High Severity
Canva Design With Suspicious Embedded Link
Description
Detects when a Canva design contains links to suspicious domains or credential harvesting sites. The rule examines embedded scripts within Canva documents for suspicious URLs and analyzes link text for malicious intent.
References
No references.
Sublime Security
Created May 5th, 2025 • Last updated May 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(body.links,
.href_url.domain.root_domain == "canva.com"
and strings.starts_with(.href_url.path, "/design/")
and any(html.xpath(ml.link_analysis(.).final_dom,
"/html/body/script[2]"
).nodes,
any(regex.iextract(.raw,
'\"[A-Z]\":{[^\}]+\"[a-z]\":\"(?P<display_text>[^\"]+)\"},\"[a-z]\":{[^\}]+"[a-z]":"(?<url>https:\/\/[^\s"'')\]}]+)\"'
),
strings.parse_url(.named_groups["url"]).domain.root_domain not in (
"canva.com",
"sentry.io"
)
and (
any(ml.nlu_classifier(.named_groups['display_text']).intents,
.name == "cred_theft"
)
or strings.parse_url(.named_groups["url"]).domain.tld in $suspicious_tlds
or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
or ml.link_analysis(strings.parse_url(.named_groups["url"])).credphish.disposition == "phishing"
)
)
)
)
and not profile.by_sender_email().any_messages_benign
Playground
Test against your own EMLs or sample data.