusto
CloudAppEvents
| where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
| where Application == "Dropbox"
| where ObjectType == "File"
| extend FileShared = tostring(ObjectName)
| where isnotempty(FileShared)
| mv-expand ActivityObjects
| where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
| extend SharedBy = AccountId
| extend UserSharedWith = tostring(ActivityObjects.Name)
| summarize dcount(UserSharedWith) by FileShared, AccountObjectId
| where dcount_UserSharedWith >= 20
```
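To make the hunt's logic concrete outside Sentinel, here is an added Python example (not part of this page or the Microsoft query) that replays the same filter, mv-expand and distinct-recipient count over constructed CloudAppEvents-style records; the records, the sharer ids and the threshold default are assumptions for illustration.

```python
from collections import defaultdict

# Same ActionType values the KQL query matches on.
SHARE_ACTIONS = (
    "Added users and/or groups to shared file/folder",
    "Invited user to Dropbox and added them to shared file/folder",
)

def mass_share_hunt(events, threshold=20):
    """Mirror the KQL: keep Dropbox file-share events, expand ActivityObjects,
    keep Account objects with Role "To", and count distinct recipients per
    (FileShared, AccountObjectId). Returns only pairs at or above threshold."""
    recipients = defaultdict(set)
    for ev in events:
        if ev.get("ActionType") not in SHARE_ACTIONS or ev.get("Application") != "Dropbox":
            continue
        if ev.get("ObjectType") != "File":
            continue
        file_shared = str(ev.get("ObjectName") or "")
        if not file_shared:  # isnotempty(FileShared)
            continue
        for obj in ev.get("ActivityObjects", []):  # mv-expand ActivityObjects
            if obj.get("Type") == "Account" and obj.get("Role") == "To":
                recipients[(file_shared, ev["AccountObjectId"])].add(str(obj.get("Name")))
    return {key: len(names) for key, names in recipients.items() if len(names) >= threshold}

def _share(file_name, sharer, names, app="Dropbox", obj_type="File", action=SHARE_ACTIONS[0]):
    """Build one constructed CloudAppEvents-like record (not real telemetry)."""
    return {
        "ActionType": action, "Application": app, "ObjectType": obj_type,
        "ObjectName": file_name, "AccountObjectId": sharer,
        "ActivityObjects": [{"Type": "Account", "Role": "From", "Name": sharer}]
        + [{"Type": "Account", "Role": "To", "Name": n} for n in names],
    }

# Constructed sample: two overlapping shares of one file by one sharer (22 distinct
# recipients in total), a small benign share, and two rows the query must ignore.
SAMPLE_EVENTS = [
    _share("Invoice_Q3.pdf", "sharer-001", [f"user{i}@example.com" for i in range(12)]),
    _share("Invoice_Q3.pdf", "sharer-001", [f"user{i}@example.com" for i in range(8, 22)], action=SHARE_ACTIONS[1]),
    _share("team_notes.docx", "sharer-002", ["a@example.com", "b@example.com"]),
    _share("Invoice_Q3.pdf", "sharer-003", [f"u{i}@example.com" for i in range(30)], app="OneDrive"),
    _share("Shared Folder", "sharer-001", [f"g{i}@example.com" for i in range(30)], obj_type="Folder"),
]

if __name__ == "__main__":
    for (file_shared, sharer), count in mass_share_hunt(SAMPLE_EVENTS).items():
        print(f"{file_shared} shared by {sharer} with {count} distinct accounts")
```

Note that recipients are de-duplicated across events, as dcount() does, so repeated invitations to the same accounts do not inflate the count.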
```yaml
id: 6e056084-8951-460d-93f9-525880062de9
name: BEC - File sharing tactics - Dropbox
description: |
  This query helps hunt for BEC - File sharing tactics - Dropbox
description-detailed: |
  This query helps hunt for BEC file sharing tactics on Dropbox.
  It highlights that a file hosted on Dropbox has been shared with multiple participants.
  Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - LateralMovement
relevantTechniques:
  - T1021
query: |
  CloudAppEvents
  | where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
  | where Application == "Dropbox"
  | where ObjectType == "File"
  | extend FileShared = tostring(ObjectName)
  | where isnotempty(FileShared)
  | mv-expand ActivityObjects
  | where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
  | extend SharedBy = AccountId
  | extend UserSharedWith = tostring(ActivityObjects.Name)
  | summarize dcount(UserSharedWith) by FileShared, AccountObjectId
  | where dcount_UserSharedWith >= 20
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
The exclusions below are written with endpoint-style field names (process.name, file.path, user.name) rather than CloudAppEvents columns, so map them to the columns the query actually returns (for example AccountObjectId and ObjectName) before appending them to the hunt. Each filter is the condition a row must satisfy to stay in the results.

Scenario: Scheduled Dropbox Backup Job
Description: A legitimate scheduled backup job is using Dropbox to sync critical system files.
Filter/Exclusion: NOT (process.name in ("dropbox", "dropbox.exe") AND process.parent.name == "task scheduler")

Scenario: Admin User Uploading Configuration Files
Description: A system administrator is uploading configuration files to a shared Dropbox folder for team access.
Filter/Exclusion: user.name != "admin_user" OR file.path != "shared/configs"

Scenario: Dropbox Integration with Internal Tools
Description: An internal tool (e.g., Jenkins, Ansible) is using the Dropbox API to store build artifacts or logs.
Filter/Exclusion: NOT (process.name in ("ansible", "jenkins") AND process.parent.name == "dropbox")

Scenario: Dropbox Sync for Development Environment
Description: Developers are syncing code repositories via Dropbox for collaboration in a development environment.
Filter/Exclusion: file.path != "dev/repo" OR user.name != "dev_team"

Scenario: Dropbox Used for File Sharing Between Teams
Description: Teams are using Dropbox to share files internally, which is a common and legitimate practice.
Filter/Exclusion: file.path != "shared/team_files" OR (user.name != "team_a" AND user.name != "team_b")