Canva Design With Suspicious Embedded Link

Detects when a Canva design contains links to suspicious domains or credential harvesting sites. The rule examines embedded scripts within Canva documents for suspicious URLs and analyzes link text for malicious intent.

Sublime rule (View on GitHub)

 1name: "Canva Design With Suspicious Embedded Link"
 2description: "Detects when a Canva design contains links to suspicious domains or credential harvesting sites. The rule examines embedded scripts within Canva documents for suspicious URLs and analyzes link text for malicious intent."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(body.links,
 8          .href_url.domain.root_domain == "canva.com"
 9          and strings.starts_with(.href_url.path, "/design/")
10          and any(html.xpath(ml.link_analysis(.).final_dom,
11                                  "/html/body/script[2]"
12                  ).nodes,
13                  any(regex.iextract(.raw,
14                                     '\"[A-Z]\":{[^\}]+\"[a-z]\":\"(?P<display_text>[^\"]+)\"},\"[a-z]\":{[^\}]+"[a-z]":"(?<url>https:\/\/[^\s"'')\]}]+)\"'
15                      ),
16                      strings.parse_url(.named_groups["url"]).domain.root_domain not in (
17                        "canva.com",
18                        "sentry.io"
19                      )
20                      and (
21                        any(ml.nlu_classifier(.named_groups['display_text']).intents,
22                            .name == "cred_theft"
23                        )
24                        or strings.parse_url(.named_groups["url"]).domain.tld in $suspicious_tlds
25                        or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
26                        or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
27                        or ml.link_analysis(strings.parse_url(.named_groups["url"])).credphish.disposition == "phishing"
28                      )
29                  )
30          )
31  )
32  and not profile.by_sender_email().any_messages_benign  
33
34attack_types:
35  - "Credential Phishing"
36tactics_and_techniques:
37  - "Evasion"
38  - "Social engineering"
39  - "Free file host"
40detection_methods:
41  - "HTML analysis"
42  - "URL analysis"
43  - "Natural Language Understanding"
44  - "Sender analysis"
45id: "02959e22-1d87-5172-bb1c-9b8e3136c71c"