Admins are an attractive target for attackers: compromising an admin account yields far broader access than compromising a regular user. To help mitigate this risk, Box has released new zero-trust security enhancements aimed at hardening Box Admins against attack.
We have added new restrictions and notifications around the addition of new admins, to prevent an attacker who has compromised an admin account from entrenching themselves by creating a new, fully permissioned admin account. These enhancements include:
- When a secondary email address is added to an admin account, the verification email is sent to the existing primary address rather than to the newly added secondary address, so the change cannot be confirmed from a mailbox the attacker controls.
- Admins can no longer change an existing email address to one on a public or unverified domain (such as gmail.com or yahoo.com).
- The process of upgrading existing users to Admins has been improved: a verification email is sent to the primary admin before admin privileges are granted.