Service Abuse: Box file sharing with credential phishing intent

Detects abuse of Box's legitimate infrastructure for credential phishing attacks.

Sublime rule (View on GitHub)

 1name: "Service Abuse: Box file sharing with credential phishing intent"
 2description: "Detects abuse of Box's legitimate infrastructure for credential phishing attacks."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7
 8  // Legitimate Box sending infrastructure
 9  and sender.email.domain.root_domain == "box.com"
10
11  // ML classification indicates credential theft with high confidence
12  and (
13    any(ml.nlu_classifier(body.current_thread.text).intents,
14        .name == "cred_theft" and .confidence == "high"
15    )
16    // Link analysis for credential phishing detection
17    or any(filter(body.links,
18                  // target the box link
19                  (
20                    .href_url.domain.domain == "app.box.com"
21                  )
22          ),
23          ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
24          and ml.link_analysis(., mode="aggressive").credphish.confidence in (
25            "medium",
26            "high"
27          )
28    )
29  )
30  // Box file sharing patterns
31  and (
32    strings.icontains(subject.subject, 'invited you to')
33    or strings.icontains(subject.subject, 'shared')
34    or strings.icontains(subject.subject, 'has sent you')
35    or strings.icontains(body.current_thread.text, 'Go to File')
36    or any(body.links, strings.icontains(.display_text, 'Go to File'))
37  )
38
39  // Suspicious document patterns or VIP impersonation
40  and (
41    // Financial document patterns
42    (
43      regex.icontains(subject.subject,
44                      '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
45      )
46      or regex.icontains(body.current_thread.text,
47                        '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
48      )
49      or any(body.links,
50            regex.icontains(.display_text,
51                            '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
52            )
53      )
54    )
55    // Corporate document patterns
56    or (
57      regex.icontains(subject.subject,
58                      '\b(urgent|important|confidential|secure|encrypted|document|file)\b'
59      )
60      and regex.icontains(subject.subject,
61                          '\b(review|approval|signature|verification|validation)\b'
62      )
63    )
64  )  
65
66attack_types:
67  - "Credential Phishing"
68  - "BEC/Fraud"
69  - "Callback Phishing"
70tactics_and_techniques:
71  - "Evasion"
72  - "Social engineering"
73  - "Impersonation: Employee"
74  - "Impersonation: VIP"
75detection_methods:
76  - "Content analysis"
77  - "Natural Language Understanding"
78  - "Sender analysis"
79  - "Header analysis"
80  - "Behavioral analysis"
81id: "5bd0cb25-5984-5f52-9b7b-d7d337eacf7a"