Link: Figma Design Deck With Credential Phishing Language
A single link to a Figma design deck that contains credential theft language. The message comes from either a new sender, one with previously detected malicious activity, or a known sender who has not been in contact for over 30 days and has no history of benign messages.
Sublime rule
name: "Link: Figma Design Deck With Credential Phishing Language"
description: "A single link to a Figma design deck that contains credential theft language. The message comes from either a new sender, one with previously detected malicious activity, or a known sender who has not been in contact for over 30 days and has no history of benign messages."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // only one link to Figma
  and length(distinct(filter(body.links,
                             .href_url.domain.root_domain in ("figma.com")
                             and strings.istarts_with(.href_url.path, "/deck")
                      ),
                      .href_url.url
             )
  ) == 1
  and any(filter(body.links,
                 .href_url.domain.root_domain in ("figma.com")
                 and strings.istarts_with(.href_url.path, "/deck")
          ),
          any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
              .name == "cred_theft" and .confidence in ("medium", "high")
          )
  )
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or profile.by_sender().any_messages_malicious_or_spam
    or profile.by_sender().days_since.last_contact > 30
  )
  and not profile.by_sender().any_messages_benign

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Computer Vision"
  - "Optical Character Recognition"
  - "URL analysis"
  - "URL screenshot"
  - "Sender analysis"
id: "87601924-bdeb-5c35-8186-9d2a384fb5ae"
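To make the rule's three gates concrete (exactly one distinct Figma deck URL, a credential-theft intent in the rendered page text, and an unestablished or tainted sender), the following is an added plain-Python re-implementation of the same predicate. It is illustration code, not Sublime's engine or the rule's MQL: the messages, sender profiles and OCR text are constructed inline, and a keyword heuristic stands in for the ml.link_analysis / beta.ocr / ml.nlu_classifier chain, so the cue list and confidence buckets are assumptions, not the real classifier's behaviour.

```python
"""Added re-implementation of the rule's logic for illustration only.

Not Sublime's engine: inputs are constructed, and classify_intents() is a
keyword stand-in for ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class SenderProfile:
    # Mirrors the profile.by_sender() fields the rule reads (constructed values).
    prevalence: str                    # e.g. "new", "outlier", "common"
    solicited: bool
    any_messages_malicious_or_spam: bool
    days_since_last_contact: int
    any_messages_benign: bool


@dataclass
class Message:
    inbound: bool
    links: list                        # href URLs found in the body
    sender: SenderProfile
    ocr_text_by_url: dict              # constructed stand-in for screenshot OCR text


def root_domain(hostname: str) -> str:
    # Simplification of .href_url.domain.root_domain: last two labels only
    # (a real implementation consults the public suffix list).
    labels = hostname.lower().split(".")
    return ".".join(labels[-2:])


def is_figma_deck_link(url: str) -> bool:
    # Same filter the rule applies: figma.com root domain and a path that
    # case-insensitively starts with "/deck" (strings.istarts_with).
    parts = urlsplit(url)
    if not parts.hostname:
        return False
    return root_domain(parts.hostname) == "figma.com" and parts.path.lower().startswith("/deck")


# Assumed cue list for the stand-in classifier; the real NLU model is not keyword based.
CRED_THEFT_CUES = ("password", "sign in", "log in", "verify your account", "credentials")


def classify_intents(text: str) -> list:
    # Returns (name, confidence) pairs in the rule's "medium"/"high" vocabulary.
    lowered = text.lower()
    hits = sum(cue in lowered for cue in CRED_THEFT_CUES)
    if hits == 0:
        return []
    return [("cred_theft", "high" if hits >= 2 else "medium")]


def sender_is_suspicious(p: SenderProfile) -> bool:
    # The rule's sender block: new/outlier and unsolicited, previously bad,
    # or dormant for more than 30 days; and in every case never seen benign.
    triggered = (
        (p.prevalence in ("new", "outlier") and not p.solicited)
        or p.any_messages_malicious_or_spam
        or p.days_since_last_contact > 30
    )
    return triggered and not p.any_messages_benign


def matches_rule(msg: Message) -> bool:
    if not msg.inbound:
        return False
    deck_links = [u for u in msg.links if is_figma_deck_link(u)]
    # length(distinct(...)) == 1: exactly one unique Figma deck URL in the body
    if len(set(deck_links)) != 1:
        return False
    cred_theft_seen = any(
        name == "cred_theft" and conf in ("medium", "high")
        for url in set(deck_links)
        for name, conf in classify_intents(msg.ocr_text_by_url.get(url, ""))
    )
    return cred_theft_seen and sender_is_suspicious(msg.sender)


# Constructed sample inputs (not real messages).
DECK = "https://www.figma.com/deck/abc123?node=1"
DECK_2 = "https://www.figma.com/deck/def456"
LURE_TEXT = "Shared deck. Sign in with your email password to view the slides."
NEW_SENDER = SenderProfile("new", False, False, 0, False)
DORMANT_BENIGN = SenderProfile("common", True, False, 45, True)

SAMPLE_HIT = Message(True, [DECK, DECK], NEW_SENDER, {DECK: LURE_TEXT})
SAMPLE_TWO_DECKS = Message(True, [DECK, DECK_2], NEW_SENDER, {DECK: LURE_TEXT, DECK_2: LURE_TEXT})
SAMPLE_BENIGN_HISTORY = Message(True, [DECK], DORMANT_BENIGN, {DECK: LURE_TEXT})
SAMPLE_FILE_LINK = Message(True, ["https://www.figma.com/file/xyz"], NEW_SENDER, {})
SAMPLE_CLEAN_TEXT = Message(True, [DECK], NEW_SENDER, {DECK: "Q3 roadmap, slide 1 of 12"})

if __name__ == "__main__":
    for label, m in [("hit", SAMPLE_HIT), ("two decks", SAMPLE_TWO_DECKS),
                     ("benign history", SAMPLE_BENIGN_HISTORY),
                     ("file link", SAMPLE_FILE_LINK), ("clean text", SAMPLE_CLEAN_TEXT)]:
        print(f"{label}: {matches_rule(m)}")
```

The duplicate URL in SAMPLE_HIT shows why the rule counts distinct URLs rather than links: the same deck referenced twice still counts as one link, while two different decks (SAMPLE_TWO_DECKS) fall outside the "single link" pattern the rule targets.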