Attachment: Canva PDF with suspicious author metadata

Detects inbound messages containing PDF attachments that were created using Canva but have author metadata containing '@proton.me', indicating potential service abuse where legitimate design tools are being misused in conjunction with privacy-focused email services.

Sublime rule

```yaml
name: "Attachment: Canva PDF with suspicious author metadata"
description: "Detects inbound messages containing PDF attachments that were created using Canva but have author metadata containing '@proton.me', indicating potential service abuse where legitimate design tools are being misused in conjunction with privacy-focused email services."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          strings.icontains(beta.parse_exif(.).author, '@proton.me')
          and beta.parse_exif(.).producer == 'Canva'
  )

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "PDF"
detection_methods:
  - "Exif analysis"
  - "File analysis"
id: "12ec1122-d090-52d0-b1ac-3f135e45dbc7"
```
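An offline approximation of the rule's condition for triaging PDF samples, added here as an example and not part of the Sublime rule or its engine. It assumes the Info dictionary is stored uncompressed and unencrypted; `pdf_info`, `matches_rule` and `sample` are hypothetical names, and the sample PDFs are constructed.

```python
import re

# /Author or /Producer followed by a literal string (...) or a hex string <...>.
_FIELD = re.compile(
    rb"/(Author|Producer)\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)"
)

def _decode(raw: bytes) -> str:
    """UTF-16BE when BOM-prefixed; otherwise decoded as Latin-1 (fine for ASCII)."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")

def pdf_info(data: bytes) -> dict:
    """Return the author/producer values found in uncompressed Info entries."""
    info = {}
    for m in _FIELD.finditer(data):
        if m.group(2) is not None:
            # Literal string: undo \( \) \\ escapes (octal escapes not handled).
            raw = re.sub(rb"\\([\\()])", rb"\1", m.group(2))
        else:
            digits = re.sub(rb"\s", b"", m.group(3)).decode()
            raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
        # A later match overwrites an earlier one, as with incremental updates.
        info[m.group(1).decode().lower()] = _decode(raw)
    return info

def matches_rule(data: bytes) -> bool:
    """Same condition as the rule: icontains on author, exact match on producer."""
    info = pdf_info(data)
    return ("@proton.me" in info.get("author", "").lower()
            and info.get("producer") == "Canva")

def sample(author: bytes, producer: bytes) -> bytes:
    """Constructed PDF fragment carrying only an Info dictionary."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Author " + author + b" /Producer "
            + producer + b" >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    hex_author = b"<FEFF" + "user@proton.me".encode("utf-16-be").hex().encode() + b">"
    for author, producer in [(b"(Jane.Doe@Proton.me)", b"(Canva)"),
                             (hex_author, b"(Canva)"),
                             (b"(designer@example.com)", b"(Canva)"),
                             (b"(x@proton.me)", b"(canva)")]:
        print(author[:24], producer, matches_rule(sample(author, producer)))
```

The case-insensitive author check and case-sensitive producer check mirror `strings.icontains` and `==` in the rule source, so a producer of `canva` does not match.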