Blog
/
Email
/
March 8, 2024

Malicious Use of Dropbox in Phishing Attacks

Understand the tactics of phishing attacks that exploit Dropbox and learn how to recognize and mitigate these emerging cybersecurity threats.
Written by
Ryan Traill
Analyst Content Lead
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Ryan Traill
Analyst Content Lead
Default blog image
08
Mar 2024

Evolving Phishing Attacks

While email has long been the vector of choice for carrying out phishing attacks, threat actors, and their tactics, techniques, and procedures (TTPs), are continually adapting and evolving to keep pace with the emergence of new technologies that represent new avenues to exploit. As previously discussed by the Darktrace analyst team, several novel threats relating to the abuse of commonly used services and platforms were observed throughout 2023, including the rise of QR Code Phishing and the use of Microsoft SharePoint and Teams in phishing campaigns.

Dropbox Phishing Attacks

It should, therefore, come as no surprise that the malicious use of other popular services has gained traction in recent years, including the cloud storage platform Dropbox.

With over 700 million registered users [1], Dropbox has established itself as a leading cloud storage service celebrated for its simplicity in file storage and sharing, but in doing so it has also inadvertently opened a new avenue for threat actors to exploit. By leveraging the legitimate infrastructure of Dropbox, threat actors are able to carry out a range of malicious activities, from convincing their targets to unknowingly download malware to revealing sensitive information like login credentials.

Darktrace Detection of Dropbox Phishing Attack

Darktrace detected a malicious attempt to use Dropbox in a phishing attack in January 2024, when employees of a Darktrace customer received a seemingly innocuous email from a legitimate Dropbox address. Unbeknownst to the employees, however, a malicious link had been embedded in the contents of the email that could have led to a widespread compromise of the customer’s Software-as-a-Service (SaaS) environment. Fortunately for this customer, Darktrace / EMAIL quickly identified the suspicious emails and took immediate actions to stop them from being opened. If an email was accessed by an employee, Darktrace / IDENTITY was able to recognize any suspicious activity on the customer’s SaaS platform and bring it to the immediate detection of their security team.

Attack overview

Initial infection  

On January 25, 2024, Darktrace / EMAIL observed an internal user on a customer’s SaaS environment receiving an inbound email from ‘no-reply@dropbox[.]com’, a legitimate email address used by the Dropbox file storage service.  Around the same time 15 other employees also received the same email.

The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization. Although the email and the Dropbox endpoint were both legitimate, Darktrace identified that the PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, ‘mmv-security[.]top’.  

Darktrace understood that despite being sent from a legitimate service, the email’s initiator had never previously corresponded with anyone at the organization and therefore treated it with suspicion. This tactic, whereby a legitimate service sends an automated email using a fixed address, such as ‘no-reply@dropbox[.]com’, is often employed by threat actors attempting to convince SaaS users to follow a malicious link.

As there is very little to distinguish between malicious or benign emails from these types of services, they can often evade the detection of traditional email security tools and lead to disruptive account takeovers.

As a result of this detection, Darktrace / EMAIL immediately held the email, stopping it from landing in the employee’s inbox and ensuring the suspicious domain could not be visited. Open-source intelligence (OSINT) sources revealed that this suspicious domain was, in fact, a newly created endpoint that had been reported for links to phishing by multiple security vendors [2].

A few days later on January 29, the user received another legitimate email from ‘no-reply@dropbox[.]com’ that served as a reminder to open the previously shared PDF file. This time, however, Darktrace / EMAIL moved the email to the user’s junk file and applied a lock link action to prevent the user from directly following a potentially malicious link.

Figure 1: Anomaly indicators associated with the suspicious emails sent by ’no.reply@dropbox[.]com’, and the corresponding actions performed by Darktrace / EMAIL

Unfortunately for the customer in this case, their employee went on to open the suspicious email and follow the link to the PDF file, despite Darktrace having previously locked it.

Figure 2: Confirmation that the SaaS user read the suspicious email and followed the link to the PDF file hosted on Dropbox, despite it being junked and link locked.

Darktrace / NETWORK subsequently identified that the internal device associated with this user connected to the malicious endpoint, ‘mmv-security[.]top’, a couple of days later.

