From 938c2f0d6991458863ad50434ed21c7d7c1d38f7 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Tue, 26 May 2026 11:16:34 -0700
Subject: [PATCH 1/5] Add detection rule for Square QR code abuse

This rule detects messages from Square's marketing domain that contain suspicious QR codes redirecting to non-legitimate domains.
---
 .../service_abuse_square_QR_code.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 detection-rules/service_abuse_square_QR_code.yml

diff --git a/detection-rules/service_abuse_square_QR_code.yml b/detection-rules/service_abuse_square_QR_code.yml
new file mode 100644
index 00000000000..a1840f0e621
--- /dev/null
+++ b/detection-rules/service_abuse_square_QR_code.yml
@@ -0,0 +1,26 @@
+name: "Service abuse: Square marketing with suspicious QR code"
+description: "Detects messages from Square's marketing domain containing QR codes that redirect to self-service creation platforms, file sharing services, or image hosting services rather than legitimate Square domains."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and sender.email.domain.domain == "squaremktg.com"
+ and beta.scan_qr(file.message_screenshot()).found
+ and any(filter(beta.scan_qr(file.message_screenshot()).items,
+ // ignore square's own free website hosting service
+ .url.domain.root_domain != "square.site"
+ ),
+ .url.domain.root_domain in $self_service_creation_platform_domains
+ or .url.domain.root_domain in $free_file_hosts
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "QR code"
+ - "Free file host"
+detection_methods:
+ - "Computer Vision"
+ - "QR code analysis"
+ - "Sender analysis"
+ - "URL analysis"
From f0ba31266b1178c33b4a24643ae8a0c0b12eaf01 Mon Sep 17 00:00:00 2001
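Review bot: The sender condition `and sender.email.domain.domain == "squaremktg.com"` keys on the From-header domain alone, so the rule cannot distinguish a message that genuinely left Square's marketing infrastructure from one that merely spoofs that domain; for a rule titled "Service abuse" that distinction is presumably the point, so either gate on the message's authentication result (Sublime exposes this as `headers.auth_summary.dmarc.pass`, if I recall the schema correctly) or add a comment stating that spoofed senders are intentionally caught as well. Separately, `beta.scan_qr(file.message_screenshot())` is evaluated twice and the `.found` test is implied by a non-empty `any(...)`, so collapsing both into the single `any(filter(...))` expression would make the rule cheaper and easier to read. The `.url.domain.root_domain != "square.site"` exclusion only changes the outcome if `square.site` itself appears in one of the two lists, which the hunk does not say; a comment such as `// square.site is Square's own site builder and may appear in $self_service_creation_platform_domains` would explain why the filter exists.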
From: CI Bot
Date: Tue, 26 May 2026 18:20:52 +0000
Subject: [PATCH 2/5] Auto-format MQL and add rule IDs

---
 detection-rules/service_abuse_square_QR_code.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/service_abuse_square_QR_code.yml b/detection-rules/service_abuse_square_QR_code.yml
index a1840f0e621..eb6b59bf034 100644
--- a/detection-rules/service_abuse_square_QR_code.yml
+++ b/detection-rules/service_abuse_square_QR_code.yml
@@ -24,3 +24,4 @@ detection_methods:
 - "QR code analysis"
 - "Sender analysis"
 - "URL analysis"
+id: "079c81ff-45f6-5460-8dc5-f00dcfcdd57a"
From 1121d138811ba76cd0c4a19005a855745fa7da6b Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Tue, 26 May 2026 11:29:17 -0700
Subject: [PATCH 3/5] Update description for Square QR code detection rule

Removed reference to 'legitimate Square domains' in the description.
---
 detection-rules/service_abuse_square_QR_code.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/service_abuse_square_QR_code.yml b/detection-rules/service_abuse_square_QR_code.yml
index eb6b59bf034..66cef193fb8 100644
--- a/detection-rules/service_abuse_square_QR_code.yml
+++ b/detection-rules/service_abuse_square_QR_code.yml
@@ -1,5 +1,5 @@
 name: "Service abuse: Square marketing with suspicious QR code"
-description: "Detects messages from Square's marketing domain containing QR codes that redirect to self-service creation platforms, file sharing services, or image hosting services rather than legitimate Square domains."
+description: "Detects messages from Square's marketing domain containing QR codes that redirect to self-service creation platforms, file sharing services, or image hosting services."
 type: "rule"
 severity: "high"
 source: |
From 0877154cedcbb4b560435de4d388c6d49d6bd1ed Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Tue, 26 May 2026 12:25:51 -0700
Subject: [PATCH 4/5] add checks for subdomains

---
 detection-rules/service_abuse_square_QR_code.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/detection-rules/service_abuse_square_QR_code.yml b/detection-rules/service_abuse_square_QR_code.yml
index 66cef193fb8..34d37afc712 100644
--- a/detection-rules/service_abuse_square_QR_code.yml
+++ b/detection-rules/service_abuse_square_QR_code.yml
@@ -10,8 +10,14 @@ source: |
 // ignore square's own free website hosting service
 .url.domain.root_domain != "square.site"
 ),
- .url.domain.root_domain in $self_service_creation_platform_domains
- or .url.domain.root_domain in $free_file_hosts
+ (
+ .url.domain.root_domain in $self_service_creation_platform_domains
+ or .url.domain.domain in $self_service_creation_platform_domains
+ )
+ or (
+ .url.domain.root_domain in $free_file_hosts
+ or .url.domain.domain in $free_file_hosts
+ )
 )
 
 attack_types:
From 117667079a8d7cbd2a1c99cb8cb0e894a0582c8c Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Tue, 26 May 2026 12:37:06 -0700
Subject: [PATCH 5/5] Update detection-rules/service_abuse_square_QR_code.yml

Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
---
 detection-rules/service_abuse_square_QR_code.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/detection-rules/service_abuse_square_QR_code.yml b/detection-rules/service_abuse_square_QR_code.yml
index 34d37afc712..4bc78a266c9 100644
--- a/detection-rules/service_abuse_square_QR_code.yml
+++ b/detection-rules/service_abuse_square_QR_code.yml
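Review bot: The new `.url.domain.domain in $...` checks are not explained anywhere in the hunk, and why they are needed next to the existing `root_domain` checks is not obvious from the expression itself; a comment such as `// match on both the registrable domain and the full hostname, since the lists may carry subdomain entries` above the first parenthesised group would make the intent durable. The exclusion inside the `filter` still compares only `root_domain`, so after this change the exclusion and the positive match operate at different granularities — that looks intentional for `square.site`, but it is worth stating in the same comment. The two parenthesised groups are identical apart from the list name; if MQL allows it, testing `.url.domain.root_domain` and `.url.domain.domain` against each list once would halve the duplication. The enclosing `any(filter(...), ...)` expression begins above the hunk.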
@@ -6,6 +6,10 @@ source: |
 type.inbound
 and sender.email.domain.domain == "squaremktg.com"
 and beta.scan_qr(file.message_screenshot()).found
+ //
+ // This rule makes use of a beta feature and is subject to change without notice
+ // using the beta feature in custom rules is not suggested until it has been formally released
+ //
 and any(filter(beta.scan_qr(file.message_screenshot()).items,
 // ignore square's own free website hosting service
 .url.domain.root_domain != "square.site"