While inspecting browser traffic from a workstation indicating a phishing attack, a title page says “Dropbox Login Page” but it’s not via https. The workstation user was potentially a victim of an attempt to harvest credentials for Dropbox via a bogus login page.
Quarantine the workstation and run a deep scan. For maximum safety, re-image the hard drive. Check the local DNS cache for possible poisoning of dropbox.com. If this user has a Dropbox account, they should change their credentials.