Brand impersonation: Box file sharing service

Detects messages impersonating Box file sharing service by identifying Box logos, collaboration-related language, or Box company address information from senders not associated with the legitimate box.com domain.

Sublime rule

 1name: "Brand impersonation: Box file sharing service"
 2description: "Detects messages impersonating Box file sharing service by identifying Box logos, collaboration-related language, or Box company address information from senders not associated with the legitimate box.com domain."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    (
 9      any(ml.logo_detect(file.message_screenshot()).brands, .name == "Box")
10      and any([body.current_thread.text, subject.subject],
11              regex.icontains(.,
12                              'invited you to.{0,10}(?:view|edit|work together|collaborate)',
13                              'items were (?:deleted|added)'
14              )
15      )
16    )
17    // Box address from footer
18    or 2 of (
19      strings.icontains(body.current_thread.text, 'About Box'),
20      strings.icontains(body.current_thread.text, '900 Jefferson Ave'),
21      strings.icontains(body.current_thread.text, 'Redwood City, CA 94063')
22    )
23    or strings.icontains(body.current_thread.text,
24                         "who is using SignRequest.com, an electronic signature tool"
25    )
26    or strings.icontains(body.current_thread.text, "sent by SignRequest BV")
27  )
28  and not (
29    sender.email.domain.root_domain in (
30      "box.com",
31      "liftoff.io",
32      "signrequest.com"
33    )
34    and coalesce(headers.auth_summary.dmarc.pass, false)
35  )
36  // negate highly trusted sender domains unless they fail DMARC authentication
37  and not (
38    sender.email.domain.root_domain in $high_trust_sender_root_domains
39    and coalesce(headers.auth_summary.dmarc.pass, false)
40  )
41  // not a forward or reply
42  and (headers.in_reply_to is null or length(headers.references) == 0)
43  // negation for messages traversing box.com
44  // happens with custom sender domains
45  and not (
46    any(headers.domains, .root_domain == "box.com")
47    and headers.auth_summary.spf.pass
48    and headers.auth_summary.dmarc.pass
49  )  
50
51attack_types:
52  - "Credential Phishing"
53tactics_and_techniques:
54  - "Impersonation: Brand"
55  - "Social engineering"
56detection_methods:
57  - "Computer Vision"
58  - "Content analysis"
59  - "Header analysis"
60  - "Sender analysis"
61id: "03da310c-e0b3-50cf-89d7-750295578f7a"