← Back to Explore
sublimehighRule
Canva design with suspicious embedded link
Detects when a Canva design contains links to suspicious domains or credential harvesting sites. The rule examines embedded scripts within Canva documents for suspicious URLs and analyzes link text for malicious intent.
Detection Query
type.inbound
and any(body.links,
.href_url.domain.root_domain == "canva.com"
and strings.starts_with(.href_url.path, "/design/")
and any(html.xpath(ml.link_analysis(.).final_dom,
"/html/body/script[2]"
).nodes,
any(regex.iextract(.raw,
'\"[A-Z]\":{[^\}]+\"[a-z]\":\"(?P<display_text>[^\"]+)\"},\"[a-z]\":{[^\}]+"[a-z]":"(?<url>https:\/\/[^\s"'')\]}]+)\"'
),
strings.parse_url(.named_groups["url"]).domain.root_domain not in (
"canva.com",
"sentry.io",
"googleusercontent.com"
)
and (
any(ml.nlu_classifier(.named_groups['display_text']).intents,
.name == "cred_theft"
)
or strings.parse_url(.named_groups["url"]).domain.tld in $suspicious_tlds
or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
or ml.link_analysis(strings.parse_url(.named_groups["url"]
)
).credphish.disposition == "phishing"
)
)
// parse out links using file.explode
or any(file.explode(.),
any(filter(.scan.url.urls,
.domain.root_domain not in (
"canva.com",
"sentry.io",
"googleusercontent.com"
)
),
.domain.tld in $suspicious_tlds
or .domain.domain in $free_subdomain_hosts
or .domain.root_domain in $free_subdomain_hosts
or ml.link_analysis(.).credphish.disposition == "phishing"
)
)
)
)
and not profile.by_sender_email().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Canva design with suspicious embedded link"
description: "Detects when a Canva design contains links to suspicious domains or credential harvesting sites. The rule examines embedded scripts within Canva documents for suspicious URLs and analyzes link text for malicious intent."
type: "rule"
severity: "high"
source: |
type.inbound
and any(body.links,
.href_url.domain.root_domain == "canva.com"
and strings.starts_with(.href_url.path, "/design/")
and any(html.xpath(ml.link_analysis(.).final_dom,
"/html/body/script[2]"
).nodes,
any(regex.iextract(.raw,
'\"[A-Z]\":{[^\}]+\"[a-z]\":\"(?P<display_text>[^\"]+)\"},\"[a-z]\":{[^\}]+"[a-z]":"(?<url>https:\/\/[^\s"'')\]}]+)\"'
),
strings.parse_url(.named_groups["url"]).domain.root_domain not in (
"canva.com",
"sentry.io",
"googleusercontent.com"
)
and (
any(ml.nlu_classifier(.named_groups['display_text']).intents,
.name == "cred_theft"
)
or strings.parse_url(.named_groups["url"]).domain.tld in $suspicious_tlds
or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
or ml.link_analysis(strings.parse_url(.named_groups["url"]
)
).credphish.disposition == "phishing"
)
)
// parse out links using file.explode
or any(file.explode(.),
any(filter(.scan.url.urls,
.domain.root_domain not in (
"canva.com",
"sentry.io",
"googleusercontent.com"
)
),
.domain.tld in $suspicious_tlds
or .domain.domain in $free_subdomain_hosts
or .domain.root_domain in $free_subdomain_hosts
or ml.link_analysis(.).credphish.disposition == "phishing"
)
)
)
)
and not profile.by_sender_email().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
- "Free file host"
detection_methods:
- "HTML analysis"
- "URL analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "02959e22-1d87-5172-bb1c-9b8e3136c71c"