High Severity

Service abuse: Square marketing with suspicious QR code

Description

Detects messages from Square's marketing domain containing QR codes that redirect to self-service creation platforms, file sharing services, or image hosting services.

References

No references.

Sublime Security
Created May 26th, 2026 • Last updated May 26th, 2026
Source
type.inbound
and sender.email.domain.domain == "squaremktg.com"
and beta.scan_qr(file.message_screenshot()).found
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and any(filter(beta.scan_qr(file.message_screenshot()).items,
               // ignore square's own free website hosting service
               .url.domain.root_domain != "square.site"
        ),
        (
          .url.domain.root_domain in $self_service_creation_platform_domains
          or .url.domain.domain in $self_service_creation_platform_domains
        )
        or (
          .url.domain.root_domain in $free_file_hosts
          or .url.domain.domain in $free_file_hosts
        )
)
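An added example, not part of the Sublime rule or its engine: the rule's matching logic re-expressed in plain Python over already-decoded QR URLs, showing why each list is checked against both the root domain and the full domain. The list contents, the sample URLs and the last-two-labels root-domain shortcut are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed stand-ins for $self_service_creation_platform_domains and
# $free_file_hosts; the real list contents are not shown on the page.
SELF_SERVICE = {"builder.example", "forms.hosting.example"}
FREE_FILE_HOSTS = {"files.example", "img.cdn.example"}


def domains(url):
    """Return (full host, root domain). Root is simplified to the last two
    labels; a real implementation would consult the Public Suffix List."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host, ".".join(host.split(".")[-2:])


def flagged_qr_urls(qr_urls):
    """URLs that survive the square.site filter and hit either list."""
    hits = []
    for url in qr_urls:
        host, root = domains(url)
        if root == "square.site":  # Square's own free website hosting
            continue
        if any(root in lst or host in lst
               for lst in (SELF_SERVICE, FREE_FILE_HOSTS)):
            hits.append(url)
    return hits


def rule_matches(inbound, sender_domain, qr_urls):
    """All top-level conditions of the rule, ANDed together."""
    return (inbound
            and sender_domain == "squaremktg.com"
            and len(qr_urls) > 0            # beta.scan_qr(...).found
            and len(flagged_qr_urls(qr_urls)) > 0)


if __name__ == "__main__":
    # Constructed sample messages: (sender domain, decoded QR URLs)
    samples = [
        ("squaremktg.com", ["https://shop.square.site/promo"]),
        ("squaremktg.com", ["https://forms.hosting.example/f/1"]),
        ("squaremktg.com", ["https://u123.builder.example/login"]),
        ("example.org", ["https://files.example/d/abc"]),
    ]
    for sender, urls in samples:
        print(sender, urls, "->", rule_matches(True, sender, urls))
```

A list entry that is itself a subdomain (here `forms.hosting.example`) only matches through the full-domain comparison, while per-tenant subdomains of a listed root (here `u123.builder.example`) only match through the root-domain comparison.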