chat
expand_more

Adversary-in-the-Middle Tactics Elevate Dropbox Phishing Attack Capitalizing on Open Enrollment

Discover how Dropbox was exploited in a sophisticated phishing attack that leveraged AiTM tactics to steal credentials during the open enrollment period.
November 18, 2024

The classic indicators of phishing are quickly disappearing.

A recent campaign exploiting Dropbox’s trusted platform has emerged as a sophisticated example of the subtlety of modern attacks—blending genuine email elements with adversary-in-the-middle (AiTM) tactics to steal verified login credentials.

This attack, which targets employees by masquerading as a shared file notification from the company’s Human Resources department, highlights how today’s threat actors leverage well-known services to bypass legacy security and deceive end users into divulging sensitive information.

Breaking Down the Dropbox Phishing Attack

Typically when we deconstruct an email attack, we start by explaining that the sender’s address has been spoofed or that the email originated from a compromised account—i.e., we establish that the sender’s identity has been manipulated somehow. In this case, everything about the initial email is genuine.

It’s a verified email sent from Dropbox’s actual platform. The From address is legitimate—as is every link in the message.

Dropbox Open Enrollment Attack Email

Legitimate email sent by attacker via the Dropbox platform

The email claims “Human Resources” has shared a document regarding annual salary increases and open enrollment on Dropbox. Clicking the “View on Dropbox” button redirects the recipient to Dropbox’s official site, where they must enter their real Dropbox login credentials to view the shared file.

Dropbox Open Enrollment Attack Dropbox Login

Real Dropbox login screen, which recipient must sign into to view shared file

Upon logging in, they can view the document, which features a combination of impersonated Microsoft and Docusign branding to give the semblance of legitimacy. It also includes a note stating the file “contains sensitive information that has been encrypted” in an attempt to further reinforce the pretext that the document was really sent from the HR department.

Dropbox Open Enrollment Attack Dropbox File

Malicious file hosted on Dropbox posing as notice from HR

When the target clicks on either “REVIEW DOCUMENT” or “DOWNLOAD DOCUMENT”, they are redirected to a spoofed Microsoft OneDrive portal and prompted to provide their Microsoft login credentials.

Dropbox Open Enrollment Attack One Drive A

Fake Microsoft OneDrive portal with login prompt

After the recipient enters their username and password and clicks “Sign in”, they are taken to a page with an error claiming the message cannot be displayed and to try again in five minutes.

Dropbox Open Enrollment Attack One Drive Error

Error message displayed after target attempts to log into spoofed Microsoft portal

If the recipient is convinced that the login prompt is real and provides their username and password, the threat actor will capture, save, and exploit these credentials—potentially using them to infiltrate other applications or initiate additional attacks.

What Makes This Dropbox Phishing Attack Unique

To fully appreciate why this attack is noteworthy, we must evaluate it through two different lenses.

The first is in the context of how it compares to other advanced email attacks. As previously mentioned, the initial email is indistinguishable from an authentic Dropbox notification because everything about it is legitimate—except the intent behind it.

Further, unlike the vast majority of phishing attacks, the malicious link isn’t contained within the email. It exists within a separate document hosted on a genuine file-hosting service, and it’s only after the target leaves the email environment and engages with the shared file that they’re exposed to the phishing link.

These threats—which are referred to as file-sharing phishing attacks or "living-off-trusted-sites" (LOTS) attacks—take advantage of platforms like Dropbox, ShareFile, and Docusign that offer either free registration or no-charge trials, which allows threat actors to create and send emails via the platform at no cost.

File-sharing phishing attacks also capitalize on the fact that these services are generally used for higher-priority and time-sensitive documents. In addition, the notifications typically refer to topics that are timely and highly relevant to the target—salary increases and open enrollment, in this case.

What sets this attack apart even from other file-sharing phishing attempts is that the perpetrator takes extra measures to ensure the information entered into the spoofed Microsoft login portal is valid. They do this by leveraging adversary-in-the-middle attack (AiTM) frameworks, such as Modlishka or Evilginx2.