Further investigation into this suspicious domain revealed that it led to a fake Microsoft 365 login page, designed to harvest the credentials of legitimate SaaS account holders. By masquerading as a trusted organization, like Microsoft, these credential harvesters are more likely to appear trustworthy to their targets, and therefore increase the likelihood of stealing privileged SaaS account credentials.  

Figure 3: The fake Microsoft login page that the user was directed to after clicking the link in the PDF file.

Suspicious SaaS activity

In the days following the initial infection, Darktrace / IDENTITY began to observe a string of suspicious SaaS activity being performed by the now compromised Microsoft 365 account.

Beginning on January 31, Darktrace observed a number of suspicious SaaS logins from multiple unusual locations that had never previously accessed the account, including 73.95.165[.]113. Then on February 1, Darktrace detected unusual logins from the endpoints 194.32.120[.]40 and 185.192.70[.]239, both of which were associated with ExpressVPN indicating that threat actors may have been using a virtual private network (VPN) to mask their true location.

FIgure 4: Graph Showing several unusual logins from different locations observed by Darktrace/Apps on the affected SaaS account.

Interestingly, the threat actors observed during these logins appeared to use a valid multi-factor authentication (MFA) token, indicating that they had successfully bypassed the customer’s MFA policy. In this case, it appears likely that the employee had unknowingly provided the attackers with an MFA token or unintentionally approved a login verification request. By using valid tokens and meeting the necessary MFA requirements, threat actors are often able to remain undetected by traditional security tools that view MFA as the silver bullet. However, Darktrace’s anomaly-based approach to threat detection allows it to quickly identify unexpected activity on a device or SaaS account, even if it occurs with legitimate credentials and successfully passed authentication requirements, and bring it to the attention of the customer’s security team.

Shortly after, Darktrace observed an additional login to the SaaS account from another unusual location, 87.117.225[.]155, this time seemingly using the HideMyAss (HMA) VPN service. Following this unusual login, the actor was seen creating a new email rule on the compromised Outlook account. The new rule, named ‘….’, was intended to immediately move any emails from the organization’s accounts team directly to the ‘Conversation History’ mailbox folder. This is a tactic often employed by threat actors during phishing campaigns to ensure that their malicious emails (and potential responses to them) are automatically moved to less commonly visited mailbox folders in order to remain undetected on target networks. Furthermore, by giving this new email rule a generic name, like ‘….’ it is less likely to draw the attention of the legitimate account holder or the organizations security team.

Following this, Darktrace / EMAIL observed the actor sending updated versions of emails that had previously been sent by the legitimate account holder, with subject lines containing language like “Incorrect contract” and “Requires Urgent Review”, likely in an attempt to illicit some kind of follow-up action from the intended recipient.  This likely represented threat actors using the compromised account to send further malicious emails to the organization’s accounts team in order to infect additional accounts across the customer’s SaaS environment.

Unfortunately, Darktrace's Autonomous Response was not deployed in the customer’s SaaS environment in this instance, meaning that the aforementioned malicious activity did not lead to any mitigative actions to contain the compromise. Had RESPOND been enabled in autonomous response mode at the time of the attack, it would have quickly moved to log out and disable the suspicious actor as soon as they had logged into the SaaS environment from an unusual location, effectively shutting down this account takeover attempt at the earliest opportunity.

Nevertheless, Darktrace / EMAIL's swift identification and response to the suspicious phishing emails, coupled with Darktrace / IDENTITY's detection of the unusual SaaS activity, allowed the customer’s security team to quickly identify the offending SaaS actor and take the account offline before the attack could escalate further

Conclusion

As organizations across the world continue to adopt third-party solutions like Dropbox into their day-to-day business operations, threat actors will, in turn, continue to seek ways to exploit these and add them to their arsenal. As illustrated in this example, it is relatively simple for attackers to abuse these legitimate services for malicious purposes, all while evading detection by endpoint users and security teams alike.

By leveraging these commonly used platforms, malicious actors are able to carry out disruptive cyber-attacks, like phishing campaigns, by taking advantage of legitimate, and seemingly trustworthy, infrastructure to host malicious files or links, rather than relying on their own infrastructure. While this tactic may bypass traditional security measures, Darktrace’s Self-Learning AI enables it to recognize unusual senders within an organization’s email environment, even if the email itself seems to have come from a legitimate source, and prevent them from landing in the target inbox. In the event that a SaaS account does become compromised, Darktrace is able to identify unusual login locations and suspicious SaaS activities and bring them to the attention of the customer for remediation.

