How Hackers Abuse Canva to Distribute Phishing Attacks

Canva’s public-sharing feature turns every design into a web page served from the iron-clad canva.com domain, a gift to attackers who thrive on borrowed trust. In a typical Canva-phishing play, a criminal publishes a harmless-looking design, emails the link, and watches both secure email gateways and users drop their guard. One click later, hidden JavaScript shuts down the browser and sends it to a credential-harvesting site or malware dropper.

In this blog, we’ll dissect a real Canva-based attack step by step, showing exactly how the redirect chain works, what indicators of compromise surfaced during the investigation, and how you can break the kill chain with layered defenses.

How Canva Phishing Works?

Cybercriminals cleverly utilize Canva's legitimate design-sharing features to distribute phishing links disguised as ordinary content. By leveraging Canva’s trusted domain, attackers significantly increase their chances of bypassing email and web filtering systems.

Typically, hackers create designs that mimic genuine documents or websites, embedding malicious URLs directly within Canva projects. These malicious designs are then shared publicly, giving the attackers a credible, Canva-hosted link. Unsuspecting users who trust Canva’s domain are more likely to click on these links, inadvertently compromising their sensitive information or credentials.

Canva-Based Phishing Scam: Step-by-Step Analysis

Canva lets anyone publish a design as a public web page or short “canva[.]site” link. Threat actors abuse that trust: a link that looks like a harmless Canva presentation is really just the first hop in a credential-harvesting chain that can slip past secure-email gateways (SEGs) and reputation filters.

Below is a deeper, more technical look at each stage of the attack, with the red flags defenders should key on.

1. Spoofed “Accounts Payable” Email

The campaign begins with an HTML email sporting a forged display name (e.g., “Accounts Payable noreply@payments-alerts.com”).

• Reputation bypass: The clickable URL is https://www.canva[.]com/design/… or https://mycompany.canva.site/payment-notice—a domain most SEGs treat as benign, so the message sails through DMARC/SFP/DKIM checks.
• Payload delivery: An <a> tag wrapped around an innocuous Canva thumbnail makes the lure look like a PDF invoice awaiting review.

Defender tip: Add an allow-list exception only for authenticated internal Canva accounts; treat externally created Canva links as neutral or unknown.

2. Fake CAPTCHA Gate

Clicking the Canva link opens the design in “web-presentation” mode. The first slide contains an embedded fake reCAPTCHA v2 widget obtained legitimately from Google.

• Human-verification theater: Because the CAPTCHA fires from www.google.com/recaptcha/*, the browser’s network pane shows a trusted origin, tricking savvy users.
• Hidden redirect: The CAPTCHA’s success callback triggers window.location.replace() to an attacker-controlled URL stored inside the design’s JavaScript block—code that Canva does not sanitize for outbound links.

3. Counterfeit Google OAuth Portal

The user is now on hxxps://login-secure-accounts[.]xyz/ServiceLogin?..., a pixel-perfect clone of Google’s OAuth flow built with open-source Mr.D0x Browser-in-the-Browser (BitB) framework.

• BitB illusion: A JavaScript-rendered “browser frame” hides the real address bar, displaying accounts.google.com even though the parent origin is malicious.
• Multi-factor replay: The phish accepts passwords, then immediately asks for a one-time code, forwarding both to an attacker-side reverse-proxy that relays them to Google in real time.

Defender tip: Enforce universal WebAuthn or FIDO2 tokens; password+OTP alone is insufficient against real-time relay attacks.

4. Initial URL Scan Looks Clean

Security-operations teams who triage the original email often submit the Canva link to VirusTotal or URLhaus. Because the file lives on a trusted Canva sub-domain and contains no direct credential-harvest code, >90 % of engines return “Clean”.

Side-car delivery: The malicious JavaScript only fires after user interaction (CAPTCHA success callback), so static scanners miss it.

5. Final Hop Flagged as Phishing/Malware

The external site—now several hops removed from the inbox—gets a very different verdict: multiple engines tag the domain for phishing, malware dropper scripts, or both.

Command-and-control staging: After stealing credentials, the page pushes an obfuscated JS blob that fingerprints the browser and, on Windows, attempts an .hta payload download that side-loads Cobalt Strike.

