Link: Figma design deck with credential theft language

A single link to a Figma design deck, meaning a figma.com URL whose path starts with /deck, or with /design and carries query parameters, where the rendered page (screenshot, OCR, then NLU classification) shows credential theft intent or an E-Signature or Secure Message theme. The message must come from a sender who is new or an outlier and unsolicited, who has previously sent malicious or spam messages, who has had no contact for over 30 days, or whose individual address was first seen fewer than 3 days ago; in every case the sender must have no history of benign messages.

Sublime rule

name: "Link: Figma design deck with credential theft language"
description: "A single link to a Figma design deck that contains credential theft language. The message comes from either a new sender, one with previously detected malicious activity, or a known sender who has not been in contact for over 30 days and has no history of benign messages."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // only one link to Figma
  and length(distinct(filter(body.links,
                             .href_url.domain.root_domain in ("figma.com")
                             and (
                               strings.istarts_with(.href_url.path, "/deck")
                               or (
                                 strings.istarts_with(.href_url.path, "/design")
                                 and .href_url.query_params is not null
                               )
                             )
                      ),
                      .href_url.url
             )
  ) == 1
  and any(filter(body.links,
                 .href_url.domain.root_domain in ("figma.com")
                 and (
                   strings.istarts_with(.href_url.path, "/deck")
                   or (
                     strings.istarts_with(.href_url.path, "/design")
                     and .href_url.query_params is not null
                   )
                 )
          ),
          any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
              .name == "cred_theft" and .confidence in ("medium", "high")
          )
          or any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).topics,
                 .name in ("E-Signature", "Secure Message")
                 and .confidence != "low"
          )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or profile.by_sender().any_messages_malicious_or_spam
    or profile.by_sender().days_since.last_contact > 30
    // individual sender profile
    or profile.by_sender_email().days_since.first_contact < 3
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Computer Vision"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
  - "Sender analysis"
id: "87601924-bdeb-5c35-8186-9d2a384fb5ae"
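To make the rule's logic concrete, here is an added Python re-implementation of its link-selection and sender-gating predicates, run over constructed sample messages. It is example code written for this page, not Sublime's code or a Sublime API. The ML step (ml.link_analysis, beta.ocr and ml.nlu_classifier) cannot run offline, so its output is modelled as intent and topic tuples already attached to each link; the `root_domain` helper is a last-two-labels simplification of Sublime's public-suffix-based `.root_domain`, and the `Link`, `SenderProfile` and `rule_matches` names are assumptions of this example.

```python
"""Offline model of the Figma deck rule (added example, not Sublime's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse


def root_domain(host: str) -> str:
    # Assumption: last two DNS labels. Sublime's .root_domain consults the
    # public-suffix list, so multi-part suffixes would differ from this.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_figma_deck_or_design(url: str) -> bool:
    """Mirror of the MQL filter(): figma.com root domain and a path that
    starts with /deck, or with /design and at least one query parameter
    (istarts_with is case-insensitive, hence the lower())."""
    parts = urlparse(url)
    if root_domain(parts.netloc) != "figma.com":
        return False
    path = parts.path.lower()
    return path.startswith("/deck") or (path.startswith("/design") and parts.query != "")


@dataclass
class Link:
    url: str
    # Modelled nlu_classifier output for the link's screenshot text.
    intents: List[Tuple[str, str]] = field(default_factory=list)  # (name, confidence)
    topics: List[Tuple[str, str]] = field(default_factory=list)   # (name, confidence)


@dataclass
class SenderProfile:
    prevalence: str                          # profile.by_sender().prevalence
    solicited: bool
    any_messages_malicious_or_spam: bool
    days_since_last_contact: Optional[int]   # None models a null value
    any_messages_benign: bool
    email_days_since_first_contact: Optional[int]  # profile.by_sender_email()


def link_has_cred_theft_language(link: Link) -> bool:
    """cred_theft intent at medium/high, or an E-Signature / Secure Message
    topic at anything other than low confidence."""
    intent_hit = any(n == "cred_theft" and c in ("medium", "high") for n, c in link.intents)
    topic_hit = any(n in ("E-Signature", "Secure Message") and c != "low" for n, c in link.topics)
    return intent_hit or topic_hit


def sender_is_suspicious(p: SenderProfile) -> bool:
    """The sender block of the rule; a null day count never satisfies a comparison,
    just as in MQL. The benign-history exclusion applies to every branch."""
    new_unsolicited = p.prevalence in ("new", "outlier") and not p.solicited
    stale = p.days_since_last_contact is not None and p.days_since_last_contact > 30
    fresh_address = (p.email_days_since_first_contact is not None
                     and p.email_days_since_first_contact < 3)
    gated = new_unsolicited or p.any_messages_malicious_or_spam or stale or fresh_address
    return gated and not p.any_messages_benign


def rule_matches(inbound: bool, links: List[Link], sender: SenderProfile) -> bool:
    if not inbound:
        return False
    figma = [l for l in links if is_figma_deck_or_design(l.url)]
    # distinct(..., .href_url.url): repeated hrefs still count as one link
    if len({l.url for l in figma}) != 1:
        return False
    return any(link_has_cred_theft_language(l) for l in figma) and sender_is_suspicious(sender)


# Constructed sample inputs; not real messages.
SAMPLE_LINKS = [
    Link("https://www.figma.com/deck/AbC123/Q3-Review?node-id=1-2",
         intents=[("cred_theft", "high")]),
    Link("https://www.figma.com/deck/AbC123/Q3-Review?node-id=1-2"),  # same href twice
    Link("https://example.com/unsubscribe"),  # non-Figma link, ignored by the filter
]
NEW_SENDER = SenderProfile("new", False, False, None, False, 1)
KNOWN_SENDER = SenderProfile("common", True, False, 5, True, 400)


def demo() -> dict:
    return {
        "new_sender_single_deck": rule_matches(True, SAMPLE_LINKS, NEW_SENDER),
        "known_sender_benign_history": rule_matches(True, SAMPLE_LINKS, KNOWN_SENDER),
        "two_distinct_figma_links": rule_matches(
            True, SAMPLE_LINKS + [Link("https://figma.com/deck/Other")], NEW_SENDER),
        "design_without_query": is_figma_deck_or_design("https://www.figma.com/design/XYZ/File"),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

The two-distinct-links case shows why the rule counts distinct hrefs rather than link elements: a lure that repeats one URL as text and as a button still reads as a single link, while a message carrying two different Figma files does not match. The `/design` path is only accepted with query parameters, so a bare design URL is dropped by the filter.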