I think that is the crux here. Who is making the attack, is it looking for a specific network so that it can worm its way into internal servers or just a place to download child porn and let someone else take the fall? The attack depends upon the box being inconspicuous enough and buried deep enough in the slush pile to do its work and jimmy the virtual locks.
Which begs the question of who has a mail room, as smaller companies only take a few minutes to distribute packages. So that means attacking a business that has its own building in some industrial park at minimum. Most likely manufacturing.
And now the question is: why? What are you hoping to accomplish, once you’re in? Steal information from competitors? Find out what products they are planning, or steal their bid proposals to outbid them? Or just vandalise their files in the hopes of driving them into bankruptcy?
I am overthinking this. I keep forgetting that people can simply be assholes.
I would bet you could easily create a piece of marketing swag that looks like it comes from IBM, Oracle, Cisco, any of 1,000 smaller vendors. Snaplogic literally sent me a pair of socks a few years ago with some marketing material. Put it in a box, with an insert to hold the paper on top flat, sock (or other swag) in the center with raised areas on both sides of it, glue the insert into the box so it’s not likely to be removed. Put whatever you need underneath in the void space.
Mail the fake marketing item to someone based on LinkedIn that works in the correct area. Watch it sit for weeks before being thrown out.
The physical mail part of this hack is the easiest part. It’s barely a step up from leaving USB keys in the parking lot. Getting the payload to work right is the harder part.
I get that this seems like a new attack vector but, not really. Most of the time, it’s far easier to just sit outside a building of the company you are targeting, pick up their wifi from there and do your business. It’s not like wi-fi networks respect property boundaries or most physical security measures. The whole process of building a specialized device and shipping it seems like a waste for most use cases. I suppose it might help for some particularly well-protected datacenters, but even then, if there’s wifi inside, there’s almost certainly the same but somewhat weaker wifi signal available out in the parking lot.