Adversary-in-the-Middle Tactics Elevate Dropbox Phishing Attack Capitalizing on Open Enrollment
The classic indicators of phishing are quickly disappearing.
A recent campaign exploiting Dropbox’s trusted platform has emerged as a sophisticated example of the subtlety of modern attacks—blending genuine email elements with adversary-in-the-middle (AiTM) tactics to steal verified login credentials.
This attack, which targets employees by masquerading as a shared file notification from the company’s Human Resources department, highlights how today’s threat actors leverage well-known services to bypass legacy security and deceive end users into divulging sensitive information.
Breaking Down the Dropbox Phishing Attack
Typically when we deconstruct an email attack, we start by explaining that the sender’s address has been spoofed or that the email originated from a compromised account—i.e., we establish that the sender’s identity has been manipulated somehow. In this case, everything about the initial email is genuine.
It’s a verified email sent from Dropbox’s actual platform. The From address is legitimate—as is every link in the message.
The email claims “Human Resources” has shared a document regarding annual salary increases and open enrollment on Dropbox. Clicking the “View on Dropbox” button redirects the recipient to Dropbox’s official site, where they must enter their real Dropbox login credentials to view the shared file.
Upon logging in, they can view the document, which features a combination of impersonated Microsoft and Docusign branding to give the semblance of legitimacy. It also includes a note stating the file “contains sensitive information that has been encrypted” in an attempt to further reinforce the pretext that the document was really sent from the HR department.
When the target clicks on either “REVIEW DOCUMENT” or “DOWNLOAD DOCUMENT”, they are redirected to a spoofed Microsoft OneDrive portal and prompted to provide their Microsoft login credentials.
After the recipient enters their username and password and clicks “Sign in”, they are taken to a page with an error claiming the message cannot be displayed and to try again in five minutes.
If the recipient is convinced that the login prompt is real and provides their username and password, the threat actor will capture, save, and exploit these credentials—potentially using them to infiltrate other applications or initiate additional attacks.
What Makes This Dropbox Phishing Attack Unique
To fully appreciate why this attack is noteworthy, we must evaluate it through two different lenses.
The first is in the context of how it compares to other advanced email attacks. As previously mentioned, the initial email is indistinguishable from an authentic Dropbox notification because everything about it is legitimate—except the intent behind it.
Further, unlike the vast majority of phishing attacks, the malicious link isn’t contained within the email. It exists within a separate document hosted on a genuine file-hosting service, and it’s only after the target leaves the email environment and engages with the shared file that they’re exposed to the phishing link.
These threats—which are referred to as file-sharing phishing attacks or “living-off-trusted-sites” (LOTS) attacks—take advantage of platforms like Dropbox, ShareFile, and Docusign that offer either free registration or no-charge trials, which allows threat actors to create and send emails via the platform at no cost.
File-sharing phishing attacks also capitalize on the fact that these services are generally used for higher-priority and time-sensitive documents. In addition, the notifications typically refer to topics that are timely and highly relevant to the target—salary increases and open enrollment, in this case.
What sets this attack apart even from other file-sharing phishing attempts is that the perpetrator takes extra measures to ensure the information entered into the spoofed Microsoft login portal is valid. They do this by leveraging adversary-in-the-middle (AiTM) attack frameworks, such as Modlishka or Evilginx2.
In an AiTM attack, the threat actor positions themselves between the victim and the legitimate authentication server, acting as an invisible proxy. This setup allows them to relay the provided credentials to Microsoft’s real login portal and capture the responses.
By executing an AiTM attack, the cybercriminal can validate the credentials in real time. This not only confirms the accuracy of the stolen credentials but also enables the attacker to capture session cookies. With these session cookies, the threat actor can bypass multi-factor authentication (MFA) and gain full, unauthorized access to the victim’s account as if they were the actual user.
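One consequence of the proxy design described above is visible on the defender's side: the identity provider records the interactive login from the proxy host, and the stolen session token is then used from wherever the attacker imports it, usually a different network and browser within minutes. The following script is an added example for this post, not code from the original article or from Abnormal, Microsoft, Evilginx2 or Modlishka. It runs a session-replay heuristic over constructed sign-in events; the JSON field names (ts, user, session_id, ip, asn, ua, event, mfa) are assumptions for illustration, and real providers name these fields differently.

```python
"""Detect possible AiTM session-cookie replay in identity-provider sign-in logs.

Added example for this post; it is not code from the original article or from
Abnormal, Microsoft, Evilginx2 or Modlishka. The log format is constructed:
one JSON object per line with the fields ts, user, session_id, ip, asn, ua,
event ("interactive_login" or "token_use") and mfa. Real providers use
different field names; the heuristic is what matters.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Session S1 shows the pattern an AiTM proxy produces:
# the interactive, MFA-satisfied login arrives from the proxy host, and the
# resulting session token is then used within minutes from another network
# and browser. Session S2 is an ordinary user staying on one device.
SAMPLE_LOG = """\
{"ts": "2024-10-21T14:02:10Z", "user": "j.doe@example.com", "session_id": "S1", "ip": "203.0.113.7", "asn": 64500, "ua": "Chrome/118 Windows", "event": "interactive_login", "mfa": true}
{"ts": "2024-10-21T14:05:41Z", "user": "j.doe@example.com", "session_id": "S1", "ip": "198.51.100.23", "asn": 64511, "ua": "Chrome/117 Linux", "event": "token_use", "mfa": false}
{"ts": "2024-10-21T14:06:02Z", "user": "j.doe@example.com", "session_id": "S1", "ip": "198.51.100.23", "asn": 64511, "ua": "Chrome/117 Linux", "event": "token_use", "mfa": false}
{"ts": "2024-10-21T15:10:00Z", "user": "a.smith@example.com", "session_id": "S2", "ip": "192.0.2.44", "asn": 64496, "ua": "Edge/118 Windows", "event": "interactive_login", "mfa": true}
{"ts": "2024-10-21T15:40:00Z", "user": "a.smith@example.com", "session_id": "S2", "ip": "192.0.2.44", "asn": 64496, "ua": "Edge/118 Windows", "event": "token_use", "mfa": false}
"""


def parse_log(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_session_replays(events, window=timedelta(hours=1)):
    """Return one alert per (user, session) whose token, minted by an
    interactive login, is used from a different ASN *and* a different
    user agent within `window` of that login.

    Requiring both an ASN change and a user-agent change keeps a laptop that
    roams between Wi-Fi and a mobile hotspot from tripping the rule alone.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[(event["user"], event["session_id"])].append(event)

    alerts = []
    for (user, session_id), session_events in by_session.items():
        logins = [e for e in session_events if e["event"] == "interactive_login"]
        if not logins:
            continue  # the originating login is outside this log window
        origin = logins[0]
        for event in session_events:
            if event["event"] != "token_use":
                continue
            if event["ts"] - origin["ts"] > window:
                continue
            if event["asn"] != origin["asn"] and event["ua"] != origin["ua"]:
                alerts.append({
                    "user": user,
                    "session_id": session_id,
                    "login_ip": origin["ip"],
                    "replay_ip": event["ip"],
                    "seconds_after_login": int((event["ts"] - origin["ts"]).total_seconds()),
                })
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two points worth keeping in mind when adapting this to real logs. First, because the proxy terminates the victim's connection, the login event itself already carries the proxy's address rather than the employee's usual network, so a per-user baseline of normal ASNs is a complementary check to the replay rule shown here. Second, the alert identifies a session, not just a password: the response is to revoke that session (and the refresh tokens issued with it) in addition to resetting the credential, since a password change alone does not invalidate a token the attacker already holds.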
Moreover, in most phishing attacks that utilize fake login portals, the page will often simply refresh after the target inputs their credentials and either prompt them to re-enter their information or display a blank screen. This can make the recipient concerned that something is awry and potentially compel them to take steps to prevent unauthorized access.
However, the strategy in this attack is different: an error stating that the message cannot be displayed can lead the target to believe they have completed the instructions correctly and that the issue lies with the page itself. This can minimize the chances of triggering any alarm bells in the target and, in turn, the likelihood that they will take preventative measures.
Why This Dropbox Attack Is Difficult to Detect
Traditional security solutions rely on the concept of “if this, then that” and flag emails based on whether or not they are sent from a suspicious domain or contain known malicious components.
However, this Dropbox attack originated from a trusted sender, and the email body and embedded links are all legitimate. Additionally, the message is just the first stepping stone in a series that leads to the malicious link, which exists entirely outside the email environment. The architecture of this attack necessitates an ability to not only understand the context and intent of the message but also evaluate elements beyond the inbox.
Moving the attack out of the inbox not only reduces the likelihood of a legacy security tool detecting it but also increases the probability of deceiving employees. Security awareness training primarily focuses on teaching end users how to spot malicious emails—not how to spot malicious links embedded in innocuous documents shared via legitimate platforms like Dropbox.
Even the one suspicious element of the email (the generic file owner email address, employees-payroll@mail[.]com) is just nondescript enough to not immediately raise red flags. It’s also easily overlooked if you’re concentrating more on the filename and see the phrase “Annual Salary Increase.”
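The file owner address is the one signal in this chain that a rule can actually reach, so it is worth checking mechanically rather than leaving it to a hurried reader. The script below is an added example for this post, not code from the original article or from Abnormal or Dropbox. It parses the owner identity out of a share notification and flags an owner whose display name claims an internal department while the address sits on a free webmail domain outside the organisation. The notification bodies are constructed to mirror the campaign, and the “Display Name (address) shared …” layout the regex expects is an assumption about the notification format, not a documented Dropbox template.

```python
"""Flag a file-sharing notification whose file owner is an outside address
posing as an internal department.

Added example for this post; not code from the original article or from
Abnormal or Dropbox. The notification text is constructed to mirror the
campaign described above, and the regex assumes the owner appears as
"Display Name (address) shared ..." in the body; that layout is an
assumption, not a documented Dropbox format.
"""
import re

# Constructed sample bodies. Indicators are written defanged ("[.]") the way
# analysts exchange them; refang() restores them before matching.
SUSPICIOUS_NOTIFICATION = """\
Human Resources (employees-payroll@mail[.]com) shared "Annual Salary Increase & Open Enrollment.pdf" with you.
View on Dropbox
"""
BENIGN_NOTIFICATION = """\
Jane Roe (jane.roe@example[.]com) shared "Q3 roadmap.pdf" with you.
View on Dropbox
"""

# Free webmail domains an HR department would not normally share from.
FREEMAIL_DOMAINS = {"mail.com", "gmail.com", "outlook.com", "yahoo.com", "proton.me"}

# Display-name words that claim an internal function.
DEPARTMENT_RE = re.compile(r"\b(human resources|hr|payroll|benefits|finance)\b", re.I)

# Owner line: "Display Name (address) shared ..." (assumed layout, see above).
OWNER_RE = re.compile(
    r"(?P<name>[^\n(]+?)\s*\((?P<addr>[^\s()]+@[^\s()]+)\)\s+shared", re.I
)


def refang(text):
    """Turn defanged indicators back into real ones for parsing."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def audit_share_notification(body, org_domains):
    """Return the parsed owner plus a list of findings; an empty list means
    nothing about the owner identity looked off."""
    match = OWNER_RE.search(refang(body))
    if not match:
        return {"owner": None, "name": None,
                "findings": ["could not locate file owner in body"]}

    name = match.group("name").strip()
    addr = match.group("addr").lower()
    domain = addr.rsplit("@", 1)[1]
    org_domains = {d.lower() for d in org_domains}
    findings = []

    if domain not in org_domains:
        findings.append(f"owner domain {domain} is not one of the organisation's domains")
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"owner uses free webmail domain {domain}")
    if DEPARTMENT_RE.search(name) and domain not in org_domains:
        findings.append(
            f"display name {name!r} claims an internal department but the address is external"
        )

    return {"owner": addr, "name": name, "findings": findings}


if __name__ == "__main__":
    for body in (SUSPICIOUS_NOTIFICATION, BENIGN_NOTIFICATION):
        print(audit_share_notification(body, {"example.com"}))
```

The check is deliberately narrow: it says nothing about the Dropbox sender or the links, which are genuine here, and only asks whether the person who owns the file is who the display name says they are. Any finding is a reason to route the notification for review rather than to block it outright, since legitimate external collaborators share files with internal staff all the time.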
Stopping Open Enrollment Attacks with Behavioral AI
Today’s attackers know how to “hack the human” and are continually developing new strategies for manipulating employees. Implementing modern email security technology that pairs advanced behavioral science with risk-adaptive detection is the only surefire way to defend your organization.
Where legacy email security solutions utilize rules and policies to identify attacks, an AI-native, API-based email security platform like Abnormal takes a fundamentally different approach. Abnormal’s behavioral AI evaluates thousands of signals to establish a baseline for typical employee and vendor behavior, allowing it to accurately detect high-risk anomalies and then automatically remediate email threats that traditional solutions miss—preventing end-user engagement and keeping your organization safe.
See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.