context safety score
A score of 53/100 indicates minor risk signals were detected. The entity may be legitimate but has characteristics that warrant attention.
phishing
Page impersonates Microsoft Office 365 login with credential form
phishing
Page impersonates Google sign-in with credential form
credential harvesting
The page at eel-jp.box.com presents a login form that POSTs credentials to /login on the subdomain eel-jp.box.com. The subdomain 'eel-jp' is atypical for Box's legitimate login infrastructure (which uses account.box.com or app.box.com). The form collects email address and password under the Box brand, making this a potential credential harvesting page targeting Box users. (location: page.html:273 — <form id="login-form" method="POST" action="/login?redirect_url=%2F">)
brand impersonation
The page fully replicates Box.com's login UI including Box SVG logo, Box color scheme (#0061D5), Box CDN assets (cdn01.boxcdn.net), and Box copyright (©2026 Box). The domain eel-jp.box.com uses an anomalous subdomain pattern inconsistent with Box's standard login domains, raising the possibility this is a subdomain-takeover or misconfigured tenant being used to impersonate Box's login page to harvest credentials. (location: page.html:1-312 — full page branding, header logo, CSS, CDN asset references)
phishing
The combination of Box brand impersonation on a suspicious subdomain (eel-jp.box.com), a credential collection form, and a 'Sign In to Your Account' prompt constitutes a classic phishing pattern. Users directed to this URL may believe they are on Box's legitimate login portal and submit their credentials. (location: page-text.txt:185 — 'Sign In to Your Account ... Email Address ... Next')
credential harvesting
The HTML contains a honeypot/anti-automation field named '_pw_sql' (type text, display:none) alongside a hidden dummy-password field (type password, class hidden). While these can be legitimate bot-trap techniques, on a suspicious subdomain they may also be used to capture additional input or fingerprint automated form-filling agents. (location: page.html:274 — <input type="text" style="display: none" name="_pw_sql"><input type="password" class="hidden" name="dummy-password">)
malicious redirect
The login form action includes redirect_url=/ and the page sets a redirect_url hidden input. The pre-scan context reported 3 redirects in the chain leading to this page. Chained redirects combined with a redirect_url parameter on a suspicious subdomain could be used to forward users to a malicious destination after credential submission. (location: page.html:273 — action="/login?redirect_url=%2F" and hidden input name="redirect_url" value="/")
curl https://api.brin.sh/domain/eel-jp.box.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
eel-jp.box.com currently scores 53/100 with a caution verdict and medium confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.