Service Abuse: Box file sharing with credential phishing intent

Detects abuse of Box's legitimate infrastructure for credential phishing attacks.

Sublime rule (View on GitHub)

name: "Service Abuse: Box file sharing with credential phishing intent"
description: "Detects abuse of Box's legitimate infrastructure for credential phishing attacks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // Sender domain check only: the From address root domain must be box.com.
  // No header authentication result (SPF/DKIM/DMARC) is consulted in this
  // source, so a spoofed box.com sender satisfies this clause the same way a
  // genuine Box notification does.
  and sender.email.domain.root_domain == "box.com"
  
  // Credential-phishing signal: either of the two ML checks below is sufficient
  and (
    // NLU intent classification of the current thread text must report
    // cred_theft with high confidence
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    // Aggressive-mode link analysis, run only on links whose domain is
    // exactly app.box.com; Box links on any other hostname are not evaluated
    // by this branch
    or any(filter(body.links,
                  // target the box link
                  (
                    .href_url.domain.domain == "app.box.com"
                  )
           ),
           // disposition must be "phishing" with medium or high confidence
           ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
           and ml.link_analysis(., mode="aggressive").credphish.confidence in (
             "medium",
             "high"
           )
    )
  )
  // Box file-sharing notification wording: case-insensitive substring matches
  // on the subject, the thread text, or any link's display text
  and (
    strings.icontains(subject.subject, 'invited you to')
    or strings.icontains(subject.subject, 'shared')
    or strings.icontains(subject.subject, 'has sent you')
    or strings.icontains(body.current_thread.text, 'Go to File')
    or any(body.links, strings.icontains(.display_text, 'Go to File'))
  )
  
  // Suspicious document keyword patterns.
  // NOTE(review): the "Impersonation: VIP" tactic tag below is not backed by
  // any VIP or organization-specific check in this source; both branches here
  // are plain keyword matches.
  and (
    // Financial document keywords in the subject, the thread text, or a link's
    // display text. The word list is repeated verbatim because each field is
    // matched separately; keep the three copies in sync when editing.
    (
      regex.icontains(subject.subject,
                      '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
      )
      or regex.icontains(body.current_thread.text,
                         '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
      )
      or any(body.links,
             regex.icontains(.display_text,
                             '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
             )
      )
    )
    // Corporate document wording: a sensitivity/document keyword AND an
    // action keyword must both appear in the subject (subject only; the body
    // is not checked in this branch)
    or (
      regex.icontains(subject.subject,
                      '\b(urgent|important|confidential|secure|encrypted|document|file)\b'
      )
      and regex.icontains(subject.subject,
                          '\b(review|approval|signature|verification|validation)\b'
      )
    )
  )  
# Classification metadata for this rule; see the NOTE(review) in the source
# above regarding the VIP impersonation tag.
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Impersonation: Employee"
  - "Impersonation: VIP"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Header analysis"
id: "5bd0cb25-5984-5f52-9b7b-d7d337eacf7a"