Canva Turns into a Hacker’s Playground — Phishing with a Design Tool?!

Lazy? – What Even Is This?
Hackers are now abusing Canva (yep, the thing you use to make birthday invites and Instagram quotes) as a phishing delivery system. Instead of sketchy links from haxx0r.biz, victims get clean-looking canva.com or canva.site pages. Trust + Canva = instant click bait.
Target audience: Security leaders, SOC teams, email/web admins, awareness trainers, and literally any org that uses Canva with Google/Microsoft accounts.
How the Scam Works (Step by Step Horror Show)
- Step 1 – Canva Website Abuse: Attackers publish a fake Canva “website” that looks like an invoice, hosted on a perfectly trusted Canva domain. Security filters? Passed.
- Step 2 – The Trap: Victim clicks → sees a fake reCAPTCHA. Solve the “I’m not a robot” puzzle, and instead of cat pictures… a `window.location.replace()` call teleports you to a shady attacker server.
- Step 3 – Browser-in-the-Browser Magic: You get a Google OAuth login clone so realistic it would fool your grandma. Enter creds + OTP → boom, stolen. Some runs even drop .hta malware (Cobalt Strike, for example) for extra pain.
Why It’s Extra Dangerous
- Clean Until Click-Time – scanners say “all good” until the redirect actually fires.
- Brand Trust – Canva link = “looks safe,” bypasses reputation checks.
- MFA Bypass – real-time reverse-proxying steals your one-time codes too.
- Cloudflare Armor – attacker domains hide behind Cloudflare + random gibberish URLs.
- Whack-a-Mole – remove one Canva link, hackers spawn ten more instantly.
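The click-time hop from Step 2 (Canva-hosted page → JavaScript redirect to the attacker’s server) is exactly what “Clean Until Click-Time” hides from pre-delivery scanners, but it still leaves a trace in your own web-proxy logs. Below is an added detection example (not code from the original post or from Keepnet Labs) that runs over constructed proxy log lines and flags any request whose Referer is a Canva origin but whose destination is not a Canva host; the log format, the client addresses and the `attacker.example` host are all assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed proxy log lines (not from the original post), one request per line:
# <timestamp> <client-ip> <requested-url> <referer-or-dash>
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 https://www.canva.com/design/DAF123/view -
2024-05-01T09:00:14Z 10.0.0.5 https://invoice-review.canva.site/ https://www.canva.com/
2024-05-01T09:00:29Z 10.0.0.5 https://x7q2k9.attacker.example/verify https://invoice-review.canva.site/
2024-05-01T09:00:31Z 10.0.0.5 https://x7q2k9.attacker.example/oauth https://x7q2k9.attacker.example/verify
2024-05-01T09:05:00Z 10.0.0.8 https://www.canva.com/brand/ -
2024-05-01T09:05:03Z 10.0.0.8 https://static.canva.com/app.js https://www.canva.com/brand/
"""

# The trusted hosting domains the post names; subdomains are covered too.
CANVA_DOMAINS = ("canva.com", "canva.site")


def is_canva_host(host: str) -> bool:
    """True for canva.com / canva.site and any subdomain of them."""
    return any(host == d or host.endswith("." + d) for d in CANVA_DOMAINS)


def parse_line(line: str):
    ts, client, url, referer = line.split()
    return ts, client, urlparse(url), (None if referer == "-" else urlparse(referer))


def detect_canva_hops(log_text: str) -> list[dict]:
    """Flag requests that leave a Canva-hosted page for a non-Canva host.

    The post's chain is Canva page -> fake reCAPTCHA -> JS redirect to the
    attacker server. In proxy logs that hop appears as a request whose Referer
    is a Canva origin and whose destination is outside Canva. Ordinary Canva
    use (app assets, other Canva subdomains) stays inside the allowlist, so
    the second client in SAMPLE_LOG produces no hit.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, dest, ref = parse_line(raw)
        if ref is None or not is_canva_host(ref.hostname or ""):
            continue                      # not coming from a Canva page
        if is_canva_host(dest.hostname or ""):
            continue                      # Canva-to-Canva navigation is normal
        hits.append({"time": ts, "client": client, "source": ref.hostname, "dest": dest.hostname})
    return hits


if __name__ == "__main__":
    for hit in detect_canva_hops(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} left {hit['source']} for {hit['dest']}")
```

Feed the flagged destinations into a newly-seen-domain check; a first-ever host behind Cloudflare with a random-looking label, reached straight from a Canva page, is the pattern the post describes.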
Final Thought
Hackers using Canva to phish you is like being mugged by the same guy who designed your wedding invitation. It’s clean, it’s sneaky, and it’s scary effective.
Moral of the story: don’t blindly trust “canva.com” links in your inbox. If your job title includes the word security (or you just hate giving hackers free creds), spread the word and lock it down.
Source: Keepnet Labs – How Hackers Abuse Canva to Distribute Phishing Attacks