Canva’s legitimate sharing feature gives adversaries a clean launchpad. By chaining a CAPTCHA, a look-alike OAuth window, and fast redirect logic, they short-circuit both technical and human defenses. Build controls that treat every domain—trusted or not—as guilty until proven otherwise.

Real-World Indicators of Compromise (IoCs) of Canva Phishing

Below are the two confirmed artifacts from the campaign, described in-depth so you can recognise them, and anything that resembles them.

IOC #1 — Canva-Hosted Lure

https://www.canva.com/design/DAGp9eU-YSU/sMqhyPZnufuqyJeSK1-nQw/view?utm_content=DAGp9eU-YSU&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h2ea2a50831

Why it raises red flags:

• Reputation piggy-backing: Anything under canva.com is usually considered safe and is allow-listed by many secure-email gateways. Attackers abuse that trust to glide through DMARC/SFP/DKIM and reputation checks.
• Public-design fingerprint: The path segment /design/<ID>/…/view tells you this is a published Canva “website,” not a private team document. Public designs can embed arbitrary JavaScript that Canva does not sanitise.
• Telemetry camouflage: Multiple utm_ parameters (utm_content, utm_campaign, utm_medium, utm_source) mimic legitimate marketing links, discouraging deeper inspection by both humans and automated tools.
• On-click redirection: The design contains a small script that executes only after the victim clicks a button such as “View Invoice.” It calls window.location.replace() to shuttle the browser to the attacker’s next stage—behaviour static sandboxes usually miss.

Detection & response tips:

1. Treat every external Canva URL that ends in /view and carries utm_ parameters as grey until detonated in a click-aware sandbox.
2. If your organisation uses Canva internally, create allow-list rules that trust only URLs signed by your corporate Canva tenant; quarantine everything else for human review.
3. Instrument mail filters to flag messages where a Canva link appears alongside finance-themed language (invoice, payment, statement) originating from outside your domain.

IOC #2 — Secondary Phishing Host

https://f75gs.itchriat.com/RWCVHZDYCGWOLJFSTZSLSOJPSSXOELEHBJOPQZOSXMW0STH0BCVY5KO0OPQ8Y673Z2M7FGKVZ5LXQMG?UTVGMMHLFVRXJETLWWWNQZFRVIBSPOTIJWSJYZSZPUVOMSHVUU

Why it raises red flags:

• Fresh infrastructure: The apex domain itchriat.com was registered only a few days before the campaign and hides its WHOIS data behind a privacy proxy. Newly minted domains are common in hit-and-run phishing operations.
• Cloudflare fronting: The site sits behind Cloudflare, masking its true hosting provider and IP history, which complicates takedown and attribution efforts.
• Path high-entropy: A 64-character base-32 slug in the path, followed by an equally long query string, indicates an automated phishing kit that generates unique tokens for each target. High-entropy paths are rarely used in legitimate web applications.
• Payload behaviour: When loaded, the site serves a Browser-in-the-Browser (BitB) clone of the Google sign-in flow. After stealing credentials and one-time codes, it delivers an obfuscated JavaScript blob. On Windows hosts, that script tries to fetch an .hta file that side-loads a Cobalt Strike or Sliver beacon.

Detection & response tips:

1. Block or challenge outbound connections to domains less than 30 days old unless business-justified.
2. Configure your web proxy to flag URLs whose path or query segment exceeds a length threshold (for example, 40 random characters) or contains improbable character distribution.
3. Hunt retrospectively in DNS and proxy logs for any traffic to itchriat.com or sub-domains—especially if the User-Agent string matches Chrome/Edge on Windows and the HTTP method is GET for .hta or large JavaScript files.

Why This Two-Step Method Is So Dangerous

1. Brand trust lowers human scepticism. Canva’s well-known domain persuades users, and automated filters, that the email is harmless.
2. Staged delivery beats static analysis. The Canva page itself is “clean” until the user clicks, so traditional URL site-reputation and sandbox detonation see no overt malicious content.
3. Real-time credential proxying. The second host captures passwords and multi-factor codes via a live reverse proxy, defeating SMS and authenticator-app OTPs.
4. Rapid retooling. Even if law enforcement or the Canva abuse team pulls the design, a new public link with the same JavaScript can be live in minutes; the attacker only needs to update the URLs in their spam templates.

