Brand impersonation: Figma with malicious document access overlay

 1name: "Brand impersonation: Figma with malicious document access overlay"
 2description: |
 3    "Detects malicious Figma design shares containing brand impersonation or credential phishing content. The rule identifies legitimate Figma share notifications where the embedded thumbnail preview contains "access document" text when OCR'd. Attackers create phishing designs (impersonating Microsoft, DocuSign, or other brands) within Figma, then share them via Figma's legitimate infrastructure to bypass sender reputation checks. The malicious content is rendered in the Figma-hosted thumbnail image itself."
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and sender.email.email == "no-reply@email.figma.com"
 9  and strings.icontains(subject.base, "proposal")
10  and length(html.xpath(body.html,
11                        "//img[contains(@src, 'https://api-cdn.figma.com/resize/thumbnails')]"
12             ).nodes
13  ) == 1
14  //
15  // This rule makes use of a beta feature and is subject to change without notice
16  // using the beta feature in custom rules is not suggested until it has been formally released
17  //
18  and strings.icontains(beta.ocr(file.message_screenshot()).text,
19                        'access document'
20  )  
21attack_types:
22  - "Credential Phishing"
23tactics_and_techniques:
24  - "Impersonation: Brand"
25  - "Social engineering"
26  - "Image as content"
27detection_methods:
28  - "Sender analysis"
29  - "HTML analysis"
30  - "URL screenshot"
31  - "Optical Character Recognition"
32  - "URL analysis"
33id: "fcc7be2c-d4ca-5b66-8e45-c2b5d56ee312"