← Back to Explore
sublimemediumRule
Link: Squarespace infrastructure abuse
Detects inbound messages containing exactly one Squarespace tracking link but lacking authentic Squarespace email headers and sender patterns.
Detection Query
type.inbound
and any(body.links, .href_url.domain.domain == "engage.squarespace-mail.com")
and length(body.links) < 10
// there is one unique Squarespace Link in the message
and length(distinct(filter(body.links,
.href_url.domain.domain == "engage.squarespace-mail.com"
),
.href_url.url
)
) == 1
and not headers.return_path.domain.root_domain == "squarespace-mail.com"
and not any(headers.domains, .root_domain == "squarespace-mail.com")
and profile.by_sender_email().prevalence != "common"
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Squarespace infrastructure abuse"
description: "Detects inbound messages containing exactly one Squarespace tracking link but lacking authentic Squarespace email headers and sender patterns."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(body.links, .href_url.domain.domain == "engage.squarespace-mail.com")
and length(body.links) < 10
// there is one unique Squarespace Link in the message
and length(distinct(filter(body.links,
.href_url.domain.domain == "engage.squarespace-mail.com"
),
.href_url.url
)
) == 1
and not headers.return_path.domain.root_domain == "squarespace-mail.com"
and not any(headers.domains, .root_domain == "squarespace-mail.com")
and profile.by_sender_email().prevalence != "common"
attack_types:
- "Credential Phishing"
- "Spam"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Header analysis"
- "URL analysis"
- "Sender analysis"
id: "a8fe9d30-e64e-50e8-95d8-720e90676409"