Canva infrastructure abuse
A fraudulent invoice/receipt found in the body of the message sent by exploiting Canva's design sharing feature.
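name: "Canva infrastructure abuse"
description: "A fraudulent invoice/receipt found in the body of the message sent by exploiting Canva's design sharing feature."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) <= 1
  and sender.email.domain.root_domain in ("canva.com")
  // wording of a genuine Canva design-share notification
  and (
    strings.ilike(body.html.display_text, "*take a look at the design*")
    or regex.icontains(body.current_thread.text, 'invited.{0,10}(?:class|school)')
    or strings.icontains(body.current_thread.text, "no longer have access")
  )
  and (
    (
      // icontains a phone number
      // digits are matched as [ilo0-9] after replace_confusables so i/l/o stand-ins
      // for 1/1/0 still count; every pattern below requires a line break after the number
      (
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n'
        )
        or // +12028001238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n'
        )
        or // 202.800.1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
        )
        or // 202-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or // (202) 800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n'
        )
        or // (202)-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or ( // 8123456789 — a bare 8xxxxxxxxx run only counts when a +1 prefix appears elsewhere
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '.*8[ilo0-9]{9}.*\n'
          )
          and regex.icontains(strings.replace_confusables(body.current_thread.text),
                              '\+[1l]'
          )
        )
      )
    )
    and (
      (
        // callback-scam vocabulary: at least 4 distinct phrases must be present
        // ("Fruad Alert" is kept alongside "Fraud Alert" — presumably a deliberate
        // misspelling seen in the wild; confirm before removing)
        4 of (
          strings.ilike(body.html.inner_text, '*you did not*'),
          strings.ilike(body.html.inner_text, '*is not for*'),
          strings.ilike(body.html.inner_text, '*done by you*'),
          regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
          strings.ilike(body.html.inner_text, '*Fruad Alert*'),
          strings.ilike(body.html.inner_text, '*Fraud Alert*'),
          strings.ilike(body.html.inner_text, '*fraudulent*'),
          strings.ilike(body.html.inner_text, '*using your PayPal*'),
          strings.ilike(body.html.inner_text, '*subscription*'),
          strings.ilike(body.html.inner_text, '*antivirus*'),
          strings.ilike(body.html.inner_text, '*order*'),
          strings.ilike(body.html.inner_text, '*support*'),
          strings.ilike(body.html.inner_text, '*sincerely apologize*'),
          strings.ilike(body.html.inner_text, '*receipt*'),
          strings.ilike(body.html.inner_text, '*invoice*'),
          strings.ilike(body.html.inner_text, '*Purchase*'),
          strings.ilike(body.html.inner_text, '*transaction*'),
          strings.ilike(body.html.inner_text, '*Market*Value*'),
          strings.ilike(body.html.inner_text, '*BTC*'),
          strings.ilike(body.html.inner_text, '*call*'),
          strings.ilike(body.html.inner_text, '*get in touch with our*'),
          strings.ilike(body.html.inner_text, '*quickly inform*'),
          strings.ilike(body.html.inner_text, '*quickly reach *'),
          strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
          strings.ilike(body.html.inner_text, '*without your authorization*'),
          strings.ilike(body.html.inner_text, '*cancel*'),
          strings.ilike(body.html.inner_text, '*renew*'),
          strings.ilike(body.html.inner_text, '*refund*'),
          strings.ilike(body.html.inner_text, '*+1*'),
          regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
          strings.ilike(body.html.inner_text, '* your funds*'),
          strings.ilike(body.html.inner_text, '* your checking*'),
          strings.ilike(body.html.inner_text, '* your saving*'),
          strings.ilike(body.html.inner_text, '*transfer*'),
          strings.ilike(body.html.inner_text, '*secure your account*'),
          strings.ilike(body.html.inner_text, '*recover your*'),
          strings.ilike(body.html.inner_text, '*unusual activity*'),
          strings.ilike(body.html.inner_text, '*suspicious transaction*'),
          strings.ilike(body.html.inner_text, '*transaction history*'),
          strings.ilike(body.html.inner_text, '*please ignore this*'),
          strings.ilike(body.html.inner_text, '*report activity*'),
        )
      )
      or regex.icontains(body.current_thread.text,
                         'note from.{0,50}(?:call|reach|contact|paypal)'
      )
      or any(ml.nlu_classifier(body.current_thread.text).intents,
             .name == "callback_scam"
      )
      or (
        // Unicode confusables words obfuscated in note
        // (+1, payment, Help Desk, refund, antivirus, call, cancel written in
        // Mathematical Sans-Serif Bold letters so the plain-text checks above miss them)
        // NOTE(review): these characters were reconstructed from a mis-encoded
        // (UTF-8 read as TIS-620) rendering of this rule — confirm against upstream
        regex.icontains(body.html.inner_text,
                        '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
        )
      )
      or strings.ilike(body.html.inner_text, '*kindly*')
    )
  )

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Impersonation: Brand"
  - "Impersonation: Employee"
  # NOTE(review): the sender is pinned to canva.com above, so this tag presumably
  # refers to contact details inside the shared note rather than the sender — confirm
  - "Free email provider"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Content analysis"
id: "b69fdb5c-e0c2-5c77-9280-2e473500b915"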