The rule 'Canva Infrastructure Abuse' detects fraudulent invoice or receipt messages leveraging Canva's design sharing feature. The rule specifies that the detection must occur within emails possessing a single attachment, incoming from a sender with the domain 'canva.com'. It examines the email body for specific phrases indicative of scams, such as mentions of phone numbers formatted in common patterns and warning messages to recipients about unauthorized transactions. Additionally, to trigger the rule, the content must include at least four indicators from a defined list, which contains terms associated with fraud alerts, subscriptions, and unusual activities. The rule employs a variety of regex and natural language understanding techniques to identify these patterns, ensuring comprehensive coverage of potential phishing attempts related to Canva's services.