Canva Infrastructure Abuse
A fraudulent invoice/receipt found in the body of the message sent by exploiting Canva's design sharing feature.
# Sublime Security detection rule (YAML metadata; the `source` block scalar is MQL).
# Targets Canva design-share notifications whose shared "design" is a fake
# invoice/receipt carrying a phone number for the victim to call back.
name: "Canva Infrastructure Abuse"
description: "A fraudulent invoice/receipt found in the body of the message sent by exploiting Canva's design sharing feature."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail with exactly one attachment, whose sender root domain is
  // canva.com and whose rendered body reads like a Canva share notification.
  type.inbound
  and length(attachments) == 1
  and sender.email.domain.root_domain in ("canva.com")
  and strings.ilike(body.html.display_text, "*take a look at the design*")
  and (
    (
      // icontains a phone number
      // Every pattern below runs on the current thread text after confusable
      // characters have been normalised. The [ilo0-9] class also accepts the
      // letters i, l and o (presumably lookalikes for 1/0 that survive the
      // normalisation). The trailing \n requires the match to end at a line end.
      (
        // generic shape: optional '+', optional one-digit country code, optional
        // parenthesised area code, then 3 + 4 digits with any single separator
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n'
        )
        or // +12028001238 ('+', 1-3 country digits, 10 digits)
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n'
        )
        or // 202.800.1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
        )
        or // 202-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or // (202) 800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or // (202)-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or ( // 8123456789
          // an '8' followed by nine digits is only counted when a '+1' (or the
          // lookalike '+l') also appears somewhere in the thread
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '.*8[ilo0-9]{9}.*\n'
          )
          and regex.icontains(strings.replace_confusables(body.current_thread.text
                              ),
                              '\+[1l]'
          )
        )
      )
    )
    and (
      (
        // At least four of these phrasings must occur in the body text. Several
        // are short substrings ('*order*', '*call*', '*support*', '*cancel*',
        // '*renew*', '*transfer*') that also match ordinary words, so the
        // threshold of 4 is what keeps this branch selective.
        4 of (
          strings.ilike(body.html.inner_text, '*you did not*'),
          strings.ilike(body.html.inner_text, '*is not for*'),
          strings.ilike(body.html.inner_text, '*done by you*'),
          regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
          strings.ilike(body.html.inner_text, '*Fruad Alert*'), // misspelling appears intentional; correct form follows
          strings.ilike(body.html.inner_text, '*Fraud Alert*'),
          strings.ilike(body.html.inner_text, '*fraudulent*'),
          strings.ilike(body.html.inner_text, '*using your PayPal*'),
          strings.ilike(body.html.inner_text, '*subscription*'),
          strings.ilike(body.html.inner_text, '*antivirus*'),
          strings.ilike(body.html.inner_text, '*order*'),
          strings.ilike(body.html.inner_text, '*support*'),
          strings.ilike(body.html.inner_text, '*sincerely apologize*'),
          strings.ilike(body.html.inner_text, '*receipt*'),
          strings.ilike(body.html.inner_text, '*invoice*'),
          strings.ilike(body.html.inner_text, '*Purchase*'),
          strings.ilike(body.html.inner_text, '*transaction*'),
          strings.ilike(body.html.inner_text, '*Market*Value*'),
          strings.ilike(body.html.inner_text, '*BTC*'),
          strings.ilike(body.html.inner_text, '*call*'),
          strings.ilike(body.html.inner_text, '*get in touch with our*'),
          strings.ilike(body.html.inner_text, '*quickly inform*'),
          strings.ilike(body.html.inner_text, '*quickly reach *'),
          strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
          strings.ilike(body.html.inner_text, '*without your authorization*'),
          strings.ilike(body.html.inner_text, '*cancel*'),
          strings.ilike(body.html.inner_text, '*renew*'),
          strings.ilike(body.html.inner_text, '*refund*'),
          strings.ilike(body.html.inner_text, '*+1*'),
          regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
          strings.ilike(body.html.inner_text, '* your funds*'),
          strings.ilike(body.html.inner_text, '* your checking*'),
          strings.ilike(body.html.inner_text, '* your saving*'),
          strings.ilike(body.html.inner_text, '*transfer*'),
          strings.ilike(body.html.inner_text, '*secure your account*'),
          strings.ilike(body.html.inner_text, '*recover your*'),
          strings.ilike(body.html.inner_text, '*unusual activity*'),
          strings.ilike(body.html.inner_text, '*suspicious transaction*'),
          strings.ilike(body.html.inner_text, '*transaction history*'),
          strings.ilike(body.html.inner_text, '*please ignore this*'),
          strings.ilike(body.html.inner_text, '*report activity*'),
        )
      )
      // a "note from ..." line followed within 50 characters by a call-to-action
      or regex.icontains(body.current_thread.text,
                         'note from.{0,50}(?:call|reach|contact|paypal)'
      )
      // the NLU classifier labelled the thread with a callback_scam intent
      or any(ml.nlu_classifier(body.current_thread.text).intents,
             .name == "callback_scam"
      )
      or (
        // Unicode confusables words obfuscated in note
        // NOTE(review): this alternation appears mis-encoded in this copy
        // (Thai-range code points). Upstream it presumably spells +1 / payment /
        // help desk / refund / antivirus / call / cancel in lookalike glyphs —
        // verify against the repository before editing it.
        regex.icontains(body.html.inner_text,
                        '\+๐ญ|๐ฝ๐ฎ๐๐บ๐ฒ๐ป๐|๐๐ฒ๐น๐ฝ ๐๐ฒ๐๐ธ|๐ฟ๐ฒ๐ณ๐๐ป๐ฑ|๐ฎ๐ป๐๐ถ๐๐ถ๐ฟ๐๐|๐ฐ๐ฎ๐น๐น|๐ฐ๐ฎ๐ป๐ฐ๐ฒ๐น'
        )
      )
      or strings.ilike(body.html.inner_text, '*kindly*')
    )
  )

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Impersonation: Brand"
  - "Impersonation: Employee"
  # NOTE(review): the query above restricts the sender to canva.com; confirm
  # "Free email provider" is the intended tag for this rule.
  - "Free email provider"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Content analysis"
id: "b69fdb5c-e0c2-5c77-9280-2e473500b915"