Skip to content

Add detection rule for Square QR code abuse#4539

Merged
peterdj45 merged 5 commits into
mainfrom
peter.new.service_abuse_square_qr_code
May 26, 2026
Merged

Add detection rule for Square QR code abuse#4539
peterdj45 merged 5 commits into
mainfrom
peter.new.service_abuse_square_qr_code

Conversation

@peterdj45
Copy link
Copy Markdown
Member

@peterdj45 peterdj45 commented May 26, 2026

@peterdj45
Add detection rule for Square QR code abuse
938c2f0 
This rule detects messages from Square's marketing domain that contain suspicious QR codes redirecting to non-legitimate domains.
@peterdj45 peterdj45 requested a review from a team May 26, 2026 18:19
@peterdj45 peterdj45 requested a review from a team as a code owner May 26, 2026 18:19
@peterdj45
Copy link
Copy Markdown
Member Author

peterdj45 commented May 26, 2026

hunts look good, active campaign observed across several environments.

multi-hunt results in ESC-14160

@peterdj45 peterdj45 added the review-needed Indicates that a PR is waiting for review label May 26, 2026
@peterdj45
Update description for Square QR code detection rule
1121d13 
Removed reference to 'legitimate Square domains' in the description.
github-actions Bot added a commit that referenced this pull request May 26, 2026
@github-actions
[Shared Samples] [PR #4539] added rule: PR# 4539 - Service abuse: Squ…
888d5b0 
…are marketing with suspicious QR code
@MSAdministrator
Copy link
Copy Markdown
Member

MSAdministrator commented May 26, 2026
edited
Loading

@peterdj45 the samples you provided don't match the current rule but the inclusion of the or .url.domain.root_domain == "image2url.com" seems to be the match needed

MSAdministrator
MSAdministrator reviewed May 26, 2026
View reviewed changes
Comment thread detection-rules/service_abuse_square_QR_code.yml Outdated
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label May 26, 2026
github-actions Bot added a commit that referenced this pull request May 26, 2026
@github-actions
[Test Rules] [PR #4539] added rule: Service abuse: Square marketing w…
a1e3009 
…ith suspicious QR code
MSAdministrator
MSAdministrator approved these changes May 26, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@MSAdministrator MSAdministrator left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

zoomequipd
zoomequipd requested changes May 26, 2026
View reviewed changes
Comment thread detection-rules/service_abuse_square_QR_code.yml Outdated
@peterdj45 peterdj45 requested a review from zoomequipd May 26, 2026 19:26
zoomequipd
zoomequipd requested changes May 26, 2026
View reviewed changes
Comment thread detection-rules/service_abuse_square_QR_code.yml
@peterdj45 @zoomequipd
Update detection-rules/service_abuse_square_QR_code.yml
1176670 
Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
@peterdj45 peterdj45 added this pull request to the merge queue May 26, 2026
Merged via the queue into main with commit 55463e3 May 26, 2026
5 checks passed
@peterdj45 peterdj45 deleted the peter.new.service_abuse_square_qr_code branch May 26, 2026 19:48
github-actions Bot added a commit that referenced this pull request May 26, 2026
@github-actions
[Shared Samples] [PR #4539] Delete detection rule
ec6859d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoomequipd zoomequipd zoomequipd approved these changes

@MSAdministrator MSAdministrator MSAdministrator approved these changes

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry review-needed Indicates that a PR is waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@peterdj45 @MSAdministrator @zoomequipd