Abnormal Attack Stories: COVID-19 Relief Phishing Through Dropbox Transfer

June 10, 2020

Abnormal Security


In this attack, the attackers impersonate government efforts to provide relief funds to small business owners in order to harvest Microsoft credentials.

Quick Summary

  • Platform: Dropbox Transfer
  • # Mailboxes: < 5,000
  • Email Gateway: Dropbox
  • Victims: Small Business Owners
  • Payload: Phishing
  • Technique: Impersonation

What was the attack?

  • Setup: This attack exploits current government efforts to provide relief funds to small business owners affected by COVID-19 closures and shelter-in-place orders. Although the requirements vary by country, applicants do have to provide documents proving their eligibility. Since applicants are expecting email correspondence about their applications, attackers have an opportunity to impersonate legitimate authorities and extract sensitive information from them.
  • Email attack: The email itself is an automated message from the sender “no-reply@dropbox.com”, which is an official Dropbox address. The body contains a link to a file named “COVID-19-Relief-Payment.PDF” together with the size of the file, a brief description, and an expiration date.
  • Payload: This attack is a two-step process.
    • In the first step, the link in the email leads to a standard Dropbox Transfer landing page with a download button. Clicking the download button redirects the browser to a phishing landing page hosted outside Dropbox.
    • In the second step, the landing page shows an Office 365 image with an “Access Document” button. This is where the intent is revealed: the page is a credential-harvesting form for the user’s Microsoft account.
  • Result: The moment the end user submits the form, the attacker holds their Microsoft credentials, and with them access to every service that account or password protects. Ultimately, this can lead to financial loss for the organization.

Why is this attack effective?

  • Urgency: The message “Heads up, this transfer expires in 4 days on June 10, 2020.” communicates a sense of urgency: if the user doesn’t download the file within the given timeframe, the file will expire and they may assume the opportunity to receive relief funding will be missed or delayed.
  • Convincing sender: Even for vigilant email recipients who check the sender address, an automated message from the dropbox.com domain looks innocuous enough to at least click on the links provided.
  • Legitimate email headers: This attack is harder to catch because, by using Dropbox Transfer to send the file, the attacker does not need to spoof headers: the message genuinely originates from Dropbox, so the sender domain and its authentication results are legitimate. Because the link in the email points to dropbox.com, a domain most organizations allow, traditional mail filters and existing web proxy and firewall controls that rely on sender or URL reputation will not flag it. This is also convenient for attackers because they can deliver the payload without ever having to check whether the targeted network accepts inbound SMTP from their own infrastructure or testing its firewalls and proxies.
  • Expected correspondence: For users that have applied for relief funds, this type of correspondence would be expected since paperwork is required for the applications.
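Because the sender, headers and first-hop URL are all genuinely Dropbox, a detector has to look at content and at where the link chain ends rather than at reputation. The script below is an added example written for this page, not Abnormal Security’s detection logic. The notification email, the redirect chain and the landing-page HTML are constructed to mirror the attack described above; the hostname `phish.example.net`, the transfer IDs and the `FAKE_WEB` lookup table are hypothetical stand-ins for a real link-following fetch.

```python
"""Content-based triage of a Dropbox Transfer lure (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed notification email mirroring the page's description (not real Dropbox mail).
SAMPLE_EML = """From: Dropbox Transfer <no-reply@dropbox.com>
To: owner@smallbiz.example
Subject: COVID-19-Relief-Payment.PDF was sent to you
Content-Type: text/plain

COVID-19-Relief-Payment.PDF (412 KB)
Relief payment eligibility form - please download and complete.
Heads up, this transfer expires in 4 days on June 10, 2020.
https://www.dropbox.com/t/example-transfer-id
"""

# Constructed benign transfer for comparison: same sender, same expiry notice, stays on Dropbox.
BENIGN_EML = """From: Dropbox Transfer <no-reply@dropbox.com>
To: owner@smallbiz.example
Subject: Q2-Invoices.zip was sent to you
Content-Type: text/plain

Q2-Invoices.zip (3.1 MB)
Heads up, this transfer expires in 7 days on June 17, 2020.
https://www.dropbox.com/t/benign-transfer-id
"""

# Hypothetical web: url -> (status, redirect target or page body). Simulates the two-step
# payload: the Dropbox Transfer page redirects off-platform to a credential form.
FAKE_WEB = {
    "https://www.dropbox.com/t/example-transfer-id": (302, "https://phish.example.net/o365/"),
    "https://phish.example.net/o365/": (200, '<img src="o365.png"><form method="post">'
        '<input name="password" type="password"><button>Access Document</button></form>'),
    "https://www.dropbox.com/t/benign-transfer-id": (200, '<a href="/download">Download</a>'),
}

LURE_TERMS = ("covid", "relief", "stimulus", "payment", "grant")
URGENCY_RE = re.compile(r"expires in \d+ days?", re.I)
CRED_FORM_RE = re.compile(r'<form[^>]*>.*?type=["\']password["\']', re.I | re.S)
LINK_RE = re.compile(r"https?://\S+")


def follow_chain(url, web, max_hops=5):
    """Follow HTTP redirects through the simulated web; return (final_url, body)."""
    for _ in range(max_hops):
        status, payload = web[url]
        if status in (301, 302, 303, 307, 308):
            url = payload
        else:
            return url, payload
    raise ValueError("too many redirects")


def is_dropbox_host(host):
    return host == "dropbox.com" or host.endswith(".dropbox.com")


def triage(raw_eml, web):
    """Return a dict of findings and a verdict for one transfer notification."""
    msg = message_from_string(raw_eml)
    _, sender = parseaddr(msg["From"])
    body = msg.get_payload()
    findings = {
        # The sender domain really is dropbox.com, so header/auth checks alone pass.
        "legit_sender": sender.lower().endswith("@dropbox.com"),
        "lure_terms": [t for t in LURE_TERMS if t in body.lower()],
        # Every Dropbox Transfer carries an expiry, so urgency is present on benign mail too.
        "urgency": bool(URGENCY_RE.search(body)),
        "offplatform_final": False,
        "credential_form": False,
    }
    for link in LINK_RE.findall(body):
        final_url, page = follow_chain(link, web)
        host = urlparse(final_url).hostname or ""
        if not is_dropbox_host(host):
            findings["offplatform_final"] = True
            findings["credential_form"] = bool(CRED_FORM_RE.search(page))
    # Verdict hinges on the link chain leaving Dropbox, not on sender or urgency.
    suspicious = findings["offplatform_final"] and (
        findings["credential_form"] or len(findings["lure_terms"]) >= 2)
    findings["verdict"] = "phish" if suspicious else "benign"
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_EML, FAKE_WEB))
    print(triage(BENIGN_EML, FAKE_WEB))
```

The benign case is deliberately included: it has the same legitimate sender and the same “expires in N days” notice, so neither of those is a usable signal on its own. What separates the lure is the download redirecting to a non-Dropbox host that serves a password form, combined with the relief-payment keywords in the file name and description.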


[Figure: Targeted Email Attack]

[Figure: Payload: Step 1]

[Figure: Payload: Step 2]

[Figure: Techniques to Detect]