Immediate Defensive Moves (no table, just action items)

• Email controls – Rewrite, quarantine, or at least banner-wrap any external Canva links that point to a design with /view and utm_ parameters.
• Network controls – Reject outbound traffic to domains <30 days old; monitor for high-entropy URL paths; enable full TLS inspection where policy permits.
• Identity hardening – Accelerate roll-out of phishing-resistant WebAuthn/FIDO2 tokens and disable legacy MFA fallbacks that can be proxied.
• Threat-intel ingestion – Feed both IoCs into your SIEM and EDR block lists, then run retrospective hunts for hits over the past 30 days.

Bottom line: A single Canva link can launch a sophisticated multi-stage phish that sidesteps both human intuition and legacy security controls. Treat well-known domains as conditionally trusted, not inherently safe, and instrument your defences to recognise the behavioural markers outlined above.

Building a Defense-in-Depth Strategy Against Canva-Style Phishing

Phishing campaigns that piggyback on well-loved brands like Canva succeed precisely because they look ordinary. Below is a practical, technically focused playbook you can apply right now—no silver bullets, just layered controls that force an attacker to clear multiple hurdles before they ever reach an employee’s inbox.

1. Make Security Awareness a Continuous Process

• Run monthly “micro-training” boosts. Five-minute modules on the latest lures (e.g., CAPTCHA-redirect, Browser-in-the-Browser) keep muscle memory fresh without overwhelming staff.
• Focus on trusted-brand abuse. Show real Canva, Google Docs, and Microsoft links side-by-side with malicious look-alikes so users learn the subtle tells—odd sub-paths, excessive tracking parameters, or a /view?utm_… tail.
• Measure and adapt. Use Keepnet’s Security Awareness Training analytics to flag departments or job roles that keep clicking test phishes and schedule extra coaching for those cohorts.

2. Inspect Every Link, Even When It Sits on a “Good” Domain

• Hover and expand. Train employees to pause for two seconds, hover, and read the full URL from right to left (<domain>/<path>?<params>).
• Time-of-click rewriting. Configure your secure-email gateway or proxy to pass all external Canva URLs through a detonation sandbox that simulates user clicks and JavaScript execution.
• Gray-list policy. Whitelist only Canva links generated by your corporate tenant; treat everything else as untrusted until proven benign.

3. Deploy Phishing-Resistant MFA Everywhere

• Move beyond OTP. One-time codes (SMS, authenticator apps) can be proxied in real time by tools like Evilginx. Shift high-value accounts to hardware-bound FIDO2 / WebAuthn tokens.
• Enforce conditional access. Even with strong MFA, require extra scrutiny for first-time logins from new devices or IP ranges outside your normal geography.
• Audit fallback channels. Disable “SMS recovery” or “email reset” paths that attackers can exploit once they steal primary credentials.

4. Establish a Zero-Penalty Reporting Culture

• One-click report button. Integrate Keepnet’s Phishing Simulator Outlook/Gmail add-in so staff can forward suspicious Canva designs or links straight to the SOC with a single tap.
• Response SLAs. Publish clear expectations: security will acknowledge every report within 15 minutes and share the verdict within one hour. Fast feedback keeps users engaged.
• Gamify good catches. Award micro-rewards or leaderboard points when someone spots a sophisticated lure; positive reinforcement beats shaming.

5. Harden the Back-End—Because Users Will Still Slip

• DNS egress filtering. Block look-ups to domains registered in the last 30 days or those with high-entropy hostnames (abcd1234[.]com).
• Browser isolation. Route untrusted Canva links through a cloud browser that executes JavaScript away from the endpoint.

Continuous Vigilance Is Non-Negotiable

Threat actors iterate faster than any security stack. Your counter-move is an adaptable program that mixes people, process, and technology:

• People: Regular, targeted awareness refreshers.
• Process: Clear escalation paths for anything that looks off.
• Technology: Phishing-resistant MFA, click-time URL inspection, and analytics from platforms like Keepnet to reveal weak spots.

Stay alert, refine your defenses, and remember: every successful phish begins with a single click that felt safe. Make that click just uncertain enough to give your users— and your security stack—time to block it.