Hi,

On Mon, Nov 20, 2017 at 5:47 PM, Bill Cole
<[email protected]> wrote:
> On 20 Nov 2017, at 13:31, Alex wrote:
>
>> On Mon, Nov 20, 2017 at 12:58 PM, Axb <[email protected]> wrote:
>>>
>>> On 11/20/2017 06:26 PM, Alex wrote:
>>>>
>>>>
>>>> Hi, we have an email that originated from email.dropbox.com and has a
>>>> link to https://hyzas.xss.ht/ which is a "payload to test for
>>>> Cross-site Scripting" from the XSS Hunter Team.
>
>
> Yeah, sure. Or maybe it's a malware vector masquerading as a harmless test.
> As the very large and very obfuscated script says in comments at the top:
>
>    If you believe that this payload has been used to attempt to
>    compromise your service without permission, please contact us
>    using https://xsshunter.com/contact.
>
> The registration info for xss.ht includes an embedded <script> tag pointing
> to another instance of that script on another domain. The registration for
> that domain has contact addresses in San Francisco, CA but phone numbers in
> the Grand Rapids, MI area.
>
> I'd be surprised if this was not in fact malicious.
>
>>>> Was it sent in error? How was it sent? I know what XSS is and how it
>>>> can be used, but this was reported as malicious, not from a security
>>>> professional.
>>>>
>>>> https://pastebin.com/8Q7ZPRQ6
>>>
>>>
>>>
>>> And how is this related to SA?
>>> Maybe you should ask the ppl involved: dropbox.com / testalways.com
>>
>>
>> I wasn't sure if it wasn't just a case where someone was using the
>> dropbox service to send spam (in which case a backup mechanism in the
>> form of a SA rule might be helpful), or if it was some dropbox admin
>> who made a mistake, etc. It's just an odd email.
>
>
> The "Dropbox Business" service supports sending invitations to arbitrary
> addresses, much like many other services. It's abusable, just as LinkedIn,
> Twitter, Facebook, and others are abusable.

That's it exactly, thanks. Dropbox responded that they're taking
measures to prevent abuse of their Dropbox Business service, but I
doubt they're making broad changes to address it being abused
generally.

The contact at testalways said it was done for research purposes.

This makes blocking dropbox phishes more difficult. We see a ton of
them. Suggestions on better protecting our users would be appreciated.
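One form the "backup mechanism in the form of a SA rule" mentioned earlier could take, added here as an example rather than anything posted in the thread or shipped by SpamAssassin or Dropbox: a low-scoring meta rule that fires when a message comes from a dropbox.com sender address but links to a host outside the domains Dropbox itself uses (rule names, the allowed-host list and the score are assumptions to tune locally).

```spamassassin
# Added example, not from the thread: flag mail from dropbox.com (including
# subdomains such as email.dropbox.com) that carries a link to a non-Dropbox
# site, the pattern of the reported invitation pointing at hyzas.xss.ht.
# Rule names, allowed hosts and score are assumptions; adjust to your traffic.

# Sender address in dropbox.com or any subdomain of it
header   __DBX_FROM_DROPBOX   From:addr =~ /\@(?:[a-z0-9-]+\.)*dropbox\.com$/i

# Any http(s) URI whose host is not dropbox.com, dropboxstatic.com or db.tt
# (hosts Dropbox legitimately links to; extend the list as you observe more).
# The leading (?:label\.)* keeps look-alikes such as notdropbox.com or
# dropbox.com.example.net from passing as Dropbox hosts.
uri      __DBX_EXTERNAL_URI   /^https?:\/\/(?!(?:[a-z0-9-]+\.)*(?:dropbox(?:static)?\.com|db\.tt)(?:[\/:?#]|$))/i

meta     DBX_INVITE_EXT_LINK  (__DBX_FROM_DROPBOX && __DBX_EXTERNAL_URI)
describe DBX_INVITE_EXT_LINK  Mail from dropbox.com linking to a non-Dropbox site
score    DBX_INVITE_EXT_LINK  1.5
```

Keep the score modest, since legitimate Dropbox notifications can link to partner sites; if you only want it to fire on mail that really passed through Dropbox's infrastructure, AND the meta with SpamAssassin's DKIM_VALID_AU so spoofed From headers are left to the usual anti-spoofing rules.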
