Canva Design With Suspicious Embedded Link

Sublime Rules

Summary
This detection rule identifies suspicious links embedded within Canva designs that may lead to credential harvesting sites. It combines HTML analysis, URL examination, and natural language understanding to scrutinize the embedded scripts in documents for any links that aren't from reputable sources. Specifically, it checks whether links originate from canva.com and whether their paths start with '/design/'. The rule then filters out known benign domains such as 'canva.com' and 'sentry.io', and classifies suspicious URLs based on indicators such as their top-level domains and whether natural language processing flags them as related to credential theft. If the conditions are met, the rule generates an alert indicating a high-severity potential phishing attempt.
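The logic described above can be sketched in Python as an added example; it is not the Sublime rule source. It assumes the design page HTML has already been fetched, and the suspicious-TLD list, the keyword check standing in for the NLU classifier, and all sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

BENIGN_ROOTS = {"canva.com", "sentry.io"}          # domains named in the summary
SUSPICIOUS_TLDS = {"top", "xyz", "click", "icu"}   # assumed list, not from the rule
CRED_TERMS = ("password", "sign in", "verify your account")  # assumed NLU stand-in
URL_RE = re.compile(r"https?://[^\s\"'<>\\)]+", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Constructed sample of a fetched design page (not real Canva markup).
SAMPLE_HTML = r'''<html><body><script>window.bootstrap = {"a":"https:\/\/www.canva.com\/_ajax\/x",
"err":"https://o0.ingest.sentry.io/0","link":"https:\/\/constructed-sample-host.top\/auth"};</script></body></html>'''

def root_domain(host):
    # Naive last-two-labels root; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_canva_design_link(url):
    p = urlparse(url)
    return root_domain(p.hostname or "") == "canva.com" and p.path.startswith("/design/")

def embedded_script_urls(design_html):
    urls = []
    for body in SCRIPT_RE.findall(design_html):
        # JSON inside scripts often escapes slashes as "\/"; undo that before matching.
        urls += URL_RE.findall(body.replace("\\/", "/"))
    return urls

def suspicious_embedded_links(message_link, design_html):
    # Only designs reached through a canva.com/design/ link are inspected.
    if not is_canva_design_link(message_link):
        return []
    cred_language = any(t in design_html.lower() for t in CRED_TERMS)
    hits = []
    for url in embedded_script_urls(design_html):
        host = urlparse(url).hostname or ""
        if root_domain(host) in BENIGN_ROOTS:
            continue  # drop known benign infrastructure
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS or cred_language:
            hits.append(url)
    return hits
```

Matching on the root domain rather than a substring keeps a host such as `canva.com.evil.example` from passing either the design-link check or the benign filter.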
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • Web Credential
  • Script
  • Application Log
Created: 2025-05-06