Brand impersonation: Box file sharing service

Detects messages impersonating the Box file sharing service by identifying a Box logo paired with collaboration-related language, or Box corporate address details, in messages whose sender is not DMARC-authenticated as the legitimate box.com domain and whose delivery path did not traverse box.com.

Sublime rule (View on GitHub)

name: "Brand impersonation: Box file sharing service"
description: "Detects messages impersonating Box file sharing service by identifying Box logos, collaboration-related language, or Box company address information from senders not associated with the legitimate box.com domain."
type: "rule"
severity: "medium"
# Detection logic (MQL). Shape: one "looks like Box" branch AND a series of
# sender/authentication negations that carve out legitimate Box traffic.
source: |
  type.inbound
  and (
    (
      // Branch 1: a Box logo is visible in a rendered screenshot of the message.
      // The logo alone is not enough - it must be paired with the lure text below,
      // which limits hits on newsletters/partner mail that merely show the brand.
      any(ml.logo_detect(file.message_screenshot()).brands, .name == "Box")
      // Either pattern may match (multiple patterns to regex.icontains are OR-ed),
      // checked against the current thread body and the subject.
      and any([body.current_thread.text, subject.subject],
              regex.icontains(.,
                              'invited you to.{0,10}(?:view|edit|work together|collaborate)',
                              'items were (?:deleted|added)'
              )
      )
    )
    // Branch 2: Box address from footer. Requires any 2 of the 3 strings so a
    // single stray mention of "About Box" does not fire the rule on its own.
    or 2 of (
      strings.icontains(body.current_thread.text, 'About Box'),
      strings.icontains(body.current_thread.text, '900 Jefferson Ave'),
      strings.icontains(body.current_thread.text, 'Redwood City, CA 94063')
    )
  )
  // Negation 1: genuine Box senders. The From domain alone is spoofable, so the
  // sender is only trusted when the message also passes DMARC.
  // NOTE(review): liftoff.io is presumably a Box-affiliated sending vendor -
  // confirm before keeping it in the allow-list.
  and not (
    sender.email.domain.root_domain in ("box.com", "liftoff.io")
    and headers.auth_summary.dmarc.pass
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (equivalent to: not (high-trust domain AND DMARC pass); a high-trust domain
  // that fails DMARC stays in scope because its From header may be forged)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // not a forward or reply
  // NOTE(review): this only inspects threading headers, which are sender-supplied.
  // A message that sets both In-Reply-To and a non-empty References header is
  // excluded here, so a crafted phish could use that to suppress the rule - and
  // forwards are not actually detected by these headers. Treat as best-effort.
  and (headers.in_reply_to is null or length(headers.references) == 0)
  // negation for messages traversing box.com
  // happens with custom sender domains
  // NOTE(review): the SPF/DMARC checks below authenticate the sender's own
  // domain, not box.com. Whether a sender can place box.com into
  // headers.domains themselves depends on which headers populate that field -
  // confirm before relying on this as a hard exclusion.
  and not (
    any(headers.domains, .root_domain == "box.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )  

# Classification metadata used by the platform; does not affect matching.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; keep unchanged across revisions of this rule.
id: "03da310c-e0b3-50cf-89d7-750295578f7a"