Phishing Campaign Abuses Legitimate Services to Send PayPal Requests

Phishing Kit Imitates PayPal A phishing campaign is abusing Microsoft 365 test domains to send legitimate payment requests from PayPal, according to Fortinet’s CISO Dr. Carl Windsor.

Windsor found that the threat actor registered a free MS365 test domain and used it to create a distribution list containing targets’ email addresses. The scammer then used this distribution list to send payment requests via PayPal’s web portal.

“When you click on the link, you are redirected to a PayPal login page showing a request for payment,” Windsor writes. “A panicked person may be tempted to log in with their account details, but this would be very dangerous. It links your PayPal account address with the address it was sent to—not where you received it.”

If a victim uses this portal to log into their PayPal account, their account will be linked to the scammer’s PayPal account.

“This money request is then distributed to the targeted victims, and the Microsoft365 SRS (Sender Rewrite Scheme) rewrites the sender to, e.g., bounces+SRS=onDJv=S6[@]5ln7g7[.]onmicrosoft[.]com, which will pass the SPF/DKIM/DMARC check,” Windsor explains.

“Once the panicking victim logs in to see what is going on, the scammer’s account gets linked to the victim’s account. The scammer can then take control of the victim's PayPal account—a neat trick. It’s so neat, in fact, that it would sneak past even PayPal’s own phishing check instructions.”

This phishing attack is notable because it abused legitimate services at every step, increasing the likelihood that the messages would bypass security filters and fool untrained users.

Windsor concludes, “The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall—someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look. This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves—and your organization—safe.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Fortinet has the story.

Will your users respond to phishing emails?

KnowBe4's Phishing Reply Test (PRT) is a complimentary IT security tool that makes it easy for you to check to see if key users in your organization will reply to a highly targeted phishing attack without clicking on a link. PRT will give you quick insights into how many users will take the bait so you can take action to train your users and better protect your organization from these fraudulent attacks!

Here's how it works: