Phishing pages hosted on Dropbox: the 2024 'BEC 3.0' credential-harvesting wave
September 2024
Check Point recorded thousands of attacks in which criminals hosted credential-harvesting documents on Dropbox itself, so the phishing emails genuinely came from Dropbox's own notification address and sailed past filters that trust the Dropbox domain.
What happened
In September 2024 Check Point's Harmony Email researchers reported more than 5,000 attacks in the first two weeks of the month that abused Dropbox to host phishing material. The lure was an authentic Dropbox share notification, sent from Dropbox's own systems, telling the recipient that a document was waiting. Clicking through led to a real Dropbox-hosted page (often styled like a OneDrive or Microsoft document) whose 'Get Document' button then redirected the victim off Dropbox to an external credential-harvesting site. Nothing on the Dropbox-hosted page is itself malicious; the harm is in the outbound redirect.
Check Point labeled this 'BEC 3.0': rather than spoofing a brand, attackers ride a legitimate service, so the email passes SPF, DKIM and sender-reputation checks because it really did originate from Dropbox. Darktrace separately documented a January 2024 case in which 16 users at one organization received a genuine Dropbox link to a PDF that led to a fake Microsoft 365 login; the resulting logins appeared to carry a valid MFA token, indicating that the attackers had bypassed the victims' MFA. A valid token at login is consistent with a phishing page that relays credentials and one-time codes to the real Microsoft login in real time (an adversary-in-the-middle setup) rather than a static clone that only captures a password, though the Darktrace write-up as summarized here does not say which mechanism was used.
Impact
Because the messages genuinely come from Dropbox, sender authentication (SPF/DKIM/DMARC), domain-reputation and brand-impersonation controls all pass, and the burden shifts to user vigilance and behavioral detection: who actually shared the file, and where the Dropbox-hosted page's button leads. It illustrates how Dropbox's trusted file-sharing and notification system can be turned into a delivery platform for credential theft and MFA bypass, harming both Dropbox's brand and the downstream Microsoft 365 and other SaaS accounts whose logins are harvested.
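The following is an added example, not code from Check Point, Darktrace or Dropbox, of the secondary check the two sections above imply: treat a passing SPF/DKIM result on a Dropbox notification as proof only that Dropbox sent it, then triage on what it does not prove, namely whether the person who shared the file is a known contact and whether the Dropbox-hosted document links anywhere off Dropbox. The email, the hosted page, the contact allowlist and every address and URL in it are constructed for the example; the Authentication-Results header is taken at face value and the hosted page is supplied as a string so the script runs offline.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Dropbox share is expected to stay on.
DROPBOX_HOSTS = {"dropbox.com", "www.dropbox.com"}
# Constructed allowlist: external people this organisation already exchanges files with.
KNOWN_CONTACTS = {"alice@partner.example"}

# Constructed sample notification. Dropbox really sent it, so the receiving MX
# stamped spf=pass and dkim=pass for dropbox.com; only the sharer is hostile.
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=dropbox.com; dkim=pass header.d=dropbox.com
From: Dropbox <no-reply@dropbox.com>
To: bob@corp.example
Subject: Mallory shared "Q3 Invoice.pdf" with you
Content-Type: text/plain; charset=utf-8

Mallory (mallory@free-mail.example) shared "Q3 Invoice.pdf" with you.

View file: https://www.dropbox.com/scl/fi/abc123/Q3_Invoice.pdf?dl=0
"""

# Constructed stand-in for the Dropbox-hosted lure page: the 'Get Document'
# button is the only link that leaves Dropbox, and it goes to a harvester.
SAMPLE_HOSTED_DOC = """<html><body>
<p>Q3 Invoice.pdf</p>
<a href="https://www.dropbox.com/help">Help</a>
<a href="https://login-m365-verify.example/auth?u=bob">Get Document</a>
</body></html>"""


def auth_results(msg):
    """Parse spf=/dkim=/dmarc= verdicts out of the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def sharer_address(body):
    """Pull the sharer's address from the 'Name (addr) shared ...' line of the notice."""
    m = re.search(r"\(([^\s()]+@[^\s()]+)\) shared", body)
    return m.group(1) if m else None


def links_in_text(body):
    """Every URL in the plain-text body (the Dropbox 'View file' link)."""
    return re.findall(r"https?://[^\s\"'<>]+", body)


class _HrefCollector(HTMLParser):
    """Collect href targets of <a> tags from the hosted document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def offdomain_targets(html):
    """Links on the Dropbox-hosted page that lead somewhere other than Dropbox."""
    collector = _HrefCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if urlparse(h).hostname not in DROPBOX_HOSTS]


def triage(raw_email, hosted_html, known_contacts=KNOWN_CONTACTS):
    """Decide whether a Dropbox share notice needs escalation even though it is authentic."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    auth = auth_results(msg)
    body = msg.get_content()
    sharer = sharer_address(body)
    external = offdomain_targets(hosted_html)

    authenticated = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    reasons = []
    if not authenticated:
        reasons.append("sender authentication failed")
    if sharer is None:
        reasons.append("could not identify who shared the file")
    elif sharer not in known_contacts:
        reasons.append(f"unknown sharer {sharer}")
    if external:
        reasons.append(f"hosted document links off Dropbox to {external}")

    return {
        "authenticated": authenticated,      # true for the attack: this check alone is useless
        "sharer": sharer,
        "sharer_known": sharer in known_contacts,
        "dropbox_links": links_in_text(body),
        "offdomain_targets": external,
        "reasons": reasons,
        "verdict": "escalate" if reasons else "allow",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EMAIL, SAMPLE_HOSTED_DOC), indent=2))
```

Run against the constructed sample, the notice is fully authenticated yet still escalates on two independent grounds: the sharer is not on the allowlist, and the hosted page's 'Get Document' link leaves Dropbox. In a real deployment the hosted page would have to be fetched (or the redirect followed in a sandbox) rather than passed in as a string, and the allowlist would come from the organisation's contact or ticketing data.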