Sublime Core Feed

Description

Detects abuse of Box's legitimate infrastructure for credential phishing attacks.

References

No references.

Sublime Security
Created Aug 13th, 2025 • Last updated Sep 4th, 2025
Source
type.inbound

// Legitimate Box sending infrastructure
and sender.email.domain.root_domain == "box.com"

// ML classification indicates credential theft with high confidence
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence == "high"
  )
  // Link analysis for credential phishing detection
  or any(filter(body.links,
                // target the box link
                (
                  .href_url.domain.domain == "app.box.com"
                )
        ),
        ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
        and ml.link_analysis(., mode="aggressive").credphish.confidence in (
          "medium",
          "high"
        )
  )
)

// Box file sharing patterns
and (
  strings.icontains(subject.subject, 'invited you to')
  or strings.icontains(subject.subject, 'shared')
  or strings.icontains(subject.subject, 'has sent you')
  or strings.icontains(body.current_thread.text, 'Go to File')
  or any(body.links, strings.icontains(.display_text, 'Go to File'))
)

// Suspicious document patterns or VIP impersonation
and (
  // Financial document patterns
  (
    regex.icontains(subject.subject,
                    '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
    )
    or regex.icontains(body.current_thread.text,
                      '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
    )
    or any(body.links,
          regex.icontains(.display_text,
                          '\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|settlement|billing|timesheet|hr)\b'
          )
    )
  )
  // Corporate document patterns
  or (
    regex.icontains(subject.subject,
                    '\b(urgent|important|confidential|secure|encrypted|document|file)\b'
    )
    and regex.icontains(subject.subject,
                        '\b(review|approval|signature|verification|validation)\b'
    )
  )
)
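The rule above is four top-level conditions AND-ed together: a genuine Box sending domain, a credential-theft signal (NLU intent or link analysis on app.box.com links), Box share wording, and document-themed keywords. The following Python is an added example, not the Sublime rule engine or any code from the page: it re-implements that boolean structure so the gating can be checked against constructed messages. The ML outputs (the `cred_theft`/`high` intent and the `credphish` disposition and confidence of link analysis) are not available offline, so they are supplied as fields on the constructed message; that, and the simplification of `body.current_thread.text` to a single body string, are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Keyword lists copied from the rule's regex.icontains() calls.
FINANCIAL_RE = re.compile(
    r"\b(fund|portfolio|agreement|contract|proposal|invoice|payment|wire|"
    r"settlement|billing|timesheet|hr)\b", re.IGNORECASE)
CORPORATE_RE = re.compile(
    r"\b(urgent|important|confidential|secure|encrypted|document|file)\b", re.IGNORECASE)
ACTION_RE = re.compile(
    r"\b(review|approval|signature|verification|validation)\b", re.IGNORECASE)


@dataclass
class Link:
    """One body link. The credphish_* fields are assumed stand-ins for what
    ml.link_analysis(., mode="aggressive").credphish would report."""
    domain: str
    display_text: str = ""
    credphish_disposition: str = "benign"
    credphish_confidence: str = "low"


@dataclass
class Message:
    """Constructed message. cred_theft_high is an assumed stand-in for the
    nlu_classifier reporting a 'cred_theft' intent with 'high' confidence."""
    sender_root_domain: str
    subject: str
    body_text: str
    links: list = field(default_factory=list)
    cred_theft_high: bool = False


def legit_box_sender(m: Message) -> bool:
    # sender.email.domain.root_domain == "box.com"
    return m.sender_root_domain == "box.com"


def credphish_signal(m: Message) -> bool:
    # NLU intent, OR link analysis restricted to links whose domain is app.box.com
    if m.cred_theft_high:
        return True
    return any(
        lk.credphish_disposition == "phishing" and lk.credphish_confidence in ("medium", "high")
        for lk in m.links if lk.domain == "app.box.com"
    )


def box_share_pattern(m: Message) -> bool:
    # strings.icontains() is a case-insensitive substring test
    subj = m.subject.lower()
    return (
        any(p in subj for p in ("invited you to", "shared", "has sent you"))
        or "go to file" in m.body_text.lower()
        or any("go to file" in lk.display_text.lower() for lk in m.links)
    )


def suspicious_doc_pattern(m: Message) -> bool:
    financial = (
        FINANCIAL_RE.search(m.subject)
        or FINANCIAL_RE.search(m.body_text)
        or any(FINANCIAL_RE.search(lk.display_text) for lk in m.links)
    )
    # Corporate pattern needs BOTH keyword groups in the subject
    corporate = CORPORATE_RE.search(m.subject) and ACTION_RE.search(m.subject)
    return bool(financial or corporate)


def rule_matches(m: Message) -> bool:
    # All four top-level conditions are AND-ed, exactly as in the rule.
    return (
        legit_box_sender(m)
        and credphish_signal(m)
        and box_share_pattern(m)
        and suspicious_doc_pattern(m)
    )


# Constructed samples (not real messages).
PHISH_LINK = Link("app.box.com", "Go to File", "phishing", "high")
SAMPLES = {
    # Genuine Box notification carrying a phishing link: all four conditions hold.
    "phish": Message("box.com", "Jane Doe invited you to review the invoice for payment",
                     "Jane Doe invited you to a file. Go to File", [PHISH_LINK]),
    # Ordinary share with finance wording but no credential-theft signal.
    "benign_share": Message("box.com", "Jane Doe shared the Q3 invoice with you",
                            "Go to File", [Link("app.box.com", "Go to File")]),
    # Same lure but not sent through Box: the root-domain gate fails.
    "spoofed_sender": Message("box-share.example", "Jane Doe invited you to review the invoice",
                              "Go to File", [PHISH_LINK]),
    # \b treats "_" as a word character, so "Invoice_Q3.pdf" does not hit the
    # financial keyword regex and the rule stays silent: a gap worth knowing about.
    "underscored_filename": Message("box.com", "Jane Doe invited you to Invoice_Q3.pdf",
                                    "Go to File", [PHISH_LINK]),
}


def evaluate_samples() -> dict:
    return {name: rule_matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} -> {'MATCH' if hit else 'no match'}")
```

Running it shows that only the first sample fires: the benign share is held back by the missing credential-theft signal, the spoofed sender by the root-domain gate, and the underscored filename by the `\b` word boundary, which does not fall between `Invoice` and `_`. That last case is the one to keep in mind when tuning the keyword regexes.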