From f4f030d61390b22ec898d17f1e3a0931772c9806 Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Fri, 22 May 2026 16:18:57 -0500
Subject: [PATCH 1/4] Create brand_impersonation_figma_doc_access_overlay.yml
---
 ...impersonation_figma_doc_access_overlay.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 detection-rules/brand_impersonation_figma_doc_access_overlay.yml
diff --git a/detection-rules/brand_impersonation_figma_doc_access_overlay.yml b/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
new file mode 100644
index 00000000000..5548ee0ea0e
--- /dev/null
+++ b/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
@@ -0,0 +1,29 @@
+name: "Brand impersonation: Figma with malicious document access overlay"
+description: "Detects malicious Figma design shares containing brand impersonation or credential phishing content. The rule identifies legitimate Figma share notifications where the embedded thumbnail preview contains "access document" text when OCR'd. Attackers create phishing designs (impersonating Microsoft, DocuSign, or other brands) within Figma, then share them via Figma's legitimate infrastructure to bypass sender reputation checks. The malicious content is rendered in the Figma-hosted thumbnail image itself."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and sender.email.email == "no-reply@email.figma.com"
+ and length(html.xpath(body.html,
+ "//img[contains(@src, 'https://api-cdn.figma.com/resize/thumbnails')]"
+ ).nodes
+ ) == 1
+ and any(html.xpath(body.html, "//img[contains(@src, 'api-cdn.figma.com')]/@src").nodes,
+ any(file.explode(ml.link_analysis(strings.parse_url(.raw)).screenshot),
+ strings.icontains(.scan.ocr.raw, "access document")
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+ - "Image as content"
+detection_methods:
+ - "Sender analysis"
+ - "HTML analysis"
+ - "URL screenshot"
+ - "Optical Character Recognition"
+ - "URL analysis"
From 9c4d38af096d1129ae1a9debbc3c5cc0fecbf3ed Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Fri, 22 May 2026 16:35:26 -0500
Subject: [PATCH 2/4] Update brand_impersonation_figma_doc_access_overlay.yml
Updating formatting
---
 detection-rules/brand_impersonation_figma_doc_access_overlay.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/brand_impersonation_figma_doc_access_overlay.yml b/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
index 5548ee0ea0e..93b60d9d11a 100644
--- a/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
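Review bot: The two XPath selectors in `source` disagree: the count check requires exactly one `img` under `https://api-cdn.figma.com/resize/thumbnails`, but the OCR loop then iterates every `img` whose `src` merely contains `api-cdn.figma.com`, so `ml.link_analysis` and the screenshot OCR may run against other Figma CDN images in the notification rather than only the thumbnail the rule is about. Reusing the thumbnail selector keeps the two checks aligned and avoids extra link-analysis calls: `and any(html.xpath(body.html, "//img[contains(@src, 'https://api-cdn.figma.com/resize/thumbnails')]/@src").nodes,`. The OCR match on the single phrase `"access document"` is also narrow for a rule named after a document-access overlay; a case-insensitive regex over a small set of lure verbs (view/open/review/access followed by "document") would cover the obvious variants without widening scope on ordinary shares. Since the `== 1` thumbnail count is what distinguishes a share notification from other Figma mail, a short comment in the `source` block stating that intent would help the next maintainer tune it.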
+++ b/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
@@ -14,7 +14,6 @@ source: |
 strings.icontains(.scan.ocr.raw, "access document")
 )
 )
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
From b00d44e1255de9c01161a017f4d771fd9bc749b0 Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Fri, 22 May 2026 16:37:50 -0500
Subject: [PATCH 3/4] Update brand_impersonation_figma_doc_access_overlay.yml
---
 .../brand_impersonation_figma_doc_access_overlay.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection-rules/brand_impersonation_figma_doc_access_overlay.yml b/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
index 93b60d9d11a..f3c7e28b234 100644
--- a/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
+++ b/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
@@ -1,5 +1,6 @@
 name: "Brand impersonation: Figma with malicious document access overlay"
-description: "Detects malicious Figma design shares containing brand impersonation or credential phishing content. The rule identifies legitimate Figma share notifications where the embedded thumbnail preview contains "access document" text when OCR'd. Attackers create phishing designs (impersonating Microsoft, DocuSign, or other brands) within Figma, then share them via Figma's legitimate infrastructure to bypass sender reputation checks. The malicious content is rendered in the Figma-hosted thumbnail image itself."
+description: |
+ "Detects malicious Figma design shares containing brand impersonation or credential phishing content. The rule identifies legitimate Figma share notifications where the embedded thumbnail preview contains "access document" text when OCR'd. Attackers create phishing designs (impersonating Microsoft, DocuSign, or other brands) within Figma, then share them via Figma's legitimate infrastructure to bypass sender reputation checks. The malicious content is rendered in the Figma-hosted thumbnail image itself."
 type: "rule"
 severity: "high"
 source: |
From 80d5353979844f92ac2063968ecf8df71c3f8b53 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 22 May 2026 21:38:57 +0000
Subject: [PATCH 4/4] Auto-format MQL and add rule IDs
---
 detection-rules/brand_impersonation_figma_doc_access_overlay.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/brand_impersonation_figma_doc_access_overlay.yml b/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
index f3c7e28b234..315cadebdcb 100644
--- a/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
+++ b/detection-rules/brand_impersonation_figma_doc_access_overlay.yml
@@ -27,3 +27,4 @@ detection_methods:
 - "URL screenshot"
 - "Optical Character Recognition"
 - "URL analysis"
+id: "fcc7be2c-d4ca-5b66-8e45-c2b5d56ee312"
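Review bot: The switch to a `|` block scalar stops the parse failure caused by the unescaped inner `"access document"` quotes, but it keeps the outer double quotes as content, so the rule's `description` value now begins and ends with a literal `"` character (and ends with a trailing newline) rather than being the sentence itself. Drop the enclosing quotes inside the block — the added line becomes ` Detects malicious Figma design shares containing brand impersonation or credential phishing content. ...` — or keep a one-line flow scalar and escape the inner quotes as `\"access document\"`. It is worth checking that the repository's rule linter accepts a multi-line `description`, since the other metadata fields in this file are all single-line quoted scalars; I cannot confirm that from the hunk.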