Attack spotlight

Figma abuse from compromised vendor used in credential theft attack

April 30, 2025

Credential phishing attack with Figma abuse and vendor compromise

Author: Sam Scholten, Detection

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: Credential Phishing

Living Off Trusted Service (LOTS) attacks are spreading across SaaS offerings, now leveraging design tools like Figma and Canva. In a recent attack, a bad actor used a linked Figma file to deliver a credential phishing payload. Using design tools like Figma in LOTS attacks is especially effective because they are commonly used in business, are rarely blocked, look like regular work, and bypass link scanning because the payload is multistage.

The attack starts with the target receiving a message from a compromised vendor email account. The target’s email address is BCC’d and the sender’s address is also the main recipient, indicating this has likely been sent to multiple targets at once. The message lets the target know that there is a link to a request for quote (RFQ) on OneDrive within the linked Figma file.

If the target clicks the link, they’re taken to a Figma file with a Click Here To View | Download Documents link that is supposed to take them to the RFQ on OneDrive that’s referenced in the email.

Clicking that link takes the target to a fake Microsoft login screen (hosted at csoaitv[.]org) that harvests credentials.

Detection signals

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this attack were:

  • Sender as recipient: The email shows the sender’s address as the recipient, a classic self-sender pattern often used in phishing attacks.
  • Reference to multiple sharing platforms: The confusion created by referencing multiple file sharing platforms (DropSend, OneDrive, Figma) is a deliberate social engineering tactic.
  • Free file host: Figma offers a free plan that could be used to deliver malicious payloads.
  • Suspicious subject: Urgency in the subject line combined with grammatical errors is a typical phishing indicator.
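As an added illustration of how the signals above can be combined in detection logic (example code written for this post, not Sublime's engine or rule syntax), the following Python evaluates a constructed single-part message for the sender-as-recipient pattern, references to multiple sharing platforms, a link to a free file host, and an urgent subject. The keyword and domain vocabulary, the sample addresses and file ID, and the scoring threshold are all assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Vocabulary is an assumption sized for this example; a production rule set is far larger.
SHARING_PLATFORMS = {
    "dropsend": re.compile(r"\bdropsend\b", re.I),
    "figma": re.compile(r"\bfigma\b", re.I),
    "onedrive": re.compile(r"\bonedrive\b|\b1drv\.ms\b", re.I),
}
FREE_FILE_HOSTS = {"figma.com", "www.figma.com"}
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|asap|action required)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_signals(raw_message: str) -> dict:
    """Evaluate the spotlight's signals on a single-part text/plain RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Only visible recipients matter: a BCC'd target never appears in To/Cc.
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    subject = msg.get("Subject", "")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    text = f"{subject}\n{body}"
    hosts = {urlparse(url).hostname or "" for url in URL_RE.findall(text)}
    platforms = sorted(name for name, pat in SHARING_PLATFORMS.items() if pat.search(text))
    return {
        "sender_as_recipient": bool(sender) and sender in recipients,
        "sharing_platforms": platforms,
        "multiple_sharing_platforms": len(platforms) >= 2,
        "free_file_host_link": any(host in FREE_FILE_HOSTS for host in hosts),
        "urgent_subject": bool(URGENCY_WORDS.search(subject)),
    }

def is_suspicious(signals: dict, threshold: int = 3) -> bool:
    """Flag the message when at least `threshold` boolean signals fire (threshold is an assumption)."""
    return sum(1 for value in signals.values() if value is True) >= threshold

# Constructed sample modelled on the lure described above; addresses and IDs are placeholders.
SAMPLE_PHISH = """\
From: Accounts Payable <ap@vendor.example>
To: ap@vendor.example
Subject: URGENT: RFQ documents, respond immediately
Content-Type: text/plain; charset="utf-8"

Hello, the RFQ is on OneDrive. Please access the documents via the DropSend link in our Figma file:
https://www.figma.com/file/CONSTRUCTED-ID/RFQ
"""
```

Running `extract_signals(SAMPLE_PHISH)` returns all four boolean signals as True, so `is_suspicious` flags the sample; a routine Figma share between two colleagues only trips the free-file-host signal and stays below the threshold.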

ASA, Sublime’s Autonomous Security Analyst, flagged this email as malicious. Here is ASA’s analysis summary:

Stay secure against LOTS attacks

LOTS attacks are gaining popularity because they let bad actors hide behind friendly domains. That’s why the most effective email security platforms are adaptive, using AI and machine learning to shine a spotlight on seemingly minor discrepancies.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.

About the authors

Sam Scholten, Detection

Sam is the Head of Detection at Sublime. Prior to Sublime, he was a Staff Email Security Researcher at Proofpoint where he developed a business email compromise (BEC) taxonomy and formulated key detection methodologies and rules.
