Admins are often an attractive target for bad actors, because a compromised admin account brings greater potential access. To help mitigate this risk, Box will be releasing new zero-trust security enhancements aimed at hardening Box Admins against attack.
We will be adding new restrictions and notifications around the addition of new admins, to help prevent bad actors from leveraging a compromised account and causing further damage by adding themselves as a new, fully permissioned admin account. These enhancements include:
When adding a secondary email address to an admin account, the verification email will be sent to the primary account, rather than the newly added secondary account.
Admins will no longer be able to change an existing email address to one at a public or unverified domain (such as Gmail or Yahoo).
We are also improving the process of upgrading existing users to Admins. A verification email will be sent to the primary admin before admin privileges are transferred.