In addition to the prompt identification of emerging threats, Darktrace's Autonomous Response is uniquely placed to take swift autonomous action against any suspicious activity detected within a customer’s SaaS environment, effectively containing any account takeover attempts in the first instance.

Credit to Ryan Traill, Threat Content Lead, Emily Megan Lim, Cyber Security Analyst

Appendices

Darktrace Model Detections  

- Model Breach: SaaS / Access::Unusual External Source for SaaS Credential Use

- Model Breach: SaaS / Unusual Activity::Multiple Unusual External Sources For SaaS Credential

- Model Breach: SaaS / Access::Unusual External Source for SaaS Credential Use

- Model Breach: SaaS / Access::Unusual External Source for SaaS Credential Use

- Model Breach: SaaS / Unusual Activity::Multiple Unusual SaaS Activities

- Model Breach: SaaS / Unusual Activity::Unusual MFA Auth and SaaS Activity

- Model Breach: SaaS / Compromise::Unusual Login and New Email Rule

- Model Breach: SaaS / Compliance::Anomalous New Email Rule

- Model Breach: SaaS / Compliance::New Email Rule

- Model Breach: SaaS / Compromise::SaaS Anomaly Following Anomalous Login

- Model Breach: Device / Suspicious Domain

List of Indicators of Compromise (IoCs)

Domain IoC

mmv-security[.]top’ - Credential Harvesting Endpoint

IP Address

73.95.165[.]113 - Unusual Login Endpoint

194.32.120[.]40 - Unusual Login Endpoint

87.117.225[.]155 - Unusual Login Endpoint

MITRE ATT&CK Mapping

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.004 - Cloud Accounts

DISCOVERY

T1538 - Cloud Service Dashboard

RESOURCE DEVELOPMENT

T1586 - Compromise Accounts

CREDENTIAL ACCESS

T1539 - Steal Web Session Cookie

PERSISTENCE

T1137 - Outlook Rules

INITIAL ACCESS

T156.002 Spearphishing Link

Written by
Ryan Traill
Analyst Content Lead
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Ryan Traill
Analyst Content Lead

Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

Network
May 14, 2026
Tara Gould
Malware Research Lead
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Email
May 26, 2026

Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL

Follow a malicious email as it moves through Darktrace / EMAIL’s multi-layered AI system, from raw data to final decision. Each layer works together to detect threats, understand intent, and take autonomous action.
Jamie Bali
Technical Author (AI) Developer
Read more
Email
May 1, 2026

How email-delivered prompt injection attacks can target enterprise AI – and why it matters

Prompt injection is a newly emerging threat, with only a handful of confirmed victims so far – targeting how AI systems use data rather than exploiting traditional software vulnerabilities. As agentic AI becomes embedded across enterprise environments, attackers may attempt to manipulate these systems through hidden instructions in everyday email content.
Kiri Addison
Senior Director of Product
Read more
Email
March 24, 2026

Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom

Introducing the adaptive era of email security: a unified platform that connects personalized coaching, collaboration tools, and user behavior into a self-improving defense system.
Carlos Gray
Senior Product Marketing Manager, Email
Read more

Blog

/

Proactive Security

/

June 2, 2026

Stopping Stealth Attacks with Precision: How Núclea Prevented a Breach Without Disruption

Default blog imageDefault blog image

Núclea is a Brazilian data and technology company that supports the country’s financial system by delivering digital services exclusively to banks and financial institutions. Operating in an environment where trust, availability, and data integrity are critical, the company faces a threat landscape that has evolved rapidly—particularly with the rise of AI-driven cyberattacks.

Brazil has experienced a wave of successful cyber incidents targeting financial institutions, many of them enabled by insiders or compromised credentials. The result was a noticeable shift in attacker strategy: instead of focusing on end customers, threat actors began targeting the institutions and platforms that underpin the financial ecosystem itself.

