Service Abuse: Box file sharing with credential phishing intent
Detects abuse of Box's legitimate infrastructure for credential phishing attacks.
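name: "Service Abuse: Box file sharing with credential phishing intent"
description: "Detects abuse of Box's legitimate infrastructure for credential phishing attacks."
type: "rule"
severity: "medium"
source: |
  // Inbound mail that (1) arrives from Box's notification domain, (2) carries a
  // credential-theft signal from either the NLU intent classifier or aggressive
  // link analysis of the app.box.com link, (3) reads like a Box share
  // notification, and (4) uses a financial/HR or "urgent document" lure.
  //
  // NOTE(review): the sender condition is a From-domain match only. Nothing in
  // this rule confirms the message was authenticated (DMARC/SPF) for box.com, so
  // a direct spoof of a box.com From address also satisfies it. That is fine for
  // this rule's purpose (the message is still phishing), but "box.com" here must
  // not be read as "verified Box infrastructure".
  type.inbound

  // Box's sending domain (From-domain match, not an authentication check)
  and sender.email.domain.root_domain == "box.com"

  // Credential-theft signal, either:
  //   (a) NLU classifies the current thread as cred_theft with high confidence, or
  //   (b) aggressive link analysis of a link whose host is exactly app.box.com
  //       returns a "phishing" disposition at medium or high confidence.
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    or any(filter(body.links,
                  // Only links whose host is exactly app.box.com are analyzed.
                  // Other Box hosts (e.g. a tenant-prefixed app.box.com name)
                  // are not covered by this branch.
                  (
                    .href_url.domain.domain == "app.box.com"
                  )
           ),
           ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
           and ml.link_analysis(., mode="aggressive").credphish.confidence in (
             "medium",
             "high"
           )
    )
  )

  // Box file-sharing notification wording in the subject, body, or link text
  and (
    strings.icontains(subject.subject, 'invited you to')
    or strings.icontains(subject.subject, 'shared')
    or strings.icontains(subject.subject, 'has sent you')
    or strings.icontains(body.current_thread.text, 'Go to File')
    or any(body.links, strings.icontains(.display_text, 'Go to File'))
  )

  // Lure content. Either a financial/HR document keyword anywhere in the
  // subject, body text, or link text, or an "urgent/confidential document"
  // subject that also asks for review/approval/signature/verification.
  // No VIP or employee impersonation check is performed here. The keyword
  // list is deliberately broad (e.g. '\bhr\b' also matches "24 hr"), so the
  // ML gate above is what carries the rule's precision.
  and (
    // Financial / HR document keywords
    (
      regex.icontains(subject.subject,
        '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
      )
      or regex.icontains(body.current_thread.text,
        '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
      )
      or any(body.links,
        regex.icontains(.display_text,
          '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
        )
      )
    )
    // "Urgent/confidential document" subject that also requests an action
    or (
      regex.icontains(subject.subject,
        '\b(urgent|important|confidential|secure|encrypted|document|file)\b'
      )
      and regex.icontains(subject.subject,
        '\b(review|approval|signature|verification|validation)\b'
      )
    )
  )

# Tags are limited to what the query actually evaluates: there is no phone
# number / callback indicator, no VIP or sender-history check, and no
# behavioral profiling in the source above, so those tags are not listed.
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Impersonation: Employee"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Header analysis"
id: "5bd0cb25-5984-5f52-9b7b-d7d337eacf7a"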