New PayPal Phishing Scam Exploits MS365 Tools and Genuine-Looking Emails
Fortinet uncovers a new PayPal phishing scam exploiting legitimate platform features. Learn how this sophisticated attack works and how to protect yourself from falling victim.
SUMMARY
Phishing Scam Targets PayPal: Scammers exploit PayPal’s system to link victim accounts to unauthorized addresses.
Legitimate-Looking Emails: The scam uses real-looking emails and valid PayPal login pages to deceive users.
Microsoft365 Exploit: Attackers use MS365 domains to send PayPal money requests, bypassing phishing filters.
Account Takeover: Victims unknowingly link their PayPal accounts to the scammer, risking financial loss.
Stay Safe: Avoid unsolicited emails, verify URLs, and enable 2FA to protect your PayPal account.
Fortinet’s FortiGuard Labs has identified a sophisticated PayPal phishing scam targeting unsuspecting users by exploiting a loophole in the platform’s system. According to Fortinet’s CISO (Chief Information Security Officer) Carl Windsor, the scam leverages legitimate PayPal functionality to trick users into linking their accounts to unauthorized addresses, potentially granting attackers control over their finances.
The attack utilizes a seemingly legitimate email, often with a valid sender address and a genuine-looking URL. However, the true danger lies within the email’s content. It directs recipients to a legitimate PayPal login page, prompting them to log in to investigate a supposed payment request.
Screenshot of the actual phishing email (Via Fortinet’s FortiGuard Labs)
Further probing revealed that the scammer registered an MS365 test domain and created a Distribution List containing victim emails (Billingdepartments1gkjyryfjy876.onmicrosoft.com), then sent a legitimate PayPal money request to all recipients.
They added the list’s address in the PayPal web portal, so the money request that PayPal itself generated went to the list and was distributed to the targeted victims. Because Microsoft 365 applies its Sender Rewriting Scheme (SRS) to mail it forwards, the envelope sender was rewritten to the forwarding tenant’s domain, and the message passed SPF/DKIM/DMARC checks on arrival.
Once the victim logs in, the scammer’s account is linked to the victim’s account, giving the attacker control of the victim’s PayPal account. Because every component of the message is genuine, it passes the checks that PayPal’s own anti-phishing guidance tells users to perform.
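The pattern described above leaves a header-level trace a defender can look for: the message claims to be From: a PayPal address, yet its envelope sender (Return-Path) has been SRS-rewritten by a third-party forwarder, and the visible To: names a distribution list rather than the mailbox owner. The following Python is an added detection example, not code from Fortinet or the article. It assumes the classic `SRS0=` envelope format and a plus-addressed `+SRS=` variant (both layouts are treated as assumptions here), and every sample message is constructed.

```python
"""Flag brand mail that reached a mailbox via a third-party forwarder.

Added example (not from the Fortinet post). Heuristics:
  1. From: domain is a monitored brand (PayPal here).
  2. Return-Path is an SRS-rewritten address whose embedded original sender
     is that brand, but the forwarding domain is not, i.e. the message was
     relayed through someone else's tenant.
  3. The mailbox owner is not a visible recipient, which is what a
     distribution-list delivery looks like.
"""
import email
from email.utils import getaddresses, parseaddr
import re

# Brands treated as high-value (assumption: adjust to your organisation).
MONITORED_BRANDS = {"paypal.com"}

# Classic SRS0 layout: SRS0=<hash>=<tt>=<orig-domain>=<orig-local>@<forwarder>
SRS0_RE = re.compile(r"^SRS0=[^=]+=[^=]+=(?P<domain>[^=]+)=(?P<local>.+)$", re.I)
# Plus-addressed layout used by some hosted forwarders (assumed layout):
# <local>+SRS=<hash>=<tt>=<orig-domain>=<orig-local>@<forwarder>
SRS_PLUS_RE = re.compile(r"^[^+]+\+SRS=[^=]+=[^=]+=(?P<domain>[^=]+)=(?P<local>.+)$", re.I)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_srs(envelope_sender):
    """Return (forwarder_domain, original_sender) for an SRS-rewritten
    envelope sender, or None when the address is not SRS-rewritten."""
    local, _, fwd_domain = envelope_sender.rpartition("@")
    for rx in (SRS0_RE, SRS_PLUS_RE):
        m = rx.match(local)
        if m:
            return fwd_domain.lower(), f"{m['local']}@{m['domain']}".lower()
    return None


def assess(raw_message, mailbox_owner):
    """Return a list of findings for one RFC 5322 message; [] means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(visible)}

    brand = domain_of(header_from)
    if brand not in MONITORED_BRANDS:
        return []  # only brand mail is scored by this heuristic

    findings = []
    srs = parse_srs(envelope)
    if srs:
        fwd_domain, original = srs
        # Genuine brand mail relayed through someone else's forwarder.
        if domain_of(original) == brand and fwd_domain != brand:
            findings.append(f"brand mail from {brand} relayed through forwarder {fwd_domain}")
    if mailbox_owner.lower() not in recipients:
        findings.append("mailbox owner not among visible recipients (distribution list / Bcc)")
    return findings


# Constructed samples: a request PayPal sent straight to the user, and one that
# arrived through a forwarding tenant's distribution list.
DIRECT_REQUEST = """Return-Path: <service@paypal.com>
From: "PayPal" <service@paypal.com>
To: alice@example.net
Subject: Money request

You have received a money request.
"""

RELAYED_REQUEST = """Return-Path: <bounces+SRS=abcd=AB=paypal.com=service@example-tenant.onmicrosoft.com>
From: "PayPal" <service@paypal.com>
To: billing-list@example-tenant.onmicrosoft.com
Subject: Money request

You have received a money request.
"""

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT_REQUEST), ("relayed", RELAYED_REQUEST)):
        print(label, assess(raw, "alice@example.net"))
```

Neither signal is proof of fraud on its own: legitimate mail forwarding also produces SRS-rewritten senders, and mailing lists hide the owner from To: all the time. Together with a From: domain that a user would trust on sight, though, they describe exactly the relay path in this campaign, which makes them a useful trigger for a quarantine or a banner rather than a hard block.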
“The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall—someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look,” Windsor wrote in a blog post.
This new phishing scam highlights the importance of cybersecurity awareness. Users must be cautious of unsolicited emails, avoid clicking on links or attachments from unknown senders, hover over links to verify URLs, and never enter login credentials on websites unless certain of the authenticity. Enabling two-factor authentication (2FA) on PayPal accounts can further enhance security.