Adversaries may use Dropbox links hosted on third-party sites to exfiltrate data or deploy malware by masquerading as legitimate file downloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or malware distribution channels leveraging trusted file-sharing services.
KQL Query
```kusto
DeviceFileEvents
| where
Timestamp > ago(7d)
and FileOriginUrl startswith "https://dl.dropboxusercontent.com/"
and isnotempty(FileOriginReferrerUrl)
and FileOriginReferrerUrl !startswith "https://www.dropbox.com/"
| project FileOriginReferrerUrl, FileName
```
```yaml
id: de93670b-a1db-4c8c-80aa-5b3146428631
name: Dropbox downloads linked from other site
description: |
  This query looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site.
  File sharing sites such as Dropbox are often used for hosting malware on a reputable site.
  Read more about download URL data and about this attack vector in this blog post:
  https://techcommunity.microsoft.com/t5/Threat-Intelligence/Hunting-tip-of-the-month-Browser-downloads/td-p/220454
  Tags: #DownloadUrl, #Referer, #Dropbox
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
query: |
  DeviceFileEvents
  | where
  Timestamp > ago(7d)
  and FileOriginUrl startswith "https://dl.dropboxusercontent.com/"
  and isnotempty(FileOriginReferrerUrl)
  and FileOriginReferrerUrl !startswith "https://www.dropbox.com/"
  | project FileOriginReferrerUrl, FileName
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled Backup Job Downloading from Dropbox
Description: A system backup tool (e.g., Veeam, Acronis) is configured to download a backup script or configuration file from Dropbox as part of a scheduled job.
Filter/Exclusion: Exclude file downloads initiated by known backup tools (e.g., process.name = "veeam" or process.name = "acronis") or check for scheduled task execution context.
Scenario: Admin Using Dropbox Link for Internal File Sharing
Description: An admin shares a Dropbox link internally (e.g., via email or a company portal) to distribute a legitimate file (e.g., a policy document or software update).
Filter/Exclusion: Exclude downloads originating from internal IP ranges or from known admin tools (e.g., process.name = "powershell.exe" with admin privileges).
Scenario: CI/CD Pipeline Fetching Configuration from Dropbox
Description: A CI/CD tool (e.g., Jenkins, GitLab CI) pulls a configuration file or secret from Dropbox during a pipeline run.
Filter/Exclusion: Exclude file downloads from known CI/CD processes (e.g., process.name = "jenkins.exe" or process.name = "gitlab-runner") or check for pipeline execution context.
Scenario: User Downloading a File via a Bookmarklet or Bookmark
Description: A user clicks on a bookmark or bookmarklet that redirects to a Dropbox link, resulting in a download of a legitimate file (e.g., a PDF or document).
Filter/Exclusion: Exclude downloads from known bookmarklet scripts or user-initiated actions with a short time window (e.g., within 5 seconds of a browser action).
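To check the referrer logic of the query above, and the process-based exclusions suggested in the scenarios, against sample rows before changing the KQL, here is an added offline re-implementation in Python. It is example code, not part of the Sentinel query pack; the DeviceFileEvents rows, the `InitiatingProcessFileName` allowlist and the `.invalid` hostnames are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

DROPBOX_CONTENT = "https://dl.dropboxusercontent.com/"
DROPBOX_SITE = "https://www.dropbox.com/"
# Assumed allowlist mirroring the backup/CI scenarios; in KQL this would be
# an InitiatingProcessFileName !in (...) clause. Names are constructed.
KNOWN_PROCESSES = {"veeam.backup.manager.exe", "gitlab-runner.exe", "jenkins.exe"}

def matches_rule(event, now, lookback=timedelta(days=7)):
    """Mirror the KQL where-clause: within 7 days, Dropbox content URL,
    referrer present, and referrer not on www.dropbox.com itself."""
    if event["Timestamp"] < now - lookback:
        return False
    if not event["FileOriginUrl"].startswith(DROPBOX_CONTENT):
        return False
    ref = event.get("FileOriginReferrerUrl") or ""   # isnotempty()
    return bool(ref) and not ref.startswith(DROPBOX_SITE)

def hunt(events, now, exclude_processes=KNOWN_PROCESSES):
    """Apply the rule plus the process-based tuning, returning
    (referrer host, FileName, initiating process) for each residual hit."""
    hits = []
    for e in events:
        if not matches_rule(e, now):
            continue
        proc = e.get("InitiatingProcessFileName", "")
        if proc.lower() in exclude_processes:
            continue
        hits.append((urlparse(e["FileOriginReferrerUrl"]).netloc, e["FileName"], proc))
    return hits

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)

def _ev(hours_ago, referrer, name, proc, url=DROPBOX_CONTENT + "s/abc123/"):
    # Build one constructed DeviceFileEvents-like row.
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "FileOriginUrl": url + name,
            "FileOriginReferrerUrl": referrer, "FileName": name,
            "InitiatingProcessFileName": proc}

# Constructed sample rows: only the first should survive the tuned hunt.
SAMPLE_EVENTS = [
    _ev(2, "https://news.example-site.invalid/article", "invoice.zip", "chrome.exe"),
    _ev(3, "https://www.dropbox.com/s/abc123/report.pdf", "report.pdf", "msedge.exe"),
    _ev(4, "", "notes.docx", "chrome.exe"),
    _ev(5, "https://intranet.corp.invalid/jobs", "backup.ps1", "Veeam.Backup.Manager.exe"),
    _ev(24 * 9, "https://blog.example-site.invalid/post", "old.exe", "firefox.exe"),
]

if __name__ == "__main__":
    for host, name, proc in hunt(SAMPLE_EVENTS, NOW):
        print(f"{host}\t{name}\t{proc}")
```

Running `hunt` with an empty `exclude_processes` shows the backup-tool row reappearing, which is the trade-off each exclusion in the scenarios makes.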
Scenario: Dropbox Integration for Application Configuration
Description: An application (e.g., a custom app or