
Summary
Technical summary: This rule detects brand-impersonation phishing embedded in Figma design shares. It targets inbound email that appears to come from Figma (a no-reply email address) and whose subject matches a pattern related to proposals. The detection logic requires exactly one Figma thumbnail image in the HTML body (an image whose src contains the Figma thumbnail CDN URL), and active OCR of the message screenshot must yield the text 'access document'. The malicious content is rendered in the Figma-hosted thumbnail image so that it resembles legitimate brand communications and bypasses standard sender-reputation checks. If all conditions are met, the rule flags the message as credential phishing via brand impersonation. The rule combines sender analysis, HTML analysis, URL screenshot, OCR, and URL analysis. It relies on a beta OCR feature and is subject to change. The attack vector combines brand impersonation, social engineering, and image-as-content delivered through a legitimate design-sharing channel to deceive recipients.
Categories
- Web
Data Sources
- Image
Created: 2026-05-28
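
The conditions in the summary above, evaluated over a constructed message as an added example (not the rule's own source). The sender address, CDN URL and subject regex are placeholders because the page does not give the real values, and the OCR output is passed in as text rather than produced here.

```python
import re
from html.parser import HTMLParser

# Placeholders (assumptions): the page does not state the real sender
# address, thumbnail CDN URL or subject regex used by the rule.
FIGMA_SENDER = "no-reply@figma.example"
THUMBNAIL_CDN = "https://thumbnail-cdn.figma.example/"
SUBJECT_RE = re.compile(r"\bproposal\b", re.IGNORECASE)
OCR_PHRASE = "access document"  # phrase named in the rule summary

# Constructed sample body: one thumbnail from the placeholder CDN plus an unrelated logo.
SAMPLE_HTML = (
    '<p>A file was shared with you</p>'
    '<img src="https://thumbnail-cdn.figma.example/abc123">'
    '<img src="https://static.example/logo.png"/>'
)


class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources.append(dict(attrs).get("src") or "")


def evaluate(sender, subject, html_body, ocr_text):
    """Return the result of each condition and the overall verdict under 'flag'."""
    parser = ImgCollector()
    parser.feed(html_body)
    # Only images served from the thumbnail CDN count toward the "exactly one" test.
    thumbs = [s for s in parser.sources if THUMBNAIL_CDN in s]
    # OCR output often carries stray line breaks and mixed case, so normalize first.
    normalized = " ".join(ocr_text.lower().split())
    checks = {
        "sender": sender.strip().lower() == FIGMA_SENDER,
        "subject": bool(SUBJECT_RE.search(subject)),
        "one_thumbnail": len(thumbs) == 1,
        "ocr_phrase": OCR_PHRASE in normalized,
    }
    checks["flag"] = all(checks.values())
    return checks
```

Returning the per-condition results alongside the verdict shows which condition failed when a message is not flagged, which helps when tuning against false negatives.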