In this attack, an employee was targeted with an email supposedly from Square indicating they had received a $950 award for their previous month’s sales. The email was sent from an account with username referencing Square and the display name of the sender was also modified to look like it was coming directly from Square. To hide the addresses of everyone receiving the email, the attacker BCC'd all of the recipients, so they couldn’t be seen. 

Status Bar Dots
Square Phishing Email

Had the recipient clicked on the link in the email, they would have been directed to a phishing page that mimicked the Square login page, which was hosted on a compromised domain.

Status Bar Dots
Square Phishing Page

Why It Bypassed Traditional Security

The URL found in the email is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. The email address used by the attacker to send the message had not been previously identified as malicious.

Detecting the Attack

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious. All of the recipients receiving the email were BCC’d, a common pattern when attackers send similar attacks to many recipients. 

Risk to Organization

If an employee entered credentials into the phishing page, attackers would have full access to their Square account, which could allow them to modify bank details linked to the account that would allow them to divert funds from legitimate transactions. If the Square account is also linked to a company bank account, then the targeted company could be directly impacted as well.

Analysis Overview




Credential Theft


BCC Recipient List


Employee Incentive

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo