Description

Detects malicious Figma design shares containing brand impersonation or credential phishing content. The rule identifies legitimate Figma share notifications where the embedded thumbnail preview contains "access document" text when OCR'd. Attackers create phishing designs (impersonating Microsoft, DocuSign, or other brands) within Figma, then share them via Figma's legitimate infrastructure to bypass sender reputation checks. The malicious content is rendered in the Figma-hosted thumbnail image itself.

Sublime Security
Created May 27th, 2026 • Last updated May 27th, 2026
Source
type.inbound
and sender.email.email == "no-reply@email.figma.com"
and strings.icontains(subject.base, "proposal")
and length(html.xpath(body.html,
                      "//img[contains(@src, 'https://api-cdn.figma.com/resize/thumbnails')]"
           ).nodes
) == 1
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and strings.icontains(beta.ocr(file.message_screenshot()).text,
                      'access document'
)
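
The same conditions ported to Python, for triaging an exported EML outside the rule engine. This is an added example, not Sublime's code. Assumptions: the OCR text is supplied by the caller (`ocr_text` is a hypothetical parameter), `type.inbound` is not modeled, and the sender address is lowercased before comparison.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

FIGMA_SENDER = "no-reply@email.figma.com"
THUMB_PREFIX = "https://api-cdn.figma.com/resize/thumbnails"


class ThumbCounter(HTMLParser):
    """Counts <img> tags whose src contains the Figma thumbnail CDN prefix."""

    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "img" and THUMB_PREFIX in (dict(attrs).get("src") or ""):
            self.count += 1


def matches_rule(raw_eml: bytes, ocr_text: str) -> bool:
    """Apply the rule's conditions; ocr_text comes from the caller (assumption)."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    # Lowercasing the address is an assumption of this example.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).lower()
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    counter = ThumbCounter()
    counter.feed(html)
    return (
        sender == FIGMA_SENDER
        and "proposal" in subject          # strings.icontains(subject.base, ...)
        and counter.count == 1             # exactly one thumbnail image
        and "access document" in ocr_text.lower()
    )


# Constructed sample message (not a real capture); the thumbnail path is made up.
SAMPLE_EML = (
    b"From: Figma <no-reply@email.figma.com>\r\n"
    b"Subject: Project Proposal shared with you\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<html><body><img src="https://api-cdn.figma.com/resize/thumbnails/EXAMPLE">'
    b"</body></html>\r\n"
)
```
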