“Attacks became far more directed and contextual,” explains Guilherme, who leads incident response within Núclea’s security platform engineering team. “They weren’t noisy or obviously malicious—they were precise, patient, and designed to blend into normal operations.”

That precision was on full display in January 2026, when Núclea faced one of the most convincing phishing attacks the team had seen.

A real attack, built on trust and context

The attack began with a seemingly routine email.

It was sent from a real Brazilian government institution, using legitimate infrastructure and valid credentials that were later confirmed to have been compromised. Núclea had an established, ongoing relationship with this organization, and the email’s language, tone, and subject matter aligned perfectly with the type of communication the recipient team handled every day.

Attached to the email was a PDF document containing content that looked entirely legitimate.

The problem? A single URL embedded inside that PDF.

“The message itself was correct. The sender was real. The context was familiar. Even the document content made sense,” Guilherme explains. “There was just one small element that didn’t belong.”

That small detail was enough to initiate a full attack chain.

What the attackers were trying to do

If clicked, the URL would have downloaded a malicious payload designed to:

  • Collect information about the user and device
  • Identify where the system was located within the financial ecosystem
  • Install remote access tools to maintain control
  • Deploy an infostealer to extract sensitive data
  • Execute anti-forensic scripts to erase traces of the intrusion

In other words, it was a carefully engineered operation designed for persistence and stealth, not immediate disruption.

The attack also employed urgency—a classic social engineering technique. When the link didn’t open as expected, employees requested assistance from the security team, insisting the document was important and needed to be accessed quickly.

This is precisely the kind of scenario where traditional security tools struggle: almost everything about the interaction is legitimate.

Where Darktrace made the difference

Instead of blocking the entire message or relying on known indicators of compromise, Darktrace focused on behavioral context.

Darktrace recognized:

  • That the sending organization was normally trusted
  • That the communication pattern matched historical behavior
  • That the PDF content itself was not suspicious

But it also identified that the URL embedded within the document deviated from established behavioral patterns.

Rather than disrupting business operations, Darktrace took precise action: it rewrote the URL, preventing the malicious download while leaving the rest of the email untouched.

“When we analyzed it afterward, it became clear how dangerous the attack would have been,” says Guilherme. “But it never progressed—because Darktrace acted at exactly the right point.”

Subsequent forensic analysis confirmed the payload’s malicious intent. The attack never succeeded.

Precision over disruption

For Núclea, this incident reinforced a critical lesson: modern attacks don’t always look malicious—they hide within normal activity.

“What stands out to me is the precision,” Guilherme says. “Darktrace doesn’t rely on big, obvious signals. It’s effective in situations that fall outside the standard patterns we all know.”

Building resilience in a high trust ecosystem

For Núclea, cybersecurity is not just a defensive measure—it’s a business enabler.

Availability failures or successful breaches in the financial ecosystem can have immediate, large-scale consequences, from financial loss to reputational damage. Preventing those outcomes protects not just Núclea, but its partners and customers as well.

“Cyber resilience means keeping the business running—even under attack,” Guilherme explains. “And that requires people, processes, and technology working together.”

As AI continues to accelerate both attacks and defenses, the role of security is evolving. Precision, behavioral understanding, and intelligent automation are no longer optional—they’re essential.

“The easy days were yesterday,” Guilherme says. “The challenges ahead are bigger. We need to be prepared—internally and with partners that help us build resilience.”

Continue reading
About the author

Blog

/

Proactive Security

/

June 1, 2026

Defend What You Trust: Stories from the Front Lines of Modern Cyber Defense

Default blog imageDefault blog image

Modern attacks don’t always announce themselves, follow obvious patterns, or rely on known malware. Often, they move quietly inside trusted systems, authenticated sessions, and everyday behavior.

They don’t break in. They blend in.

That’s why an AI-powered defense is essential. It turns invisible signals into actionable insights at a scale neither analysts nor traditional tools can achieve alone.

Confidence is creating risk

One of the most dangerous assumptions in cybersecurity today is that strong controls equal strong protection.

Multi-factor authentication (MFA), for example, is widely viewed as a foundational safeguard. But as the CISO for a professional sports organization explains, that confidence can be misplaced. “A lot of organizations assume that once you have MFA, those accounts are safe. That’s not true.”

