Link: Squarespace Infrastructure Abuse

Detects inbound messages containing exactly one Squarespace tracking link but lacking authentic Squarespace email headers and sender patterns.

Sublime rule (View on GitHub)

name: "Link: Squarespace Infrastructure Abuse"
description: "Detects inbound messages containing exactly one Squarespace tracking link but lacking authentic Squarespace email headers and sender patterns."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // at least one link points at the Squarespace click-tracking host
  and any(body.links, .href_url.domain.domain == "engage.squarespace-mail.com")
  // keep the scope to short, link-light messages
  and length(body.links) < 10
  // there is one unique Squarespace Link in the message
  and length(distinct(filter(body.links,
                             .href_url.domain.domain == "engage.squarespace-mail.com"
                      ),
                      .href_url.url
             )
  ) == 1
  // genuine Squarespace mail carries its domain in the Return-Path and other headers
  and not headers.return_path.domain.root_domain == "squarespace-mail.com"
  and not any(headers.domains, .root_domain == "squarespace-mail.com")
  // exclude senders the recipient organization already corresponds with regularly
  and profile.by_sender_email().prevalence != "common"

attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
id: "a8fe9d30-e64e-50e8-95d8-720e90676409"
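The same conditions re-implemented in Python over constructed sample messages, as an added example that is not part of the Sublime rule or its repository: the message dictionary layout, the `squarespace_abuse` function and the simplified root-domain helper (last two labels only) are assumptions made for this illustration.

```python
# Added example (not the rule's own code): mirrors the rule's link, header and
# sender checks over hand-built messages so the exclusions can be seen to work.
from urllib.parse import urlsplit

SQS_LINK_HOST = "engage.squarespace-mail.com"
SQS_ROOT = "squarespace-mail.com"


def root_domain(host):
    """Last two labels of a hostname (assumption: no multi-label public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def squarespace_abuse(msg):
    """Return True when the message matches the rule's conditions.

    msg keys (constructed layout): inbound (bool), links (href URLs),
    return_path_domain, header_domains (list), sender_prevalence (str).
    """
    if not msg["inbound"]:
        return False
    links = msg["links"]
    # distinct Squarespace tracking URLs, as in distinct(filter(...), .href_url.url)
    sqs_urls = {u for u in links
                if (urlsplit(u).hostname or "").lower() == SQS_LINK_HOST}
    if not sqs_urls or len(links) >= 10 or len(sqs_urls) != 1:
        return False
    # genuine Squarespace mail: Return-Path or header domains carry its root domain
    if root_domain(msg["return_path_domain"]) == SQS_ROOT:
        return False
    if any(root_domain(d) == SQS_ROOT for d in msg["header_domains"]):
        return False
    return msg["sender_prevalence"] != "common"


# Constructed sample messages (not real captures).
LEGIT = {"inbound": True,
         "links": ["https://engage.squarespace-mail.com/r?c=abc"],
         "return_path_domain": "bounce.squarespace-mail.com",
         "header_domains": ["squarespace-mail.com", "squarespace.com"],
         "sender_prevalence": "rare"}
ABUSE = {"inbound": True,
         "links": ["https://engage.squarespace-mail.com/r?c=xyz",
                   "https://engage.squarespace-mail.com/r?c=xyz"],
         "return_path_domain": "mail.unrelated-sender.example",
         "header_domains": ["unrelated-sender.example"],
         "sender_prevalence": "new"}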