The cybersecurity community often encounters sophisticated phishing attempts, but a new PayPal phishing tactic recently dissected by Carl Windsor, Chief Information Security Officer (CISO) at Fortinet, takes the game to another level. This attack bypasses traditional indicators of phishing, tricking even the vigilant.
In his report, Windsor describes receiving a payment request email that appeared legitimate. He remarked, “The sender address appears to be valid and not spoofed, and the URL looks genuine.” It looks authentic enough to fool even seasoned individuals, let alone the unsuspecting public.
The key mechanism of this phishing attempt? When users click on the link, they are redirected to a seemingly genuine PayPal login page. Upon logging in, the victim unknowingly links their account to the attacker’s account address, effectively handing over access to the attacker.
This scheme involves clever use of Microsoft365’s free trial domains and its Sender Rewrite Scheme (SRS). Windsor explains: “The scammer appears to have simply registered an MS365 test domain, which is free for three months, and then created a Distribution List (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) containing victim emails.”
This setup ensures that the phishing email passes all SPF/DKIM/DMARC checks, making it difficult for automated systems—or even PayPal’s own phishing detection protocols—to flag it.
Traditional anti-phishing tools fail against this innovative scheme. Windsor emphasizes the importance of human vigilance: “The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid.”
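A defender-side header heuristic for this pattern, added here as an example and not taken from the Fortinet report: it inspects only message headers and flags a PayPal-origin mail whose envelope sender was rewritten by SRS and whose visible recipient is a distribution list on an onmicrosoft.com tenant rather than the user's own mailbox. The header values are constructed, and the tenant, list and mailbox addresses are placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample headers (not a real message): the From is a genuine paypal.com
# sender and authentication passed, but the mail was addressed to a distribution list on
# an onmicrosoft.com tenant and the envelope sender was rewritten by SRS on the way in.
SAMPLE_HEADERS = """\
Return-Path: <bounces+SRS=abc12=AB@example.onmicrosoft.com>
From: "service@paypal.com" <service@paypal.com>
To: billing@example.onmicrosoft.com
Subject: Payment request
Authentication-Results: spf=pass; dkim=pass header.d=paypal.com; dmarc=pass
"""

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def local_part(addr: str) -> str:
    return addr.rsplit("@", 1)[0].lower() if "@" in addr else ""

def analyze(raw_headers: str, mailbox: str) -> dict:
    """Return the individual indicators plus an overall verdict for one message."""
    msg = message_from_string(raw_headers)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return_path = (msg.get("Return-Path") or "").strip("<> ")
    from_paypal = any(domain(a) == "paypal.com" for a in from_addrs)
    # The real PayPal mail was sent to the attacker's list, so the victim's own mailbox
    # never appears in To/Cc; the visible recipient is a tenant distribution list instead.
    not_addressed_to_me = mailbox.lower() not in to_addrs
    via_ms365_list = any(domain(a).endswith(".onmicrosoft.com") for a in to_addrs)
    # Sender Rewriting Scheme changes the envelope sender so SPF passes for the forwarder;
    # SRS0=/SRS1= and Microsoft's bounces+SRS= forms are the common shapes of that rewrite.
    lp = local_part(return_path)
    srs_rewritten = lp.startswith(("srs0=", "srs1=")) or "+srs=" in lp
    envelope_mismatch = domain(return_path) not in ("", "paypal.com")
    suspicious = from_paypal and srs_rewritten and (not_addressed_to_me or via_ms365_list)
    return {
        "from_paypal": from_paypal,
        "not_addressed_to_me": not_addressed_to_me,
        "via_ms365_list": via_ms365_list,
        "srs_rewritten": srs_rewritten,
        "envelope_mismatch": envelope_mismatch,
        "suspicious": suspicious,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_HEADERS, "victim@example.com"))
```

Because SPF, DKIM and DMARC all pass on a genuine PayPal message, the useful signal is the mismatch between who the mail was addressed to and who actually received it, which is what this check surfaces.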
Organizations must prioritize education, ensuring their workforce is prepared for emerging threats. For more insights into this phishing scheme, see Fortinet’s detailed breakdown of the attack.