Canva design with suspicious embedded link

Detects when a Canva design contains links to suspicious domains or credential harvesting sites. The rule examines embedded scripts within Canva documents for suspicious URLs and analyzes link text for malicious intent.

Sublime rule (View on GitHub)

# Sublime Security detection rule (YAML metadata + MQL in `source`).
# Fires on inbound mail carrying a canva.com "/design/" link whose rendered
# page exposes a third-party URL that looks like credential phishing.
name: "Canva design with suspicious embedded link"
description: "Detects when a Canva design contains links to suspicious domains or credential harvesting sites. The rule examines embedded scripts within Canva documents for suspicious URLs and analyzes link text for malicious intent."
type: "rule"
severity: "high"
source: |
  // Inbound messages only.
  type.inbound
  // At least one body link must point at a Canva design page ...
  and any(body.links,
          .href_url.domain.root_domain == "canva.com"
          and strings.starts_with(.href_url.path, "/design/")
          // ... and the final DOM that ml.link_analysis returns for that link
          // must have a second <script> element directly under <body>.
          // Presumably that script carries the serialized design data --
          // confirm against a current Canva page, since a markup change
          // silently disables this whole branch.
          and any(html.xpath(ml.link_analysis(.).final_dom,
                             "/html/body/script[2]"
                  ).nodes,
                  // Pull (display_text, url) pairs out of the raw script text.
                  // NOTE(review): the pattern mixes (?P<...>) and (?<...>)
                  // named-group syntax -- confirm the regex engine accepts both.
                  any(regex.iextract(.raw,
                                     '\"[A-Z]\":{[^\}]+\"[a-z]\":\"(?P<display_text>[^\"]+)\"},\"[a-z]\":{[^\}]+"[a-z]":"(?<url>https:\/\/[^\s"'')\]}]+)\"'
                      ),
                      // Drop URLs that Canva pages reference as a matter of course.
                      strings.parse_url(.named_groups["url"]).domain.root_domain not in (
                        "canva.com",
                        "sentry.io",
                        "googleusercontent.com"
                      )
                      // Any one of the following is enough to flag the extracted link.
                      and (
                        // The link's display text reads like a credential lure.
                        // NOTE(review): no confidence threshold is applied to the
                        // intent -- confirm low-confidence hits are acceptable here.
                        any(ml.nlu_classifier(.named_groups['display_text']).intents,
                            .name == "cred_theft"
                        )
                        // Destination sits on a suspicious TLD ...
                        or strings.parse_url(.named_groups["url"]).domain.tld in $suspicious_tlds
                        // ... or on a free subdomain host, tested at both the
                        // domain and the root-domain level ...
                        or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
                        or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
                        // ... or the credphish model labels the destination as phishing.
                        or ml.link_analysis(strings.parse_url(.named_groups["url"]
                                            )
                        ).credphish.disposition == "phishing"
                      )
                  )
                  // parse out links using file.explode
                  // Fallback path: explode the same <script> node and scan the
                  // URLs the exploder reports. Note that "." here is the xpath
                  // node selected above, not the message link -- confirm
                  // file.explode accepts that input type.
                  or any(file.explode(.),
                         // Same allowlist as the regex path.
                         any(filter(.scan.url.urls,
                                    .domain.root_domain not in (
                                      "canva.com",
                                      "sentry.io",
                                      "googleusercontent.com"
                                    )
                             ),
                             // Same TLD / free-host / credphish tests as above;
                             // the NLU intent check is not applied on this path.
                             .domain.tld in $suspicious_tlds
                             or .domain.domain in $free_subdomain_hosts
                             or .domain.root_domain in $free_subdomain_hosts
                             or ml.link_analysis(.).credphish.disposition == "phishing"
                         )
                  )
          )
  )
  // Suppress when the sender already has benign message history.
  and not profile.by_sender_email().any_messages_benign  

# Classification metadata.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
  - "Free file host"
detection_methods:
  - "HTML analysis"
  - "URL analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "02959e22-1d87-5172-bb1c-9b8e3136c71c"