Service abuse: Square marketing with suspicious QR code

Detects messages from Square's marketing domain containing QR codes that redirect to self-service creation platforms, file sharing services, or image hosting services.

Sublime rule

name: "Service abuse: Square marketing with suspicious QR code"
description: "Detects messages from Square's marketing domain containing QR codes that redirect to self-service creation platforms, file sharing services, or image hosting services."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.domain == "squaremktg.com"
  and beta.scan_qr(file.message_screenshot()).found
  //
  // This rule makes use of a beta feature and is subject to change without notice.
  // Using the beta feature in custom rules is not suggested until it has been formally released.
  //
  and any(filter(beta.scan_qr(file.message_screenshot()).items,
                 // ignore Square's own free website hosting service
                 .url.domain.root_domain != "square.site"
          ),
          (
            .url.domain.root_domain in $self_service_creation_platform_domains
            or .url.domain.domain in $self_service_creation_platform_domains
          )
          or (
            .url.domain.root_domain in $free_file_hosts
            or .url.domain.domain in $free_file_hosts
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "QR code"
  - "Free file host"
detection_methods:
  - "Computer Vision"
  - "QR code analysis"
  - "Sender analysis"
  - "URL analysis"
id: "079c81ff-45f6-5460-8dc5-f00dcfcdd57a"
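To make the rule's evaluation order concrete, the following is an added Python walk-through of the same logic; it is not Sublime's rule engine or any code from the Sublime project. It assumes the decoded QR targets are already available as URL strings (the output of `beta.scan_qr(file.message_screenshot()).items` in the real rule), the two managed lists are replaced with constructed sample entries, and `root_domain` is a simplified last-two-labels approximation of MQL's public-suffix-aware `.root_domain`. The sample messages are constructed; the interesting case is the full-domain match, which shows why the rule checks both `.url.domain.domain` and `.url.domain.root_domain`.

```python
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's managed lists. The real
# $self_service_creation_platform_domains and $free_file_hosts lists are
# maintained by Sublime and are not reproduced here.
SELF_SERVICE_CREATION_PLATFORM_DOMAINS = {
    "example-sites.test",           # caught via root_domain
    "pages.example-builder.test",   # caught only via the full domain
}
FREE_FILE_HOSTS = {"example-share.test"}

# The rule's filter() drops Square's own free website hosting service.
EXCLUDED_ROOT_DOMAINS = {"square.site"}


def root_domain(host: str) -> str:
    """Simplified stand-in for MQL's .root_domain: the last two labels.
    Sublime's real implementation is public-suffix aware (e.g. co.uk);
    this approximation is sufficient for the constructed sample hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def qr_target_is_suspicious(url: str) -> bool:
    """Evaluate one decoded QR item the way the rule's filter()/any()
    predicate does: skip square.site, then check both the root domain
    and the full domain against the two lists."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return False
    root = root_domain(host)
    if root in EXCLUDED_ROOT_DOMAINS:
        return False
    return (
        root in SELF_SERVICE_CREATION_PLATFORM_DOMAINS
        or host in SELF_SERVICE_CREATION_PLATFORM_DOMAINS
        or root in FREE_FILE_HOSTS
        or host in FREE_FILE_HOSTS
    )


def rule_matches(inbound: bool, sender_domain: str, qr_urls: list[str]) -> bool:
    """Mirror the rule's top-level conditions in order: type.inbound,
    the sender domain, scan_qr(...).found, then the any() clause."""
    if not inbound:
        return False
    if sender_domain.lower() != "squaremktg.com":
        return False
    if not qr_urls:  # beta.scan_qr(file.message_screenshot()).found is false
        return False
    return any(qr_target_is_suspicious(u) for u in qr_urls)


# Constructed sample messages: (label, inbound, sender domain, decoded QR URLs)
SAMPLE_MESSAGES = [
    ("legit square campaign", True, "squaremktg.com",
     ["https://mystore.square.site/menu"]),
    ("root-domain match", True, "squaremktg.com",
     ["https://app.example-sites.test/p/123"]),
    ("full-domain match", True, "squaremktg.com",
     ["https://pages.example-builder.test/login"]),
    ("file host beside a square.site QR", True, "squaremktg.com",
     ["https://mystore.square.site/", "https://cdn.example-share.test/f/abc"]),
    ("no QR code", True, "squaremktg.com", []),
    ("other sender", True, "example.com",
     ["https://app.example-sites.test/p/123"]),
]


def evaluate_samples() -> dict[str, bool]:
    """Run every constructed sample through the rule and return the verdicts."""
    return {label: rule_matches(inbound, sender, urls)
            for label, inbound, sender, urls in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{'MATCH' if verdict else 'pass '}  {label}")
```

Running the script shows that a message whose only QR code points at a `square.site` storefront passes, while a message that carries one harmless `square.site` QR code next to one pointing at a listed file host still matches, because `any()` is evaluated over the filtered items rather than requiring all of them to be suspicious.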