
Phishing attack targets PayPal users with authentic-looking emails


A recently reported phishing attack shows a tactic that slips past the usual email defences: victims receive what is, technically, a genuine PayPal payment request. The scam uses PayPal's real sender address and a real PayPal link to lure victims into a trap where their accounts are hijacked.

By sending the request to a Microsoft 365 distribution list, so that Microsoft's Sender Rewrite Scheme (SRS) rewrites the envelope sender as the message is fanned out to list members, the attackers deliver mail that passes SPF, DKIM and DMARC checks and sidesteps common phishing detection, making this a serious threat for individuals and organisations.

The phishing attack began with an email that appeared to be a legitimate PayPal payment request. At first glance, the email seemed genuine — the sender’s address was not spoofed, and the URL matched PayPal’s standard domain. However, the Chief Information Security Officer (CISO), who shared their experience, quickly realised something was amiss.

The recipient, a cybersecurity expert by profession, immediately questioned the email because they do not use their corporate email address with PayPal. The 'To' field also listed an unfamiliar address: Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com.

Phishing attempt by cyber crooks | Source: Fortinet

This was neither the address on their PayPal account nor anything that looked like a legitimate PayPal service.

The crux of this attack lies in its execution. When the recipient clicked the link, they landed on a genuine PayPal login page that displayed a payment request. A user might be inclined to log in to check the request, but doing so would have been a grave mistake.

“A genuine email can’t still be a problem, can it? Well, here is the catch in this instance. When you click on the link, you are redirected to a PayPal login page showing a request for payment,” researchers report. “A panicked person may be tempted to log in with their account details, but this would be very dangerous.”

The money request had been addressed not to the recipient's own email address but to the attacker-controlled Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com. A victim who logs in from that page to deal with the request ends up with their PayPal account associated with that attacker-controlled address rather than with their own.

Researchers found that this was no simple case of email spoofing. The scammer had registered a free Microsoft 365 test domain, created a distribution list containing multiple victim email addresses, and then used PayPal's own money-request feature to send a request to that list. Microsoft 365 fanned the genuine PayPal message out to every victim on the list.

The attack leveraged Microsoft's Sender Rewrite Scheme (SRS), the feature that keeps forwarded mail deliverable. When Microsoft 365 forwards a message to list members, SRS rewrites the envelope sender (the SMTP MAIL FROM) to an address in the forwarding tenant's domain, so the forwarding hop passes SPF. The visible From: header and PayPal's DKIM signature travel unmodified, so DKIM and DMARC pass as well. The checks are not broken so much as satisfied: the message really is from PayPal, which is exactly why the traditional authentication mechanisms that protect against phishing do not catch it.

Distribution list by scammer. | Source: Fortinet

Once a victim logged in from that page to act on the request, their account could be hijacked by linking it to the scammer's distribution-list address. This gave the attacker control of the victim's PayPal account, with access to sensitive financial information and the potential for further fraud.

Unlike typical phishing attempts, where obvious red flags such as misspelt URLs or mismatched sender addresses are easy to spot, this attack was subtler. The sender's address and the link to PayPal were both genuine; the only visible tell was the unfamiliar address in the 'To' field, which is why even experienced users might be deceived.

Researchers have emphasised that awareness training is crucial, especially in business environments where employees may panic when confronted with an urgent payment request. Building a 'human firewall' by teaching staff to spot phishing attempts, including the rule of never logging in from a link in an unexpected payment request, is one of the most effective ways to mitigate these attacks.

Additionally, organisations can create mail-flow or Data Loss Prevention (DLP) rules for detecting distribution list-based attacks. Rules that flag messages where the mailbox owner does not appear among the visible recipients, or where the envelope sender is an SRS-rewritten address in a domain unrelated to the From: address, can surface such threats early.
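The two header checks just described, written out as an added example (this is not code from Fortinet or from this article). It parses two constructed messages, one mirroring the pattern in the report and one benign receipt sent directly to the user, and flags a watched brand's mail whose envelope sender was SRS-rewritten by an unrelated domain, plus delivery to a mailbox that is not a visible recipient. The two SRS address layouts it understands (the standard SRS0 form and a bounces+SRS= form), the sample headers and the mailbox address are assumptions made for illustration.

```python
"""Header-level detection of the 'distribution list + SRS' phishing pattern.

Added example; not Fortinet's or the article's code. The SRS layouts and the
sample messages below are assumptions/constructed for illustration.
"""
import email
from email.utils import getaddresses

# Constructed sample mirroring the pattern described in the article.
SUSPECT_RAW = """\
Return-Path: <bounces+SRS=abcd1=2a=paypal.com=service@gkjyryfjy876.onmicrosoft.com>
Authentication-Results: spf=pass smtp.mailfrom=gkjyryfjy876.onmicrosoft.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: "service@paypal.com" <service@paypal.com>
To: Billingdepartments1@gkjyryfjy876.onmicrosoft.com
Subject: You have a money request
Content-Type: text/plain

Log in to PayPal to review this request.
"""

# Constructed benign PayPal mail sent straight to the mailbox owner.
BENIGN_RAW = """\
Return-Path: <service@paypal.com>
Authentication-Results: spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: "service@paypal.com" <service@paypal.com>
To: alice@example.com
Subject: Your receipt
Content-Type: text/plain

Thanks for your payment.
"""


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def parse_srs(addr: str):
    """Return (original_domain, original_local_part) if `addr` is an
    SRS-rewritten envelope sender, else None.

    Assumed layouts, both packing the original sender into the local part
    with the original domain as the fourth '='-separated field:
      SRS0=<hash>=<timestamp>=<orig domain>=<orig local>@<forwarder>
      bounces+SRS=<hash>=<timestamp>=<orig domain>=<orig local>@<forwarder>
    """
    parts = addr.rpartition("@")[0].split("=")
    if len(parts) < 5 or not (parts[0] == "SRS0" or parts[0].endswith("+SRS")):
        return None
    return parts[3].lower(), "=".join(parts[4:])


def analyse(raw: str, mailbox: str, watched_brands=("paypal.com",)) -> list:
    """Return the reasons a message matches the pattern (empty list = clean).

    `mailbox` is the address of the user whose mailbox the rule runs in; in
    the article's case it is a corporate address never registered with PayPal.
    """
    msg = email.message_from_string(raw)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    from_domain = domain_of(from_addrs[0]) if from_addrs else ""
    if from_domain not in watched_brands:
        return []  # the rule only applies to brands on the watch list

    reasons = []
    return_path = (msg.get("Return-Path") or "").strip("<> ")
    srs = parse_srs(return_path)
    if srs is not None:
        orig_domain, _ = srs
        forwarder = domain_of(return_path)
        # Genuine brand mail that took a detour through a third-party tenant:
        # the spf=pass in Authentication-Results belongs to the forwarder.
        if orig_domain == from_domain and forwarder != from_domain:
            reasons.append(f"{from_domain} mail relayed via {forwarder} (SRS rewrite)")

    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {a.lower() for _, a in getaddresses(headers)}
    if mailbox.lower() not in visible:
        # Delivered through a list or alias the user is not shown as a member of.
        reasons.append(f"{mailbox} is not a visible recipient; To/Cc = {sorted(visible)}")
    return reasons


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_RAW), ("benign", BENIGN_RAW)):
        print(name, analyse(raw, "alice@example.com") or "clean")
```

The first check is the sharper one: legitimate PayPal mail should never arrive with an SRS envelope in a stranger's tenant. The second check also fires for ordinary mailing lists and Bcc, so treat matches as tag-and-warn signals rather than hard blocks.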


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
