High Severity

Attachment: Canva PDF with susupicious author metadata

Labels

BEC/Fraud
Credential Phishing
Free email provider
PDF
Exif analysis
File analysis

Description

Detects inbound messages containing PDF attachments that were created using Canva but have author metadata containing '@proton.me', indicating potential service abuse where legitimate design tools are being misused in conjunction with privacy-focused email services.

References

No references.

Sublime Security
Created Jun 5th, 2026 • Last updated Jun 5th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(filter(attachments, .file_type == "pdf"),
        strings.icontains(beta.parse_exif(.).author, '@proton.me')
        and beta.parse_exif(.).producer == 'Canva'
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started