A recent investigation by cybersecurity firm Fortinet has uncovered a sophisticated phishing scheme targeting PayPal users. This campaign leverages genuine PayPal links to deceive recipients, ultimately allowing cybercriminals to gain unauthorized access to users' accounts.
The Phishing Tactic
The phishing operation involves emails that closely emulate authentic PayPal notifications. These messages often include transaction details, warnings, and utilize a legitimate PayPal email address and URL to evade security systems. When victims click on the link in the email, they are taken to a real PayPal login page where they see a payment request. If users, in a state of panic, input their login data, their PayPal account becomes associated with a fraudulent email address used by the attackers, enabling a security breach. A report from Fortinet describes the scenario: "A panicked person may be tempted to log in with their account details, but this would be very dangerous. It links your PayPal account address with the address it was sent to—not where you received it."
Behind the Scenes
The scammers reportedly registered a free Microsoft 365 trial tenant, valid for three months, and configured a distribution list containing the victims' email addresses. This list, appearing as Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com, is then used to initiate money requests via the PayPal portal. Delivery of these requests is further helped by Microsoft 365's Sender Rewrite Scheme (SRS), which rewrites the sender address so the forwarded messages circumvent SPF/DKIM/DMARC checks. This method enables threat actors to stealthily link their account to a victim's PayPal account by abusing an initially legitimate request process.
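As an added example (not code from the Fortinet report), the following Python check looks for the two header-level signals described above: an SRS-rewritten Return-Path, and a To: address that is an onmicrosoft.com distribution list rather than the recipient's own mailbox. The sample message and every address in it are constructed placeholders, and the Microsoft 365 "+SRS=" rewrite form is an assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a request notification that reached the user via a
# distribution list in another tenant. Addresses are placeholders, not IoCs.
SAMPLE = """Return-Path: <bounces+SRS=abc12=xy=paypal.com=service@examplelist.onmicrosoft.com>
From: service@paypal.com
To: Billingdepartments1@examplelist.onmicrosoft.com
Subject: You have a money request

Please review the payment request.
"""

SRS_PATTERNS = (
    re.compile(r"^SRS0[=+-]", re.I),   # classic SRS0=HHH=TT=domain=user@forwarder
    re.compile(r"\+SRS=", re.I),       # Microsoft 365 style rewrite (assumed format)
)


def analyse(raw, my_mailbox):
    """Return a list of findings for a raw RFC 5322 message delivered to my_mailbox."""
    msg = message_from_string(raw)
    findings = []

    # 1. Envelope sender rewritten by SRS: the message was forwarded by a third party.
    return_path = (msg.get("Return-Path") or "").strip("<> ")
    if any(p.search(return_path) for p in SRS_PATTERNS):
        findings.append("srs-rewritten envelope sender (message was forwarded)")

    # 2. Our mailbox is not in To:, so we received it through a list or alias.
    to_addrs = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    if my_mailbox.lower() not in to_addrs:
        findings.append("recipient mailbox absent from To: (delivered via a list)")

    # 3. The To: address lives in a default onmicrosoft.com tenant domain.
    if any(addr.endswith(".onmicrosoft.com") for addr in to_addrs):
        findings.append("To: address is an onmicrosoft.com tenant domain")

    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE, "alice@example.org"):
        print("WARN:", finding)
```

All three findings fire on the constructed sample; a message addressed directly to the user with a plain Return-Path yields an empty list.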
Defense Against the Attack
Although the scam uses legitimate web addresses and sender addresses, it underscores the importance of vigilant email practices. Users should remain wary of unsolicited emails, however legitimate they appear. Fortinet highlights the crucial role of awareness in preventing such attacks: "This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves—and your organization—safe."