Attackers are sharing files with suspicious names to users through Dropbox. Because Dropbox is a reputable service, most email security vendors will allow these files to come through.
This email was missed by ATP, Mimecast and Proofpoint, and looks like this:
This particular case was complex because this specific company does use Dropbox, but they do not have any correspondence with anyone using the Hotmail/Gmail address shown in the screenshot. Based on that, Avanan's AI was able to detect this as Phishing and promptly quarantine it.