PayPal users are currently experiencing a new and highly deceptive cyberattack that has prompted serious concerns about internet security. This clever strategy, known as a no-phish phishing attack, effectively bypasses standard phishing detection systems, placing users at major risk.
The attack uses authentic links and emails that closely match official PayPal communications. To scam recipients into thinking they are legitimate, these phishing emails contain payment information, warning emails, a legitimate PayPal sender address, and URLs that appear trustworthy.
According to Elad Luz, head of research at non-human identity management company Oasis Security:
The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request. This makes them difficult for mailbox providers to distinguish from genuine communications.
Advanced PayPal Phishing Attacks Take Advantage of Authentic Features
This exploit is unique in that it makes use of official Microsoft 365 services. Cybercriminals use these tools to set up a test domain and an email distribution list. This method makes the fake communications appear to have been delivered directly by PayPal, adding authenticity to the scam.
Attackers trick victims into logging in to their PayPal accounts to make a payment. However, this login process grants cybercriminals access to the victim’s account, allowing them to take control of it.
This strategy is more difficult to identify because it integrates seamlessly with regular PayPal operations. Payment requests from hacked Microsoft 365 test domains appear authentic to victims, leading users to ignore minor warning signs like an incorrect “to” email address.
The attackers take advantage of PayPal’s practice of associating the payment request with the account from which it originated rather than the email address at which it was received. This detail is easy to overlook, particularly when the sender has created a distribution list of target emails using a free Microsoft 365 test domain.
In a case study, a payment request for $2,185.96 was received, which was large enough to be profitable at scale but small enough not to arouse suspicion among corporate users. Unless recipients carefully check the “to” address box, they may not recognise the fraud, showing the complexity of this phishing approach.
Sending the request to that distribution list caused PayPal’s system to send money requests to the targeted victims. Because Microsoft 365’s Sender Rewrite Scheme (SRS) rewrote the sender address so that the messages passed SPF, DKIM, and DMARC authentication checks, the emails were not flagged as malicious.
The scammer’s email address, Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com, becomes linked to the victim’s PayPal account when the victim logs in to investigate. This gives the scammer complete control over the victim’s account, a clever and deceptive strategy. The technique is advanced enough to bypass PayPal’s own phishing detection systems.
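The article makes the point that the messages pass SPF, DKIM and DMARC, so mail authentication alone will not catch them; what remains visible is the mismatch between the “to” address and the mailbox that actually received the message, the *.onmicrosoft.com test-tenant address on the distribution list, and the SRS-rewritten envelope sender. The following is an added header-triage example written for this page (it is not code from PayPal, Microsoft, Oasis Security or the article's author). All message samples are constructed, and the tenant name EXAMPLE-tenant and the recipient mailbox alice@victimcorp.example are placeholders.

```python
"""Header-level triage for the 'no-phish' PayPal payment-request pattern.

Added example, not from the original article. It does NOT re-check SPF/DKIM/
DMARC (the article says those pass); it looks for the three residual signs
the article describes:
  1. the visible "To" header is not the mailbox that received the message,
  2. the "To" address is a *.onmicrosoft.com tenant default domain (free
     Microsoft 365 test tenants use these),
  3. the envelope sender (Return-Path) was rewritten by SRS (SRS0=/SRS1=).
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a genuine-looking PayPal payment request that reached
# alice via a distribution list on a placeholder onmicrosoft.com tenant.
SAMPLE_SUSPECT = """\
From: "service@paypal.com" <service@paypal.com>
To: Billingdepartments1@EXAMPLE-tenant.onmicrosoft.com
Return-Path: <SRS0=abcd=AB=paypal.com=service@EXAMPLE-tenant.onmicrosoft.com>
Subject: Billingdepartments1 sent you a payment request

You have a payment request for $2,185.96 (constructed sample body).
"""

# Constructed sample: a PayPal message addressed directly to the mailbox.
SAMPLE_DIRECT = """\
From: "service@paypal.com" <service@paypal.com>
To: alice@victimcorp.example
Return-Path: <service@paypal.com>
Subject: Your receipt

Thanks for your payment (constructed sample body).
"""


def extract_addrs(msg, header):
    """Return the lower-cased addresses found in every instance of `header`."""
    values = msg.get_all(header, [])
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def triage(raw_message, recipient_mailbox):
    """Return the list of warning signs found in `raw_message`.

    `recipient_mailbox` is the address the mail server actually delivered to
    (in production this would come from the envelope RCPT TO, not a header).
    """
    msg = message_from_string(raw_message)
    recipient = recipient_mailbox.lower()
    findings = []

    to_addrs = extract_addrs(msg, "To")
    # Sign 1: the "to" box does not name the mailbox that received the mail.
    if to_addrs and recipient not in to_addrs:
        findings.append("to_header_mismatch")
    # Sign 2: the listed recipient lives on an *.onmicrosoft.com tenant domain.
    if any(a.endswith(".onmicrosoft.com") for a in to_addrs):
        findings.append("onmicrosoft_distribution_list")
    # Sign 3: envelope sender rewritten by Sender Rewrite Scheme.
    return_path = extract_addrs(msg, "Return-Path")
    if any(a.startswith(("srs0=", "srs1=")) for a in return_path):
        findings.append("srs_rewritten_sender")
    return findings


def verdict(findings):
    """Map the signs to a triage decision: two or more means hold for review."""
    return "review" if len(findings) >= 2 else "deliver"


if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("direct", SAMPLE_DIRECT)):
        signs = triage(sample, "alice@victimcorp.example")
        print(f"{label}: {verdict(signs)} {signs}")
```

Because the message genuinely originates from PayPal, a rule like this belongs in a post-authentication policy layer (or a mail-flow rule) rather than in SPF/DMARC evaluation, and the recipient mailbox must come from the envelope, since the "To" header is exactly the field the technique makes misleading.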
PayPal responded quickly to the growing phishing threat. In addition to encouraging stronger login credentials, the company also reset passwords for affected individuals.
A PayPal spokesperson affirmed the company’s commitment to user security, stating they promptly blocked unauthorised access. They also advised customers to enable two-factor authentication and exercise caution with payment requests.
The phishing attacks against PayPal show the increasing expertise of cybercriminals. These frauds are becoming harder to identify because they take advantage of trusted features of secure sites.
Experts underline how important it is for companies and people to work together to counter these risks. Users should take proactive measures to secure their accounts, while businesses must strike a balance between transaction security and consumer convenience. PayPal advises users to avoid responding to suspicious invoices or payment requests and to report such incidents to their security team.
Phishing attacks are growing more prevalent and advanced. Criminals are leveraging advanced technologies, including AI, to develop convincing scams that are difficult to identify.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Start your two-week free trial of Phishing Tackle security awareness training today.