Scammers Exploit Microsoft 365 to Target PayPal Users

Summary:
A new phishing technique that abuses PayPal's money request feature has been described in a recent Fortinet threat research post. Rather than forging an email, the scammer lets PayPal send a real payment request and arranges for it to be relayed to the targets. The attack begins with the scammer registering a free Microsoft 365 test domain and creating a distribution list in that tenant containing the targeted email addresses. The distribution list address is then entered as the recipient of a PayPal money request, so PayPal emails the request to the list and Microsoft 365 forwards a copy to every member. Because the message is forwarded, Microsoft's Sender Rewrite Scheme (SRS) rewrites the envelope sender (Return-Path) to an address in the scammer's tenant, so SPF passes for the forwarding domain; the From header and PayPal's DKIM signature are left intact, so DKIM and DMARC pass as well. Combined with PayPal's genuine interface and a genuine PayPal URL, the email, sender address, and link all check out, and recipients have little to distinguish the scam from a legitimate request. If a victim logs into their PayPal account through the link and acts on the request, the scammer's email address becomes linked to the victim's account, giving the scammer access to it.
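The relay described above leaves two artefacts that survive even though SPF, DKIM and DMARC all pass: the envelope sender carries an SRS rewrite pointing at a tenant other than paypal.com, and the recipient's own address never appears in To: or Cc:, because PayPal addressed the request to the scammer's distribution list. The following Python script is an added example, not code from Fortinet or from the original advisory, that checks a raw message for those two indicators. The headers, addresses and the tenant name contoso1234.onmicrosoft.com are constructed for illustration and are not from the reported campaign.

```python
"""Flag PayPal money requests that were relayed through a Microsoft 365 distribution list.

Added example: the sample messages below are constructed, not real captures.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Brands whose mail should reach the recipient directly, never via a forwarder.
WATCHED_SENDER_DOMAINS = {"paypal.com"}

# Microsoft 365 SRS rewrites the envelope sender to
#   bounces+SRS=<hash>=<timestamp>=<orig-domain>=<orig-local>@<tenant>.onmicrosoft.com
# and classic SRS uses SRS0=/SRS1= local parts. Either marks a forwarded message.
SRS_LOCALPART = re.compile(r"(?:^|\+)SRS[01]?=", re.IGNORECASE)

# Constructed sample: a request relayed through a scammer's test tenant.
RELAYED_REQUEST = """\
Return-Path: <bounces+SRS=abcd=AB=paypal.com=service@contoso1234.onmicrosoft.com>
Authentication-Results: spf=pass (sender IP is 40.92.0.1) smtp.mailfrom=contoso1234.onmicrosoft.com; dkim=pass header.d=paypal.com; dmarc=pass action=none header.from=paypal.com
From: "Acme Billing via PayPal" <service@paypal.com>
To: Billing Department <billingdept@contoso1234.onmicrosoft.com>
Subject: You have a money request
MIME-Version: 1.0
Content-Type: text/plain

Please pay your invoice.
"""

# Constructed sample: a request PayPal sent straight to the mailbox owner.
DIRECT_REQUEST = """\
Return-Path: <service@paypal.com>
Authentication-Results: spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: alice@example.com
Subject: You have a money request
MIME-Version: 1.0
Content-Type: text/plain

Please pay your invoice.
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header value, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(raw_message):
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    msg = message_from_string(raw_message)
    value = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", value, re.I)}


def analyze(raw_message, mailbox):
    """Return the reasons a message looks like a relayed money request.

    An empty list means the envelope/recipient pattern is unremarkable; it does
    not prove the request is legitimate.
    """
    msg = message_from_string(raw_message)
    reasons = []

    from_domain = _domain(msg.get("From"))
    if from_domain not in WATCHED_SENDER_DOMAINS:
        return reasons  # only apply the check to the brands we care about

    # Indicator 1: envelope sender is an SRS rewrite by a domain other than the From domain.
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    local_part, _, rp_domain = return_path.rpartition("@")
    if SRS_LOCALPART.search(local_part) and rp_domain.lower() != from_domain:
        reasons.append(
            f"envelope sender {return_path} is an SRS rewrite: the message was "
            f"forwarded through {rp_domain}, not sent to you by {from_domain}"
        )

    # Indicator 2: the mailbox owner is not an addressed recipient.
    addressed_to = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    }
    if mailbox.lower() not in addressed_to:
        reasons.append(
            f"{mailbox} is not in To/Cc ({', '.join(sorted(addressed_to)) or 'none'}): "
            "the request was addressed to a distribution list, not to you"
        )
    return reasons


if __name__ == "__main__":
    for label, raw in (("relayed", RELAYED_REQUEST), ("direct", DIRECT_REQUEST)):
        print(label, auth_results(raw), analyze(raw, "alice@example.com"))
```

Note that both samples show spf=pass, dkim=pass and dmarc=pass, which is exactly why a filter keyed on authentication results cannot tell them apart; the two indicators above are what a mail-flow rule or a trained recipient can still see.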


Security Officer Comments:
According to Elad Luz, head of research at Oasis Security, this technique deviates from traditional phishing methods that require crafting fraudulent emails. Instead, attackers exploit PayPal’s built-in features, sending messages from verified sources that closely mimic legitimate requests. This makes it difficult for email providers to identify the fraudulent nature of the messages, placing the responsibility on PayPal to mitigate such attacks. Stephen Kowski, field CTO at SlashNext, emphasized the importance of advanced detection mechanisms, such as neural networks and behavioral analysis, to identify unusual messaging patterns or requests that evade basic filters.


Suggested Corrections:
The beauty of this attack is that it does not rely on a spoofed sender, a lookalike domain, or a malicious link: the email really is sent by PayPal, it authenticates cleanly, and the button leads to PayPal's own site. Controls keyed on sender authentication will therefore not stop it, and the best defence is the Human Firewall, someone who has been trained to be wary of any unsolicited payment request regardless of how genuine it looks. Two checks a trained recipient can apply: the To: address, which in this scheme is the scammer's distribution list rather than the recipient's own address, and the request itself, which should be verified by opening PayPal directly rather than through the emailed link and reviewing any pending requests there. Mail administrators can go further and flag messages with a PayPal From: domain whose envelope sender has been SRS-rewritten through another tenant, or that are not addressed to the mailbox owner. This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves, and your organization, safe.

Link(s):
https://www.fortinet.com/blog/threat-research/phish-free-paypal-phishing

https://www.infosecurity-magazine.com/news/scammers-exploit-microsoft365/