Monitoring deep, dark and surface web to detect exposure of your sensitive data, secret projects and initiatives, privileged users, critical systems, IT infrastructure, and more.
Monitoring and alerting of third party data breaches impacting your employees’ emails, usernames, and personally identifiable information.
Assess the risk footprint and security posture of key business relationships to get a handle on external risk introduced through your extended attack surface.

Sign Up for Updates

Digital risk monitoring of key personnel with telemetry and risk metrics. VIPRecon provides broad coverage of social media, deep and dark web, as well as physical threat assessments.
Our Ransomware Response Readiness Assessment, Playbook and Table Top Exercise gives your organization the best chance to survive and recover.
Gain visibility of your digital footprint by reaching into the most active areas of the cyber underground.
Fully managed and tailored Threat Intelligence services that becomes an extension of your current security processes and provides real-time visibility on new threats.
Providing research and investigations into known threats, to save security teams time and stress during a cyber emergency.

Sign Up for Updates

GroupSense offers a comprehensive package of services for assessing and responding to ransomware attacks, including negotiations with threat actors.
Actively researching and monitoring threats from vendors or third-party companies that can affect organizational security.
Monitoring for threats to elections, VIPs, and more on social media to proactively prevent or mitigate digital risk.
Focusing on the threats and risks that matter to your security processes and providing intelligence and insights to prevent or mitigate digital risk.
Taking the next step in security services, by proactively taking down phishing sites or anonymously interacting with threat actors to provide better intelligence.
Active monitoring of your brand's digital assets to protect its reputation and stop further brand abuse from targeting unsuspecting victims.

Sign Up for Updates

Combining your cyber and fraud programs to effectively fight threat actors continually scamming or threatening assets within an organization.
Executives are prime targets for fraudulent activities, but with a proactive approach, any attacks or threats can be neutralized before causing any damage.
Governments, political parties and candidates must all act now to activate cyber threat intelligence services to harden their information security and get ahead of inevitable cyber threats to the election process.
6 min read

Dropbox Security Concerns

Mar 9, 2021 9:00:00 AM

Users quickly adopted the cloud storage tool Dropbox at the start of the COVID-19 pandemic to alleviate file sharing issues and facilitate group work. Updates to Dropbox Spaces, a project management tool, reflect this shift, easing communications for remote work.1 The file-sharing company seeks to enhance collaboration and information-sharing within a distributed workforce, both now and in the future.

As Dropbox and other businesses continue to adjust to new workplace requirements, threat actors are increasingly leveraging their services for attacks.

Dropbox's Encrypted Channels Allow Threat Actors to Blend Normal Traffic

A 260% increase in using encrypted Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic to hide cyber attacks occurred in the first nine months of 2020, according to security company Zscaler.2 More than 30% of all SSL-based attacks hide in collaboration services like Dropbox.3 Threat actors hide malware inside encrypted traffic, enabling their attacks to bypass detection. Dropbox relies on such encrypted traffic to protect data in transit, yet is exploited by these hidden attacks.

Recent espionage campaigns by sophisticated advanced persistent threat (APT) groups demonstrate the appeal of leveraging Dropbox’s encrypted channels. For example, the Russia-based espionage group Turla stored stolen documents from high-value targets on various Dropbox accounts the group controlled as far back as 2015.4 Using a previously undocumented malware toolset named Crutch, Turla bypassed Dropbox’s security layers and blended into normal traffic for years.

New call-to-action


Threat Actors Utilize File-Sharing Services to Host and Disseminate Malware

There are numerous reports of threat actors of varying motivations and sophistication utilizing file-sharing services to host and disseminate malware. As the COVID-19 pandemic continues, information sharing and virtual collaboration provided by Dropbox will remain a crucial factor for remote work and resulting threat actor abuse. 

As of December 2020, Arabic-speaking APT group Molerats is actively conducting a cyber espionage campaign against several government officials in the Middle East.5 The group delivered backdoors and one downloader in phishing documents to execute arbitrary code and collect sensitive data from infected computers. Molerats leveraged Dropbox to covertly store espionage tools and exfiltrate stolen data.

