
Figma abuse from compromised vendor used in credential theft attack

Blog post from Sublime Security

Post Details
Author: Sam Scholten
Word Count: 475
Language: English
Summary

Sublime's Attack Spotlight series highlights the evolving threat landscape of email attacks, focusing on real-world examples, adversary tactics, and detection methods, with an emphasis on credential phishing attacks leveraging Living Off Trusted Service (LOTS) techniques. Recent attacks have utilized design tools like Figma and Canva, capitalizing on their trusted status in business environments to bypass link scanning and deliver multistage phishing payloads. A specific incident involved a compromised vendor email account sending a message with a Figma file link, which directed targets to a fake Microsoft login page to steal credentials. Sublime's AI-powered detection engine, including the Autonomous Security Analyst (ASA), successfully identified and prevented this attack using signals like self-sender patterns, references to multiple sharing platforms, and suspicious subject lines. The series underscores the importance of adaptive email security platforms that employ AI and machine learning to detect subtle discrepancies in order to mitigate these increasingly popular LOTS attacks.