Threat Intelligence

The Recipe Card That Passed Every Authentication Check

Written by Audian Paxson | Apr 2, 2026 11:00:00 AM
TL;DR: A phishing campaign disguised as a Canva design-share notification passed every email authentication check (SPF, DKIM for both canva.com and amazonses.com, and DMARC) and used real Canva infrastructure for all links. The lure was a shared design titled 'GLP-1 Primer Juice recipe card.' Microsoft flagged it SFTY:9.25 despite full auth. IRONSCALES auto-resolved it as phishing on first contact and kept re-quarantining the same campaign as it resurfaced across multiple mailboxes over the following months.

Severity: High. Tags: Brand Impersonation, Credential Harvesting, Vendor Scam. MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1598.003 (Phishing for Information: Spearphishing Link), T1534 (Internal Spearphishing).

The email arrived at 3:59 PM on a Wednesday in late October, and nothing about it looked wrong.

Subject: "A design has been shared with you!" From: "Michele Law (Canva)" at no-reply@canva.com. A clean Canva notification with one button: "Open in Canva." A brief personal-sounding note in the body: "Here is the GLP-1 Primer Juice recipe card."

A recipe card. Shared via Canva. From someone named Michele.

The Microsoft safety banner said: "You don't often get email from no-reply@canva.com." That was the only visible signal anything was off. The authentication layer said the opposite.

SPF: pass. DKIM: pass (signed by canva.com). DKIM: pass again (signed by amazonses.com). DMARC: pass. Composite auth: pass, reason 100. The email came from Amazon SES IP 54.240.76.85, a legitimate Canva sending address, relayed through Canva's own infrastructure. Every layer of email authentication confirmed the message was exactly what it claimed to be.

The only dissent: a single header field, SFTY:9.25, buried in the X-Forefront-Antispam-Report. Microsoft's quiet way of saying something felt wrong even if the rule engine couldn't name it.

When the Technical Surface Is Perfectly Clean

From the recipient's perspective, the scenario was entirely plausible. Someone at a company they might do business with uses Canva, made a recipe card, and sent it along. This is a thing people do.

The branding was real Canva styling, built by Canva's own template system. The footer included Canva's actual Australian business address, their ABN, and a working unsubscribe link. Canva built the notification, signed it, and delivered it through their own infrastructure. One click would have landed the recipient on a real canva.com page with a real access token.

That's the point. When attackers use legitimate platforms, they get the platform's authentication and visual credibility. The phishing payload doesn't need to live on a suspicious domain when it can live on canva.com.


The Wrapper That Hid the Chain

Every link ran through trail.canva.com before resolving to its final destination:

`hxxps://trail[.]canva[.]com/CL0/hxxps:/www[.]canva[.]com/design/DAG3Lwj7Yzs/share?accessToken=iu6fzZdCmZNemaIfjwCErQ&invite=c8iO_81MVF6w1DDKpvN8cw`

This is Canva's click-tracking mechanism, used in every share notification Canva sends. It encodes the destination URL and routes through trail.canva.com before forwarding the browser. From a link-scanning perspective, the wrapper resolves cleanly to a canva.com design page. Nothing in the redirect chain touches an attacker-owned domain.

That's what makes the technique effective. Whatever spear-phishing payload was staged inside the canvas sits one step past what automated scanners evaluate. The scanner sees canva.com, reports clean, and stops. It isn't wrong. It just isn't looking at what loads after the redirect resolves.

The Campaign Pattern That Gave It Away

Here's what the authentication headers couldn't see: this same campaign kept showing up.

The initial email hit a recipient at an accounting firm in late October 2025. IRONSCALES flagged it, auto-resolved it as phishing, and quarantined it. The confidence score was 68%, enough for automated action. Themis labeled it a vendor scam: first-time sender, multiple affected mailboxes, a legitimate platform as the delivery vehicle, and a CTA pointing into content that couldn't be pre-evaluated.

Then the campaign came back.

February 2026: same template, different mailbox. Quarantined. March 11: another hit. Quarantined. March 18: another. Quarantined. April 1: still running. Quarantined again.

Five months. The same lure, the same design ID, cycling through new recipients who hadn't seen it before. The attacker never changed the template or rotated the subject line. They didn't need to, because each new target was encountering it for the first time.

This is the persistence pattern that point-in-time scanning can't stop. A gateway that clears an email on arrival based on authentication has no mechanism to revisit that judgment when the same campaign resurfaces weeks later across different mailboxes.

One Click Away

The Canva design was live and accessible with the embedded access token. Whatever the attacker staged inside (a redirect, a fake login prompt, a credential form) was one click away from someone who trusted the wrapper.

The recipe card framing deserves credit for its plausibility. GLP-1 weight loss content is genuinely popular. A Canva-shared recipe card doesn't register as a corporate threat. It registers as a harmless personal share that ended up in a work inbox. The social engineering isn't technically sophisticated. It's just believable.

The target context adds weight: an accounting firm handling financial data for other businesses is a meaningful foothold. An innocuous-looking Canva share is a reasonable first move toward something more valuable.

What This Attack Teaches About Authentication Trust

Email authentication (SPF, DKIM, DMARC) was designed to solve a specific problem: forged sender domains. It solves that problem well. What it doesn't solve is what happens when the email is genuinely from the domain it claims, and that domain is being used to deliver a threat.

According to the Verizon Data Breach Investigations Report, phishing remains the top initial access vector for breaches. The most effective campaigns increasingly don't need to spoof anything. They use real platforms with real authentication. Canva. Google Docs. Dropbox. SharePoint. CISA has flagged this pattern directly: legitimate cloud services abused for phishing delivery specifically because they clear reputation and authentication filters.

A few things worth checking:

Don't blanket allow-list SaaS senders. Auto-approving anything from canva.com or google.com based on authentication alone creates a bypass. Those platforms get abused.

Understand what "clean" means in your link scanner. If the scanner stops at the first resolved domain, trail.canva.com returns clean every time. A scan that follows redirect chains to evaluate final landing page behavior catches more.

Correlate across mailboxes. One Canva share notification is ambiguous. Five hitting different employees over five months, all with the same design ID, is a campaign. Per-message analysis misses that entirely.

Weight first-time sender signals against context. no-reply@canva.com is legitimate globally. But a first-time sender to your specific org, sharing a design with no business context, is a different risk profile than a known contact.
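The two checks that point-in-time scanning misses here are unwrapping the trail.canva.com `/CL0/` wrapper to see the real destination, and correlating the design ID it exposes across mailboxes and months. The following is an added example (not IRONSCALES or Canva code) that does both over a constructed set of sightings modelled on the timeline above; the access token, invite value, mailbox names and the exact October and February dates are placeholders.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed tracking URL in the shape quoted in the post. Note the collapsed
# "https:/" inside the /CL0/ wrapper; the token and invite are placeholders.
TRACK_URL = ("https://trail.canva.com/CL0/https:/www.canva.com/design/"
             "DAG3Lwj7Yzs/share?accessToken=TOKEN_PLACEHOLDER&invite=INVITE_PLACEHOLDER")
# Constructed sightings: the five quarantines described in the post plus one
# unrelated share (different design ID, single mailbox) as a control.
SIGHTINGS = [
    {"date": "2025-10-29", "mailbox": "user1@firm.example", "url": TRACK_URL},
    {"date": "2026-02-10", "mailbox": "user2@firm.example", "url": TRACK_URL},
    {"date": "2026-03-11", "mailbox": "user3@firm.example", "url": TRACK_URL},
    {"date": "2026-03-18", "mailbox": "user4@firm.example", "url": TRACK_URL},
    {"date": "2026-04-01", "mailbox": "user5@firm.example", "url": TRACK_URL},
    {"date": "2026-03-20", "mailbox": "user2@firm.example",
     "url": TRACK_URL.replace("DAG3Lwj7Yzs", "DAGCONTROL01")},  # constructed control
]

def unwrap_tracking_url(url):
    """Return (first_hop_host, final_url). A scanner that stops at the first
    hop sees only the tracking host; the real destination is embedded after
    /CL0/ with its scheme's '//' collapsed to '/', which we restore."""
    first = urlparse(url)
    if not first.path.startswith("/CL0/"):
        return first.hostname, url
    inner = first.path[len("/CL0/"):]
    if first.query:
        inner += "?" + first.query
    inner = re.sub(r"^(https?:)/(?=[^/])", r"\1//", inner)
    return first.hostname, inner

def design_id(final_url):
    """Extract the Canva design ID from a /design/<id>/... path, or None."""
    m = re.search(r"/design/([A-Za-z0-9_-]+)/", urlparse(final_url).path)
    return m.group(1) if m else None

def correlate_campaign(sightings, min_mailboxes=3):
    """Group sightings by design ID; report IDs hitting >= min_mailboxes
    distinct mailboxes, with hit count and span in days. Per-message
    analysis never sees this, since each message passes auth on its own."""
    by_design = {}
    for s in sightings:
        did = design_id(unwrap_tracking_url(s["url"])[1])
        if did:
            by_design.setdefault(did, []).append(s)
    campaigns = {}
    for did, hits in by_design.items():
        mailboxes = {h["mailbox"] for h in hits}
        if len(mailboxes) >= min_mailboxes:
            days = sorted(date.fromisoformat(h["date"]) for h in hits)
            campaigns[did] = {"hits": len(hits), "mailboxes": len(mailboxes),
                              "span_days": (days[-1] - days[0]).days}
    return campaigns
```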

The authentication layer passed this email because it was supposed to. The question isn't whether authentication worked. It's whether your stack has anything left to evaluate once authentication says yes.

---

Indicators of Compromise

| Type | Value |
| --- | --- |
| Sender domain | canva[.]com |
| Sending infrastructure | 54[.]240[.]76[.]85 (Amazon SES) |
| Tracking redirect domain | trail[.]canva[.]com |
| Design ID (lure) | DAG3Lwj7Yzs |
| Subject line | A design has been shared with you! |
| Lure description | "GLP-1 Primer Juice recipe card" |
| Microsoft safety flag | SFTY:9.25 |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.