In an AiTM attack, the threat actor positions themselves between the victim and the legitimate authentication server, acting as an invisible proxy. This setup allows them to relay the provided credentials to Microsoft’s real login portal and capture the responses.

Dropbox Open Enrollment Attack One Drive B

Error message triggered by entering incorrect credentials

By executing an AiTM attack, the cybercriminal can validate the credentials in real time. This not only confirms the accuracy of the stolen credentials but also enables the attacker to capture session cookies. With these session cookies, the threat actor can bypass multi-factor authentication (MFA) and gain full, unauthorized access to the victim’s account as if they were the actual user.

Moreover, in most phishing attacks that utilize fake login portals, the page will often simply refresh after the target inputs their credentials and either prompt them to re-enter their information or display a blank screen. This can make the recipient concerned that something is awry and potentially compel them to take steps to prevent unauthorized access.

However, the strategy in this attack is different: an error stating that the message cannot be displayed can lead the target to believe they have completed the instructions correctly and that the issue lies with the page itself. This can minimize the chances of triggering any alarm bells in the target and, in turn, the likelihood that they will take preventative measures.

Why This Dropbox Attack is Difficult to Detect

Traditional security solutions rely on the concept of “if this, then that” and flag emails based on whether or not they are sent from a suspicious domain or contain known malicious components.

However, this Dropbox attack originated from a trusted sender, and the email body and embedded links are all legitimate. Additionally, the message is just the first stepping stone in a series that leads to the malicious link, which exists entirely outside the email environment. The architecture of this attack necessitates an ability to not only understand the context and intent of the message but also evaluate elements beyond the inbox.

Moving the attack out of the inbox not only reduces the likelihood of a legacy security tool detecting it but also increases the probability of deceiving employees. Security awareness training primarily focuses on teaching end users how to spot malicious emails—not how to spot malicious links embedded in innocuous documents shared via legitimate platforms like Dropbox.

Even the one suspicious element of the email (the generic file owner email address, employees-payroll@mail[.]com) is just nondescript enough to not immediately raise red flags. It’s also easily overlooked if you’re concentrating more on the filename and see the phrase “Annual Salary Increase.”

Stopping Open Enrollment Attacks with Behavioral AI

Today’s attackers know how to “hack the human” and are continually developing new strategies for manipulating employees. Implementing modern email security technology that pairs advanced behavioral science with risk-adaptive detection is the only surefire way to defend your organization.

Where legacy email security solutions utilize rules and policies to identify attacks, an AI-native, API-based email security platform like Abnormal takes a fundamentally different approach. Abnormal’s behavioral AI evaluates thousands of signals to establish a baseline for typical employee and vendor behavior, allowing it to accurately detect high-risk anomalies. This allows it to precisely detect and then automatically remediate email threats that traditional solutions miss—preventing end-user engagement and keeping your organization safe.


See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.

Schedule a Demo
Adversary-in-the-Middle Tactics Elevate Dropbox Phishing Attack Capitalizing on Open Enrollment

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Podcast Blog
Explore insights on AI, collaboration, career growth, and unforgettable stories from industry leaders shaping the future of cybersecurity.
Read More
B AI Vendor
Learn how to evaluate transparency, risks, scalability, and ethical considerations to make informed cybersecurity decisions.
Read More
B SOC Prod
Learn how AI-driven automation boosts SOC productivity by reducing false positives, addressing skills gaps, and enhancing threat detection. Discover strategies to future-proof your SOC and strengthen cybersecurity defenses.
Read More
B Proofpoint Customer Story F500 Insurance Provider
A Fortune 500 insurance provider blocked 6,454 missed attacks and saved 341 SOC hours per month by adding Abnormal to address gaps left by Proofpoint.
Read More
B Malicious AI Platforms Blog
What happened to WormGPT? Discover how AI tools like WormGPT changed cybercrime, why they vanished, and what cybercriminals are using now.
Read More
B MKT748 Open Graph Images for Cyber Savvy 7
Explore insights from Brian Markham, CISO at EAB, as he discusses cybersecurity challenges, building trust in education, adapting to AI threats, and his goals for the future. Learn how he and his team are working to make education smarter while prioritizing data security.
Read More