Fake Dropbox logins: recurring campaigns impersonating the brand to steal credentials
2022–2026
Across multiple years, attackers have built convincing fake Dropbox login pages — reached via PDF lures and redirect chains through trusted cloud storage — to harvest victims' real business email and Dropbox credentials.
What happened
Separate from campaigns that host content on Dropbox, a long-running class of attacks simply impersonates Dropbox. Cofense documented a prolific operation in 2022 in which booby-trapped links led through Dropbox-hosted files to external credential-harvesting pages, with stolen logins exfiltrated to PHP panels on compromised domains. The pattern persisted: in early 2026 Forcepoint's X-Labs detailed a procurement-themed campaign that mailed PDF attachments, staged an intermediate document on cloud storage (Vercel Blob), then dropped victims onto a fake Dropbox login page at an attacker domain that captured email addresses, passwords, IPs and geolocation and shipped them to a Telegram bot.
These campaigns do not breach Dropbox; they weaponize the trust users place in the brand. Because the fake pages mirror Dropbox's real interface and arrive via legitimate-looking attachments, they evade naive defenses and rely on the victim not checking the destination URL.
Impact
Persistent brand-impersonation phishing means Dropbox's name is repeatedly used as bait to compromise both Dropbox accounts and unrelated work credentials, a reputational and ecosystem harm that Dropbox cannot fully control. It keeps Dropbox among the most-imitated brands in phishing telemetry and reinforces why password-only logins and credential reuse remain the dominant route to account takeover.