MoleRATs' campaign infection chain

Figure 1: Molerats' latest campaign Infection Chain; Source: Cybereason

Threat actors are likely to continue exploiting Dropbox in conjunction with sophisticated toolsets, potentially for political purposes.

Dropbox Used for Social Engineering Campaigns

Dropbox’s reputation as a leading file-sharing service makes it a popular target. Its legitimacy allows threat actors to appear authentic to targeted users, which lowers their usual levels of alertness or wariness. Dropbox provides a platform for C&C communications, allowing threat actors to evade detection during their campaigns.

There are several reports of social engineering campaigns mimicking Dropbox. Exploiting Dropbox’s trusted reputation and using its branding makes spoofed links and websites appear legitimate. Domain squatters mimic the legitimate Dropbox domain (dropbox[.]com),6 luring users into giving away their login credentials or infecting their devices with malware.

Since the beginning of 2021, five users have submitted fifteen suspicious emails purporting to target the Dropbox brand to the phishing tracking service PhishTank.7 GroupSense verified many of these submissions as phishing emails, and the actual number of such emails is likely significantly higher than those reported.

Threat actors have been leveraging Dropbox Transfer with COVID-19 relief phishing lures to redirect users to credential harvesting websites.8 Evoking a sense of urgency to the user that file transfers will expire can influence victims to click and download malicious content.

COVID-19 relief email phishing through dropbox transfer

Figure 2: Phishing email spoofing Dropbox in content related to COVID-19 relief; Source:

The Dropbox Breach Continues to Spark Interest

Dropbox was breached in 2012, affecting more than 68 million account holders9 and exposing usernames, emails, and hashed passwords. In 2016, Dropbox forced password resets after discovering accounts exposed from the breach still circulating among threat actors.10

The breach continues to attract interest in underground forums. As recently as February 2021, users were replying to a post offering the database on RAID Forums in 2016.


Figure 3: November 2016 post advertising Dropbox credentials continues to receive interest; Source:

Dropbox Vulnerabilities

There have been 11 vulnerabilities reported impacting Dropbox.11 More than half of the vulnerabilities are related to denial of service and authentication bypass.

A zero-day vulnerability in Dropbox was discovered in 2019 by security researchers Decoder and Chris Danieli which allowed threat actors to gain permissions reserved to the privileged SYSTEM account in Windows 10 OS.12

These vulnerabilities are comparatively rare and less likely to present a threat to businesses than phishing and malware distributed via Dropbox.

To protect against these vulnerabilities, GroupSense recommends users ensure they have automatic updates enabled for Dropbox desktop and/or mobile applications or that users manually and periodically update the application. Detailed instructions are available on Dropbox’s site.

Dropbox vulnerability trends over time

Figure 4: Dropbox CVEs (2010-2019); Source:

New call-to-action


GroupSense recommends users engage in phishing awareness training, including examples of phishing campaigns mimicking popular file-sharing services such as Dropbox. Training should highlight that received legitimate emails, including those from, can contain malicious links or attachments.

GroupSense additionally advises blocking leaked Dropbox email addresses from the 2012 breach, as these are still receiving attention from threat actors and could be used to host and disseminate malicious content.

Other reputable cloud storage and file-sharing services like Microsoft OneDrive or Google Drive may better suit your business. Regardless of the chosen service, threat actors will still take advantage of all encrypted SSL/TLS security measures.

Businesses should consider limiting file transfers to only one sharing service across the company. This can mitigate phishing and malware distribution that leverage other popular file-sharing sites not approved for use.

Data privacy presents legal obstacles related to inspecting traffic passing to and from their websites for cloud storage services. However, regularly reviewing access logs of company-related cloud storage services can help identify suspicious activity, including interactions with known malicious infrastructures.

New call-to-action














Topics: Blog

Written by Editorial Team