Service Abuse: Box File Sharing with Credential Phishing Intent

Sublime Rules

Summary
This detection rule aims to identify credential phishing attacks that leverage Box's legitimate file-sharing infrastructure. It looks for emails that appear to be sent from Box's domain, particularly those whose content a machine learning classifier has flagged as credential theft with high confidence. The rule analyzes the textual components of the email, the subject line and body, for phrases commonly used in Box invitations and file-sharing notifications. It also examines links in the email for phishing sites disguised as legitimate Box links, using aggressive link analysis to assess their risk. The rule highlights patterns associated with financial and corporate documents, which are frequent lures in phishing campaigns, and includes checks for impersonation of employees or VIPs within the organization, broadening its coverage of evasion techniques and social engineering.
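A simplified, runnable illustration of the detection logic the summary describes, added here as an example and not Sublime's rule or its MQL. The invitation phrases, financial-document words, the 0.9 "high confidence" threshold, the cred_theft_score field standing in for the classifier output, and the two sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

BOX_DOMAIN = "box.com"                              # legitimate sender and link domain
INVITE_PHRASES = ("shared a file with you", "invited you to", "view file",
                  "shared the folder")              # constructed Box invitation wording
DOC_WORDS = re.compile(r"\b(invoice|payment|wire|statement|contract|payroll)\b", re.I)
CRED_THEFT_THRESHOLD = 0.9                          # assumed "high confidence" score

def is_box_domain(host: str) -> bool:
    """True only for box.com or a real subdomain; 'box.com.evil.example' is not."""
    host = host.lower()
    return host == BOX_DOMAIN or host.endswith("." + BOX_DOMAIN)

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def offbox_links(urls):
    """Links whose host is not Box: candidate phishing pages dressed up as Box links."""
    return [u for u in urls if not is_box_domain(urlparse(u).hostname or "")]

def evaluate(msg: dict) -> dict:
    text = (msg["subject"] + " " + msg["body"]).lower()
    reasons = []
    if is_box_domain(sender_domain(msg["sender"])) and any(p in text for p in INVITE_PHRASES):
        reasons.append("box_invite_pattern")
    bad = offbox_links(msg["links"])
    if bad:
        reasons.append("non_box_link")
    if msg.get("cred_theft_score", 0.0) >= CRED_THEFT_THRESHOLD:   # stand-in for the ML classifier
        reasons.append("ml_credential_theft_high")
    if DOC_WORDS.search(text):
        reasons.append("financial_document_lure")
    # Alert only when the Box invitation pattern is paired with a risk signal,
    # so ordinary Box share notifications are not flagged on their own.
    flagged = "box_invite_pattern" in reasons and (bad or "ml_credential_theft_high" in reasons)
    return {"flagged": bool(flagged), "reasons": reasons, "suspicious_links": bad}

# Constructed sample messages: a lookalike-link lure and a benign share notification.
SAMPLES = [
    {"sender": "noreply@box.com",
     "subject": "Finance shared 'Q3 Invoice.pdf' with you",
     "body": "Someone shared a file with you. View file: https://box.com.secure-docs.example/login",
     "links": ["https://box.com.secure-docs.example/login"], "cred_theft_score": 0.95},
    {"sender": "noreply@box.com",
     "subject": "Alice shared 'team-offsite.jpg' with you",
     "body": "View file: https://app.box.com/s/abc123",
     "links": ["https://app.box.com/s/abc123"], "cred_theft_score": 0.1},
]
```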
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2025-08-14