EXPLORE
← Back to Explore
sublimehighRule

Attachment: Canva PDF with susupicious author metadata

Detects inbound messages containing PDF attachments that were created using Canva but have author metadata containing '@proton.me', indicating potential service abuse where legitimate design tools are being misused in conjunction with privacy-focused email services.

Detection Query

type.inbound
and any(filter(attachments, .file_type == "pdf"),
        strings.icontains(beta.parse_exif(.).author, '@proton.me')
        and beta.parse_exif(.).producer == 'Canva'
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: Canva PDF with susupicious author metadata"
description: "Detects inbound messages containing PDF attachments that were created using Canva but have author metadata containing '@proton.me', indicating potential service abuse where legitimate design tools are being misused in conjunction with privacy-focused email services."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          strings.icontains(beta.parse_exif(.).author, '@proton.me')
          and beta.parse_exif(.).producer == 'Canva'
  )
  
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "PDF"
detection_methods:
  - "Exif analysis"
  - "File analysis"
id: "12ec1122-d090-52d0-b1ac-3f135e45dbc7"