Sublime Core Feed

Description

Detects messages impersonating the Box file sharing service. A message matches when a Box logo is detected in the rendered message together with collaboration language in the body or subject (for example "invited you to collaborate" or "items were deleted"), or when at least two of the three Box footer strings (About Box, 900 Jefferson Ave, Redwood City, CA 94063) appear in the body. Messages from box.com or liftoff.io that pass DMARC, messages from high-trust sender domains that pass DMARC, replies and forwards, and messages relayed through box.com (custom sender domains) that pass both SPF and DMARC are excluded.

References

No references.

Sublime Security
Created Sep 23rd, 2025 • Last updated Sep 23rd, 2025
Source
type.inbound
and (
  (
    any(ml.logo_detect(file.message_screenshot()).brands, .name == "Box")
    and any([body.current_thread.text, subject.subject],
            regex.icontains(.,
                            'invited you to.{0,10}(?:view|edit|work together|collaborate)',
                            'items were (?:deleted|added)'
            )
    )
  )
  // Box address from footer
  or 2 of (
    strings.icontains(body.current_thread.text, 'About Box'),
    strings.icontains(body.current_thread.text, '900 Jefferson Ave'),
    strings.icontains(body.current_thread.text, 'Redwood City, CA 94063')
  )
)
and not (
  sender.email.domain.root_domain in ("box.com", "liftoff.io")
  and headers.auth_summary.dmarc.pass
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// not a forward or reply
and (headers.in_reply_to is null or length(headers.references) == 0)
// negate messages relayed through box.com infrastructure that pass SPF and DMARC;
// this happens with Box's custom sender domains
and not (
  any(headers.domains, .root_domain == "box.com")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)
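The following Python is an added illustration of the rule's logic, not Sublime's code and not part of the original rule page. It re-implements each clause of the MQL above over constructed EML samples so the exclusions can be exercised offline. Assumptions: ml.logo_detect is replaced by a caller-supplied flag; headers.domains is approximated from the hostnames in Received headers; $high_trust_sender_root_domains is a hypothetical two-entry set; root_domain is a naive last-two-labels split rather than a public-suffix lookup; SPF and DMARC verdicts are parsed from an Authentication-Results header that the samples carry.

```python
import email
import email.utils
import re
from email import policy

# Signals mirrored from the MQL rule: collaboration language and the Box footer address.
COLLAB_RE = re.compile(
    r"invited you to.{0,10}(?:view|edit|work together|collaborate)"
    r"|items were (?:deleted|added)",
    re.IGNORECASE,
)
FOOTER_STRINGS = ("about box", "900 jefferson ave", "redwood city, ca 94063")
LEGIT_SENDER_ROOTS = {"box.com", "liftoff.io"}
# Hypothetical stand-in for Sublime's $high_trust_sender_root_domains list.
HIGH_TRUST_ROOTS = {"microsoft.com", "google.com"}


def root_domain(host: str) -> str:
    """Naive registrable domain (last two labels); real code should use a public-suffix list."""
    return ".".join(host.lower().strip().split(".")[-2:])


def auth_results(msg) -> tuple:
    """(spf_pass, dmarc_pass) parsed from Authentication-Results headers."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)", text)
    dmarc = re.search(r"\bdmarc=(\w+)", text)
    return (bool(spf and spf.group(1).lower() == "pass"),
            bool(dmarc and dmarc.group(1).lower() == "pass"))


def received_root_domains(msg) -> set:
    """Root domains of hosts named in Received headers (approximates headers.domains)."""
    found = set()
    for hdr in msg.get_all("Received", []):
        for m in re.finditer(r"\b(?:from|by)\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})", hdr):
            found.add(root_domain(m.group(1)))
    return found


def is_box_impersonation(raw_eml: str, box_logo_detected: bool) -> bool:
    """True when the message would fire the rule; box_logo_detected stands in for ml.logo_detect."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    subject = str(msg.get("Subject", ""))
    sender_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    sender_root = root_domain(sender_addr.rpartition("@")[2])
    spf_pass, dmarc_pass = auth_results(msg)

    # Positive signals: Box logo plus collaboration language, or 2 of 3 footer strings.
    logo_and_language = box_logo_detected and any(COLLAB_RE.search(t) for t in (body, subject))
    footer_hits = sum(s in body.lower() for s in FOOTER_STRINGS)
    if not (logo_and_language or footer_hits >= 2):
        return False
    # Legitimate Box/Liftoff senders are excluded only when DMARC passes.
    if sender_root in LEGIT_SENDER_ROOTS and dmarc_pass:
        return False
    # High-trust senders are excluded unless they fail DMARC.
    if sender_root in HIGH_TRUST_ROOTS and dmarc_pass:
        return False
    # Replies and forwards (In-Reply-To set and a non-empty References) are excluded.
    if msg.get("In-Reply-To") is not None and msg.get_all("References"):
        return False
    # Custom sender domains relayed through box.com with SPF and DMARC passing are excluded.
    if "box.com" in received_root_domains(msg) and spf_pass and dmarc_pass:
        return False
    return True


def _eml(headers, body):
    return "\n".join(headers) + "\n\n" + body


FOOTER = "About Box | 900 Jefferson Ave, Redwood City, CA 94063"
AUTH_OK = "Authentication-Results: mx.example.net; spf=pass; dmarc=pass"
AUTH_BAD = "Authentication-Results: mx.example.net; spf=fail; dmarc=fail"

# Constructed samples, not real messages: name -> (raw EML, logo-detected flag).
SAMPLES = {
    "lookalike": (_eml(["From: Box <share@box-notify-files.com>",
                        "Subject: Alex invited you to collaborate on Q3 Plan", AUTH_OK,
                        "Received: from mail.box-notify-files.com by mx.example.net"],
                       "Alex invited you to collaborate on the folder Q3 Plan."), True),
    "legit_box": (_eml(["From: Box <noreply@box.com>", "Subject: Alex invited you to view Q3 Plan",
                        AUTH_OK, "Received: from mail.box.com by mx.example.net"],
                       "Alex invited you to view Q3 Plan.\n" + FOOTER), True),
    "spoofed_box": (_eml(["From: Box <noreply@box.com>", "Subject: Shared file", AUTH_BAD,
                          "Received: from mail.bulk-sender.net by mx.example.net"],
                         "Maria invited you to view Invoices."), True),
    "custom_domain_via_box": (_eml(["From: notifications@acme-corp.com", "Subject: Shared folder",
                                    AUTH_OK, "Received: from mail.box.com by mx.example.net"],
                                   "Jordan invited you to edit Contracts.\n" + FOOTER), True),
    "reply_thread": (_eml(["From: colleague@contoso.org", "Subject: Re: Shared folder",
                           "In-Reply-To: <1@box.com>", "References: <1@box.com>", AUTH_OK],
                          "Thanks!\n> " + FOOTER), False),
    "high_trust_dmarc_fail": (_eml(["From: alerts@microsoft.com",
                                    "Subject: 2 items were deleted from your folder", AUTH_BAD],
                                   "Open Box to review the change."), True),
}


def classify_samples() -> dict:
    """Verdict per constructed sample; lookalike, spoofed_box and high_trust_dmarc_fail fire."""
    return {name: is_box_impersonation(raw, logo) for name, (raw, logo) in SAMPLES.items()}
```

Two caveats when reading the samples. First, the lookalike domain fires even though it passes DMARC, which is the point of the rule: DMARC only proves the sender controls the domain in the From header, not that the domain is Box. Second, this approximation trusts whatever Authentication-Results header is in the file; in production the verdicts must come from the receiving MTA (or Sublime's own evaluation), because a sender can add a forged Authentication-Results header that an MTA which does not strip inbound copies would pass through.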