Phishing Campaign Abuses Legitimate Services to Send PayPal Requests

A phishing campaign is abusing Microsoft 365 test domains to send legitimate payment requests from PayPal, according to Fortinet’s CISO Dr. Carl Windsor.

Windsor found that the threat actor registered a free MS365 test domain and used it to create a distribution list containing targets’ email addresses. The scammer then used this distribution list to send payment requests via PayPal’s web portal.

“When you click on the link, you are redirected to a PayPal login page showing a request for payment,” Windsor writes. “A panicked person may be tempted to log in with their account details, but this would be very dangerous. It links your PayPal account address with the address it was sent to—not where you received it.”

If a victim uses this portal to log into their PayPal account, their account will be linked to the scammer’s PayPal account.

“This money request is then distributed to the targeted victims, and the Microsoft365 SRS (Sender Rewrite Scheme) rewrites the sender to, e.g., bounces+SRS=onDJv=S6[@]5ln7g7[.]onmicrosoft[.]com, which will pass the SPF/DKIM/DMARC check,” Windsor explains.

“Once the panicking victim logs in to see what is going on, the scammer’s account gets linked to the victim’s account. The scammer can then take control of the victim’s PayPal account—a neat trick. It’s so neat, in fact, that it would sneak past even PayPal’s own phishing check instructions.”

This phishing attack is notable because it abused legitimate services at every step, increasing the likelihood that the messages would bypass security filters and fool untrained users.

Windsor concludes, “The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall—someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look. This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves—and your organization—safe.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Fortinet has the story.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!