In one instance, his team identified a sophisticated attack where a threat actor bypassed MFA entirely, not by breaking it, but by going around it. A user’s authenticated session was hijacked and re-used, allowing the attacker to impersonate them without triggering traditional controls.

“Darktrace picked up that a session had been re-injected by the hacker, and we were able to block it right away,” he explains.

Attackers anticipate what we miss

Even well-trained users can become entry points.

“An email bypassed our existing security tools,” shares the VP of IT at a U.S.-based risk management services provider.  “The user missed one signal and entered their credentials into a malicious site. That’s what the bad guys count on.”

The organization responded quickly, but not before damage was done. Crucially, this occurred while Darktrace was in “watch mode,” before autonomous response was fully enabled. “Darktrace would have seen that and shut it down immediately,” he notes.

Mistakes and oversights like misconfigurations, forgotten machines, and missed patches can create serious vulnerabilities.

The CIO of a utility services organization shares an instance when Darktrace detected a breach to a client’s network via their ZTNA VPN due to misconfigured MFA. “Darktrace alerted us and autonomously blocked the scanning, preventing what could have been a ransomware-type incident.”  

The most dangerous threats are already inside

The Head of Security at a global business services provider knows firsthand how blind spots can persist inside environments. His team uncovered evidence of dormant ransomware artifacts sitting unnoticed within a company’s environment ¬¬– long before modern detection was in place.

“During a routine file transfer, Darktrace flagged the suspicious activity, identified the ransomware, and immediately quarantined the server,” he recalls.  While the attack was never executed, the implication was significant: the risk existed long before it was finally detected.

Cyber threats are also successful because they take advantage of normal human behavior, exploiting moments of cognitive overload, urgency, and trust.

The Executive Director of IT and Business Applications at a pharmaceutical lab describes the time Darktrace flagged an employee logging into Microsoft 365 from Singapore, despite him being physically located in the U.S. Darktrace immediately cut off his access and within minutes revealed that the employee’s son was using a VPN to play a video game.

While the threat was benign, it demonstrated the strength of AI to use contextual information to detect threats other tools miss. The information also saved security analysts hours of investigation and minimized downtime for the employee. “That level of precision and speed isn’t just convenient, it’s game changing.”

“Unusual” behavior is the new red flag

Detecting modern threats requires an understanding of what “normal” looks like and recognizing when something subtly deviates.

One security leader  at an AI technology enterprise described a scenario in which an employee connected to a proxy service in China. The service itself was legitimate, and although traditional tools didn’t flag it, the behavior was unusual for that user specifically.

“That’s what Darktrace picked up on. The activity turned out to be benign, but without visibility into behavioral deviations, it could just as easily have been something more serious.”

AI shifts defense from reaction to anticipation

These stories point to a fundamental shift by cyber attackers, both tactically and strategically. Because traditional security tools were built to detect what’s already known, modern attacks are often:

  • Credential-based, not malware-based
  • Behavioral, not signature-based
  • Subtle, not overt

They may operate within the boundaries of what appears normal, exploiting what organizations trust, not what they block:

  • Trusted sessions
  • Legitimate services
  • Human error

This is where AI is changing the equation. Rather than relying on predefined rules or known threat signatures, AI can:

  • Establish a baseline of normal behavior
  • Detect subtle anomalies in real time
  • Act autonomously to contain potential threats

Resilience, not perfection, is the new security standard

As these frontline experiences show, the organizations that lead are those that move beyond reactive defense and embrace AI as a core part of their strategy.

It eliminates the blind spots and uncertainty, says the CISO of a professional sports organization. “If you lack visibility, you’re not managing risk, you’re assuming it. AI gives you the actionable insights needed to turn uncertainty into control.”

And it provides the speed and agility that are vital when seconds matter, says the Executive Director of IT and Business Applications. “When Darktrace alerted us at 3:00 am to a ransomware attack, it had already quarantined the affected systems, blocked the attacker’s access, and provided us with the critical details and time needed to investigate. That action likely saved us hundreds of thousands, if not millions, of dollars.”

The modern SOC has become a cornerstone of enterprise resilience, responsible for protecting data and operational continuity while enabling digital growth and innovation. For today’s security professional, that means success is no longer measured by what they keep out, but by what they protect: revenue, reputation, and trust.

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI