
Inside the New Wave of Phishing Attacks Exploiting Trusted Design and Diagramming Tools

Cybercriminals are exploiting trusted tools like Canva, Figma, and Lucidchart for phishing. Learn how these attacks work—and how to protect your business.
March 19, 2025

It feels like just another project update, proposal review, or design collaboration request. But behind that veneer of legitimacy is a carefully crafted scheme to steal credentials.

As observed by Abnormal, attackers are exploiting trusted design and diagramming platforms such as Canva, Lucidchart, and Figma to deliver phishing campaigns that are difficult for both users and automated tools to spot. Instead of placing the malicious link directly in the email, where security tools would scan it, threat actors host an intermediate page on these widely trusted platforms and hide the real phishing link behind familiar interfaces and well-designed notifications.

This shift isn’t random—it’s calculated, and it’s working. As attackers take advantage of the very platforms organizations rely on to do business, traditional defenses fall short.

In this post, we’ll explore how these attacks unfold, why they’re so effective, and what organizations must do to stop trust from becoming their greatest vulnerability.

Breaking Down the Design and Diagramming Tool Phishing Attacks

Across multiple attacks, we see a consistent pattern emerge:

  1. Attackers send an email impersonating a trusted sender, often using convincing pretexts such as business proposals, project updates, or secure document requests.

  2. The email contains a link to a real design or diagramming tool, such as a Canva project, a Figma file, or a Lucidchart diagram, making it appear harmless.

  3. Once the recipient clicks on the link, they are led to a shared document hosted on the actual platform, reinforcing legitimacy.

  4. The link on that shared document points off the platform and passes through a Cloudflare Turnstile challenge, which stops automated URL crawlers from reaching and analyzing the final destination.

  5. Following completion of the verification test, the target is directed to an external phishing page, typically disguised as a Microsoft login portal, which attackers use to steal their credentials.
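The following is an added example, not code from Abnormal or from this page, of how a mail-triage step can score the pattern above. It parses a message with Python's standard `email` module, extracts the links, and treats four weak signals together: a link to a design platform that was not sent by that platform, an unfamiliar sender, urgency language, and an SPF/DKIM pass on an otherwise suspicious message (which, as the case studies show, a compromised vendor mailbox produces). The sample messages, sender domains, file ID, and the mapping of `lucid.app` to Lucidchart are constructed assumptions.

```python
"""Triage heuristics for share notifications that link to design/diagramming platforms.

Added example (not Abnormal's code). Each signal is weak on its own; they are
scored together and a message over the threshold is held for review.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Platforms named in the post. Assumption: genuine share notifications are
# sent from, and shared files hosted on, these registered domains.
PLATFORM_DOMAINS = {
    "canva.com": "Canva",
    "figma.com": "Figma",
    "lucid.app": "Lucidchart",
    "lucidchart.com": "Lucidchart",
    "whimsical.com": "Whimsical",
}
URGENCY = re.compile(r"\b(urgent|immediate(ly)?|asap|action required|expires?|deadline)\b", re.I)
REVIEW_THRESHOLD = 3


class HrefCollector(HTMLParser):
    """Collect href targets of anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def registered_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com/.app, not a Public Suffix List lookup."""
    labels = (host or "").lower().strip(".").split(".")
    return ".".join(labels[-2:])


def platform_of(url):
    """Name of the design platform hosting the URL, or None."""
    return PLATFORM_DOMAINS.get(registered_domain(urlparse(url).hostname))


def triage(raw_message, known_senders=frozenset()):
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    collector = HrefCollector()
    collector.feed(content)
    urls = list(dict.fromkeys(collector.hrefs + re.findall(r"https?://[^\s\"'<>]+", content)))

    findings, score = [], 0
    for url in urls:
        platform = platform_of(url)
        if platform and registered_domain(urlparse(url).hostname) != sender_domain:
            # A Canva/Figma/Lucidchart link mailed from some other domain is not a
            # platform notification: it is either a lure or a forwarded share.
            findings.append(f"{platform} share link sent from third-party domain {sender_domain}")
            score += 2
    if sender and sender not in known_senders:
        findings.append("first-time sender")  # stand-in for a behavioral baseline
        score += 1
    if URGENCY.search(str(msg["Subject"] or "")) or URGENCY.search(content):
        findings.append("urgency language")
        score += 1
    auth = str(msg["Authentication-Results"] or "")
    if findings and "spf=pass" in auth and "dkim=pass" in auth:
        # A compromised vendor mailbox passes SPF/DKIM; note it, never subtract for it.
        findings.append("SPF/DKIM pass (consistent with a compromised account; not exculpatory)")
    return {"sender": sender, "urls": urls, "findings": findings, "score": score,
            "action": "review" if score >= REVIEW_THRESHOLD else "deliver"}


# Constructed sample modelled on the Canva case: third-party sender, Canva link, urgency.
SAMPLE_LURE = """\
From: "Project Office" <bids@contractor-example.test>
To: finance@victim-example.test
Subject: New Project Proposal - review required today
Authentication-Results: mx.victim-example.test; spf=pass; dkim=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the proposal before the deadline.</p>
<a href="https://www.canva.com/design/EXAMPLE-ID/view">View Project</a></body></html>
"""

# Constructed benign notification sent by the platform itself from a known address.
SAMPLE_NOTICE = """\
From: Canva <no-reply@canva.com>
To: finance@victim-example.test
Subject: Alex shared a design with you
Content-Type: text/plain; charset="utf-8"

Open it here: https://www.canva.com/design/EXAMPLE-ID/view
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("notice", SAMPLE_NOTICE)):
        print(name, triage(raw, known_senders={"no-reply@canva.com"}))
```

The third-party-sender signal is deliberately weighted highest but still not decisive: a colleague forwarding a real Canva link from a corporate mailbox trips it too, which is why it is scored rather than blocked outright, and why the SPF/DKIM result is recorded but never allowed to lower the score.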

Let’s take a closer look at some real-world examples.

Case Study: Canva Phishing Attack

In one phishing campaign, attackers impersonated a business consultant from a general contracting company. The email subject referenced a “New Project PRJ165044765” and included a link to a Canva design hosted on Canva’s actual platform.

[Screenshot: the phishing email linking to the Canva design]

Once recipients clicked "View Project," they were led to a project page on Canva, where they were presented with a message claiming they had one new file available to view.

[Screenshot: the Canva page announcing one new file to view]

If a target clicked the “View Complete Document” link on the Canva page, they were redirected to a Cloudflare Turnstile challenge, Cloudflare's bot-detection widget that replaces a traditional CAPTCHA puzzle. The challenge ensured that only a real browser session, not a basic automated URL scanner, reached the next page. Turnstile itself is a legitimate service; its appearance in front of a "document" link is the tell here.

[Screenshot: the Cloudflare Turnstile challenge]

Once the Cloudflare verification test was complete, a Microsoft Outlook logo was displayed and the target was ultimately redirected to a fraudulent Microsoft sign-in portal, designed to steal login credentials.

[Screenshots: the Outlook logo interstitial and the fraudulent Microsoft sign-in portal]

Case Study: Lucidchart Phishing Attack

Another phishing attempt targeted legal professionals by impersonating a law firm.

The attackers first compromised a vendor account and used it to distribute what they claimed were “confidential documents” via Whimsical. Because the email came from the vendor's real domain, it passed email authentication checks (SPF, DKIM, and DMARC), which lent it legitimacy and made it more likely to slip past security filters.

Additionally, hosting the phishing link within Whimsical added credibility, as the platform is widely used for business collaboration, increasing the probability that recipients would engage with the document.

[Screenshot: the phishing email impersonating the law firm]

In this particular example, when the recipient couldn’t access the document, they unknowingly reached out to the attacker for an alternative method. Seizing the opportunity, the attacker pivoted to Lucidchart to resend the phishing link, further reinforcing the believability of the attack. This multi-platform approach reduced suspicion and increased the chances of success.

If the target clicked on the link embedded within the email to view the document (which the message claimed was encrypted for security—further enhancing the appearance of legitimacy), they would be redirected to a Lucidchart page with instructions on how to access the shared document.

[Screenshot: the Lucidchart page with instructions for accessing the shared document]

Again, the threat actors placed a Cloudflare Turnstile challenge in front of the next hop, preventing automated link crawling and URL analysis by basic security tools.

[Screenshot: the Cloudflare Turnstile challenge]

Once more, following the completion of the verification test, the target would be redirected to a fake Microsoft login portal, and any information entered into the page would be sent directly to the attacker.

Case Study: Figma Phishing Attack

Another attack launched around the same time used Figma, a popular design collaboration tool, to distribute a malicious request for proposal (RFP). The email, disguised as a business request from a pest control company and sent via a compromised account, included a link to a shared Figma file.

[Screenshot: the Figma RFP phishing email]

Clicking on either of the links embedded in the email redirected targets first to a Figma page designed to appear as a notification regarding an RFP.

[Screenshot: the Figma page styled as an RFP notification]

As with the other two attacks, Cloudflare Turnstile verification was required before accessing the phishing page, effectively blocking security tools from evaluating the final URL.

[Screenshots: the redirect and the Cloudflare Turnstile challenge]

From there, the recipient would be redirected to a fake Microsoft login portal, where attackers attempted to harvest credentials.

[Screenshot: the fraudulent Microsoft sign-in portal]

What Makes These Attacks Effective?

These attacks are particularly effective because they take advantage of trusted platforms to evade detection while preying on human psychology.

Because the emails come from compromised or convincingly impersonated senders and link to known services like Canva, Lucidchart, and Figma, sender- and URL-reputation checks rarely flag them. Unlike traditional phishing, where the malicious link sits in the email body, these campaigns bury it inside a shared document hosted on the platform, so a scanner that only inspects the email sees nothing but a legitimate share link.

Beyond the technical evasion, these attacks exploit common workplace behaviors. Professionals regularly receive file-sharing notifications for projects, invoices, and design reviews, making them less likely to scrutinize these messages.

Additionally, the email subjects and content often introduce a sense of urgency, such as contract proposals that require immediate review or time-sensitive project updates. This pressure discourages critical thinking, increasing the likelihood of engagement.

Why Traditional Email Security Fails to Detect These Attacks

Legacy secure email gateways (SEGs) struggle with these attacks because the messages lack the usual markers of phishing.

Traditional detection relies on analyzing sender domains, scanning attachments for malware, and flagging links to known malicious sites. In these attacks the sender is a compromised vendor mailbox or a convincing lookalike, there is no attachment, and the only link in the email points to a legitimate, high-reputation platform, so none of those checks raises an immediate red flag.

The attacks also move the phishing engagement outside the email environment entirely, redirecting victims to cloud-hosted files before leading them to a credential theft page. Because the malicious link sits inside the shared document rather than the email body, tools that rely on inline URL scanning at delivery time have nothing suspicious to scan; the only URL they can see is a platform-hosted file with a clean reputation.

To further evade detection, the attackers placed a Cloudflare Turnstile challenge in front of the final page. A plain URL crawler cannot complete the challenge, so it never sees the credential-harvesting page, and a scanner that treats an unreachable destination as harmless is left blind to the attack. The practical fix on the defender's side is to treat a challenge-gated destination as an unresolved verdict rather than a clean one.
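An added example, not Abnormal's code or tooling, of how a URL-analysis step should handle the chain described in this section. It follows HTTP redirects through a pluggable fetcher, follows the single outbound link on the platform-hosted page, and stops with a `challenge_gated` verdict as soon as Turnstile markers appear, instead of reporting the link as clean; it also recognises a Microsoft-branded password form on a non-Microsoft host. The in-memory pages and every hostname except canva.com are constructed, and the list of legitimate Microsoft sign-in hosts is illustrative. The marker strings are the widget script path (`challenges.cloudflare.com/turnstile/v0/api.js`) and the `cf-turnstile` container class that Cloudflare's Turnstile embed uses.

```python
"""URL-analysis verdicts for a redirect chain that ends at a Cloudflare Turnstile gate.

Added example (not Abnormal's tooling). The fetcher is pluggable so the chain
can be walked offline here with constructed pages; in production pass a
function that performs one HTTP request without following redirects.
"""
import re
from urllib.parse import urljoin, urlparse

# How Turnstile is embedded in a page: the widget script and its container class.
TURNSTILE_MARKERS = ("challenges.cloudflare.com/turnstile/", "cf-turnstile")
# Hosts that may legitimately present a Microsoft sign-in form (illustrative, not exhaustive).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)
MS_BRANDING = re.compile(r"sign in to your account|microsoft|outlook|office 365", re.I)
MAX_HOPS = 10


def is_turnstile_gate(html):
    return any(marker in html for marker in TURNSTILE_MARKERS)


def looks_like_ms_credential_form(url, html):
    """Password form with Microsoft branding on a host that is not Microsoft's."""
    host = (urlparse(url).hostname or "").lower()
    return bool(PASSWORD_FIELD.search(html) and MS_BRANDING.search(html)) and host not in MICROSOFT_LOGIN_HOSTS


def next_outbound_link(url, html):
    """First href that leaves the current host (the 'View Complete Document' hop)."""
    here = (urlparse(url).hostname or "").lower()
    for href in re.findall(r"href=[\"']([^\"']+)[\"']", html):
        target = urljoin(url, href)
        if (urlparse(target).hostname or "").lower() not in ("", here):
            return target
    return None


def crawl(start_url, fetch):
    """Walk the chain. fetch(url) -> (status, headers, body).

    Verdicts: challenge_gated (hold; never mark clean), credential_phish,
    redirect_loop, hop_limit, no_findings.
    """
    chain, url = [], start_url
    while len(chain) < MAX_HOPS:
        if url in chain:
            return "redirect_loop", chain
        chain.append(url)
        status, headers, body = fetch(url)
        if 300 <= status < 400 and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        if is_turnstile_gate(body):
            return "challenge_gated", chain
        if looks_like_ms_credential_form(url, body):
            return "credential_phish", chain
        nxt = next_outbound_link(url, body)
        if nxt is None:
            return "no_findings", chain
        url = nxt
    return "hop_limit", chain


# Constructed in-memory pages modelled on the Canva case; every host except canva.com is a placeholder.
PAGES = {
    "https://www.canva.com/design/EXAMPLE-ID/view": (200, {},
        '<html><body>You have 1 new file. <a href="https://docs-relay.example.test/open">'
        'View Complete Document</a></body></html>'),
    "https://docs-relay.example.test/open": (302, {"Location": "/verify"}, ""),
    "https://docs-relay.example.test/verify": (200, {},
        '<html><script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>'
        '<div class="cf-turnstile" data-sitekey="0xEXAMPLE"></div></html>'),
    "https://account-verify.example.test/login": (200, {},
        '<html><h1>Sign in to your account</h1><form><input type="email" name="login">'
        '<input type="password" name="passwd"></form></html>'),
    "https://loop.example.test/a": (302, {"Location": "/a"}, ""),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client that does not follow redirects."""
    return PAGES.get(url, (404, {}, ""))


if __name__ == "__main__":
    for start in PAGES:
        print(start, "->", crawl(start, fake_fetch)[0])
```

The useful output is the `challenge_gated` verdict with the chain that led to it: a plain fetcher will never get past the gate, so the link should be held, rewritten for click-time re-evaluation, or handed to a full-browser detonation that can render the challenge, rather than scored as benign because the crawler saw no password form.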

As a result, organizations relying on rule-based security measures remain highly vulnerable to these sophisticated phishing techniques.

Defending Against Design Tool Phishing Attacks

Phishing attacks continue to evolve, and design and diagramming tools are the latest battleground. To mitigate risk, organizations must implement a multi-layered security strategy.

Security awareness training is the first line of defense against these attacks. Employees should be educated on how cybercriminals exploit well-known platforms to distribute phishing links and should understand the importance of scrutinizing file-sharing requests—especially those from unexpected sources. They should be instructed to verify the legitimacy of shared documents before engaging with them and be cautious of any messages urging immediate action.

Organizations should also consider adopting a zero-trust security model, which assumes that no request, whether internal or external, should be trusted by default. By continuously verifying user identities and enforcing strict access controls, zero trust ensures that login attempts from unexpected sources or devices trigger additional authentication checks. This limits what attackers can do even if they obtain valid credentials through a phishing attack. In practice that means enforcing multi-factor authentication, preferably a phishing-resistant method such as FIDO2 security keys or passkeys that will not authenticate to a lookalike domain, together with conditional access policies that challenge sign-ins from unfamiliar locations and devices; a password-only account is fully compromised the moment the fake Microsoft portal receives its credential.

Finally, behavioral AI for threat detection adds a layer that rule-based tools lack. Unlike traditional rule-based security solutions, AI-driven platforms analyze historical communication patterns and user behavior to detect anomalies. By identifying deviations from normal activity, such as an employee receiving an unexpected file-sharing request from a new sender, behavioral AI can flag and block potential threats before users interact with them. This proactive approach enhances email security by detecting and stopping phishing attempts that would otherwise bypass traditional defenses.

Evolving Threats Require Smarter Defenses

Phishing attacks leveraging design and diagramming tools represent a new frontier in email threats. By embedding phishing links within well-known platforms, attackers effectively disguise their intent, bypassing traditional security solutions and deceiving even the most vigilant users.

Defending against these threats requires a proactive, multi-layered security strategy. By combining education with AI-driven analysis, businesses can mitigate the risks posed by these increasingly deceptive phishing attacks.

For even more insights into the threat landscape and predictions for where it’s headed, download our report, Inbox Under Siege: 5 Email Attacks You Need to Know for 2025.
