App Store invoice abused by DKIM replay attack | Image: Kaseya
Phishing attacks have evolved beyond poorly spelled emails and suspicious links. A new report by Kaseya (featuring data from INKY) reveals that cybercriminals are now weaponizing the very tools businesses trust the most. By abusing legitimate invoice and notification systems from giants like PayPal, Apple, and DocuSign, attackers are sending “perfect” emails that sail past security filters.
These attacks, known as DKIM replay attacks, do not break email authentication; they exploit what it actually proves. DKIM (DomainKeys Identified Mail) verifies only that a message was signed by the vendor's key and that the signed headers and body have not been modified since, and DMARC (Domain-based Message Authentication, Reporting, and Conformance) passes as long as that valid signature aligns with the From: domain. Neither check says anything about who the vendor meant to receive the message or who relayed it afterwards, so because the emails really were generated and signed by the vendors themselves, they pass both checks and leave users and security gateways none the wiser.
The core of the attack is simple but effective. Attackers create a real invoice or dispute notification on a platform like PayPal. In the “seller note” or description fields, they insert their malicious payload—usually a fake customer support phone number and a sense of urgency.
“Attackers abuse this functionality by inserting scam instructions and a phone number into those user-controlled fields,” the report explains.
Instead of sending this invoice to a victim directly, the attacker sends it to themselves first. This generates a legitimate, cryptographically signed email from the vendor. The attacker then forwards this pristine email to their targets.
“Since the message originates directly from the vendor… and is cryptographically signed, it easily passes DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) checks,” Kaseya notes.
This technique works because of what a DKIM signature does and does not cover. The signature is computed over the body and a chosen set of headers (typically From:, To:, Subject: and Date:), not over the SMTP envelope, the sending server's IP address or the Received: headers added along the way. Forwarding changes only the unsigned parts, so the signature still verifies. SPF does fail on the forwarded hop, since the attacker's server is not in the vendor's SPF record, but DMARC needs only one aligned pass, and the intact DKIM signature supplies it. To an email security gateway, the message looks like it came directly from PayPal or Apple because, technically, the signed content did.
“After receiving the legitimate email, the attacker simply forwards it on to their intended targets. The result is a message that looks authentic, passes email authentication and arrives in inboxes,” the report states.
While the email infrastructure validates the sender, the content itself is the trap. The report highlights a specific PayPal example where the “Seller note” contained a fraudulent warning: “If we do not hear from you within 24 hours, we will release this payment, and a refund will no longer be possible”.
To defend against this, Kaseya advises users and admins to look for subtle discrepancies.
- Check the “To” Header: “Verify whether the To: address in the message header matches the intended recipient,” the report advises. A mismatch often indicates the email was blind-carbon-copied (BCC’d) or forwarded. This check is effective against replay specifically because To: is normally one of the signed headers: the invoice was addressed to the attacker’s own mailbox, and rewriting To: to name the victim would invalidate the signature the attacker depends on.
- Ignore the Phone Numbers: Legitimate companies rarely ask you to call a support number found in an invoice note. “Users should avoid calling any numbers included in unexpected emails, especially those claiming urgent account or payment issues”.
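The following is an added example, not code from the Kaseya/INKY report, that models the two points above: a forwarded copy of a signed message still verifies because only the listed headers and the body are covered, and the To: header check catches it because To: is inside the signature. It uses a simplified DKIM-style scheme (HMAC-SHA256 standing in for the RSA/Ed25519 signature and DNS key lookup a real verifier performs, and first-occurrence header selection rather than DKIM's bottom-up rule); the vendor key, the hostnames and the invoice text are all constructed for the example.

```python
"""Toy model of why a replayed DKIM-signed invoice still verifies.

Added example, not the report's code.  Assumptions: simplified DKIM-like
scheme (listed headers + body hash, HMAC-SHA256 in place of RSA/Ed25519 and
DNS); all addresses, hosts and message text are constructed.
"""
import hashlib
import hmac
import re

# Hypothetical vendor signing key.  A real verifier fetches the public key
# from DNS (selector._domainkey.<domain>); a shared secret stands in here.
VENDOR_KEY = b"vendor-signing-key"
SIGNED_HEADERS = ["from", "to", "subject", "date"]


def parse_message(raw):
    """Split an RFC 5322-style message into ([(name, value)], body)."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def header_value(headers, name):
    """First value of a header, or None if absent."""
    for n, v in headers:
        if n == name:
            return v
    return None


def signing_input(headers, body):
    """Canonicalise the signed material: listed headers plus a body hash.
    Envelope data (MAIL FROM, RCPT TO, sending IP) and unlisted headers such
    as Received: are NOT included, which is why a replay survives forwarding."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    parts = [f"{h}:{header_value(headers, h) or ''}" for h in SIGNED_HEADERS]
    return "\n".join(parts + ["bh=" + body_hash]).encode()


def sign(raw, key=VENDOR_KEY):
    """Vendor side: prepend a DKIM-Signature header over the signed input."""
    headers, body = parse_message(raw)
    tag = hmac.new(key, signing_input(headers, body), hashlib.sha256).hexdigest()
    return f"DKIM-Signature: h={':'.join(SIGNED_HEADERS)}; b={tag}\n" + raw


def verify(raw, key=VENDOR_KEY):
    """Receiver side: recompute the tag and compare against b= in the header."""
    headers, body = parse_message(raw)
    sig = header_value(headers, "dkim-signature")
    if sig is None:
        return False
    m = re.search(r"\bb=([0-9a-f]+)", sig)
    if m is None:
        return False
    expected = hmac.new(key, signing_input(headers, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(m.group(1), expected)


def forward(signed_raw, new_rcpt, hop="mail.attacker.example"):
    """Model a forwarding hop: a Received: header is prepended and the
    envelope recipient changes, but signed headers and body are untouched."""
    return f"Received: from {hop} for <{new_rcpt}>\n" + signed_raw


def to_mismatch(raw, envelope_rcpt):
    """The report's check: flag a message whose (signed) To: header does not
    name the mailbox that actually received it."""
    headers, _ = parse_message(raw)
    to = header_value(headers, "to") or ""
    addrs = re.findall(r"[\w.+-]+@[\w.-]+", to.lower())
    return envelope_rcpt.lower() not in addrs


# Constructed sample: the invoice the attacker requests to their own mailbox,
# with the scam instructions placed in the vendor's free-text seller note.
ORIGINAL = (
    "From: service@paypal.example\n"
    "To: attacker@attacker.example\n"
    "Subject: Invoice from Example Seller\n"
    "Date: Mon, 1 Jan 2024 10:00:00 +0000\n"
    "\n"
    "Seller note: If we do not hear from you within 24 hours, we will release\n"
    "this payment. Call 555-0100 to dispute.\n"
)
SIGNED = sign(ORIGINAL)


def demo(victim="victim@corp.example"):
    """Replay SIGNED to a victim and report what each check sees."""
    replayed = forward(SIGNED, victim)
    rewritten = replayed.replace("To: attacker@attacker.example", f"To: {victim}")
    return {
        "original_verifies": verify(SIGNED),
        "replay_verifies": verify(replayed),            # signature survives the hop
        "replay_to_mismatch": to_mismatch(replayed, victim),  # To: still names attacker
        "rewritten_to_verifies": verify(rewritten),     # editing To: breaks the signature
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The replayed copy verifies and the only signed field the attacker cannot change is the one that exposes the replay: the To: header still names the attacker's mailbox. Real gateways should compare that header against the RCPT TO address of the delivery, and any edit to the seller note or the phone number in the body changes the body hash and fails verification the same way the rewritten To: does.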