New PayPal phishing technique poses significant threat to users

A newly identified phishing technique is exploiting PayPal’s money request feature, posing a significant threat to users who may not be able to differentiate between genuine and fraudulent communications.

According to an advisory from cybersecurity firm Fortinet, the scam employs a sophisticated method that circumvents standard email authentication measures, making it appear credible to recipients. The methodology used in this scam involves a scammer registering a free Microsoft 365 test domain and creating a distribution list that features targeted email addresses. 

By initiating a payment request via PayPal with this distribution list as the recipient, the scammer produces a message that appears legitimate. The attack is aided by Microsoft’s Sender Rewrite Scheme (SRS), which rewrites the sender address of relayed messages, helping them avoid detection by email security systems.

The structure and appearance of the phishing email closely resemble legitimate PayPal payment requests, and the message passes most security checks. This close imitation makes it difficult for email service providers to recognise these deceptive messages.

As a result, only PayPal might be in a position to mitigate the risks posed by these fraudulent communications.

Elad Luz, head of research at Oasis Security, highlighted the unique characteristics of this phishing method. “Standard phishing methods typically require threat actors to craft and deliver emails to a wide audience,” he noted.

“In this case, however, the threat actors exploit a vendor feature to deliver their messages. The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request.

“This makes [it] difficult for mailbox providers to distinguish [them] from genuine communications.”

As a measure of defence, Fortinet stresses the need for an informed workforce to act as a “human firewall”: employees should be trained to recognise potential fraud and, in particular, to scrutinise unexpected payment requests.

The company also advised implementing data loss prevention (DLP) rules to better identify and manage these sophisticated phishing attacks. Configured DLP rules can flag emails that involve multiple recipients tied to a distribution list, thereby isolating potential threats.
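One way to express the rule above as detection logic, shown here as an added example and not code from Fortinet, PayPal, Microsoft or Credit Strategy: a payment request from the brand's domain is treated as suspicious when none of the mailbox owner's own addresses appear in To/Cc (it arrived through a list rather than being addressed to the payer), or when its envelope sender has been SRS-rewritten by a domain the owner does not control (the relay hop described earlier). The sample messages, addresses, tenant and domain names are all constructed for illustration; the `owner_addresses` parameter is an assumption about what the mail system knows about each mailbox.

```python
"""Heuristic flagging of payment-request mail that reached a mailbox via a
distribution list or an SRS-rewriting relay. Added example, not the code of
any vendor named in the article; all samples below are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Sender domains whose payment requests get extra scrutiny (constructed list).
PAYMENT_BRANDS = {"paypal.com"}
# Local part of an SRS-rewritten envelope sender starts with "SRS0=" or "SRS1=".
SRS_LOCAL_PART = re.compile(r"^SRS[01][=+]", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Lower-cased domain of a header address; empty string if malformed."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyse(raw_message: str, owner_addresses: set) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one RFC 5322 message.

    owner_addresses (assumed to be known to the mail system): every address
    the mailbox legitimately receives mail as, i.e. its primary address plus
    any aliases or old addresses that forward into it.
    """
    msg = message_from_string(raw_message)
    reasons = []
    if domain_of(msg.get("From", "")) not in PAYMENT_BRANDS:
        return {"suspicious": False, "reasons": reasons}

    owners = {a.lower() for a in owner_addresses}
    owner_domains = {a.rpartition("@")[2] for a in owners}

    # 1. A genuine request is addressed to the payer. If none of the owner's
    #    addresses appear in To/Cc, the mail reached the mailbox some other
    #    way, such as through a distribution list the sender controls.
    header_values = (msg.get_all("To") or []) + (msg.get_all("Cc") or [])
    recipients = {addr.lower() for _, addr in getaddresses(header_values)}
    if owners.isdisjoint(recipients):
        reasons.append("owner not in To/Cc; recipients: %s" % sorted(recipients))

    # 2. An SRS-rewritten envelope sender means a forwarding hop rewrote the
    #    bounce address. Forwarding from the owner's own domains is normal;
    #    a payment request relayed by a third-party domain is not.
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    local, _, rp_domain = return_path.rpartition("@")
    if SRS_LOCAL_PART.match(local) and rp_domain.lower() not in owner_domains:
        reasons.append("SRS-rewritten return path via %s" % rp_domain.lower())

    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample 1: the pattern described in the article. A real money
# request went to a distribution list on a trial tenant, which relayed it
# to list members with an SRS-rewritten return path.
SCAM_SAMPLE = """\
Return-Path: <SRS0=k7Tq=AB=paypal.com=service@contoso-trial.onmicrosoft.com>
From: "service@paypal.com" <service@paypal.com>
To: "Billing" <billing@contoso-trial.onmicrosoft.com>
Subject: You've received a money request

Please review and pay this request.
"""

# Constructed sample 2: a request addressed directly to the payer.
GENUINE_SAMPLE = """\
Return-Path: <service@paypal.com>
From: "service@paypal.com" <service@paypal.com>
To: alice@example.com
Subject: You've received a money request

Please review and pay this request.
"""

# Constructed sample 3: a request sent to the owner's old address, which
# forwards to the current mailbox with SRS applied by the old domain.
FORWARDED_SAMPLE = """\
Return-Path: <SRS0=x9Lm=CD=paypal.com=service@old-employer.example>
From: "service@paypal.com" <service@paypal.com>
To: alice@old-employer.example
Subject: You've received a money request

Please review and pay this request.
"""

if __name__ == "__main__":
    owner = {"alice@example.com", "alice@old-employer.example"}
    for name, sample in (("scam", SCAM_SAMPLE), ("genuine", GENUINE_SAMPLE),
                         ("forwarded", FORWARDED_SAMPLE)):
        print(name, analyse(sample, owner))
```

The third sample shows why the rule needs the owner's full set of addresses: a request legitimately forwarded from a user's old domain also carries an SRS-rewritten return path, and without the alias list it would be flagged alongside the scam message. In production the brand list and the alias lookup would come from the mail platform's directory rather than constants.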

Stephen Kowski, field CTO at SlashNext, elaborated on innovative detection methods. He stated, “Using neural networks to analyze social graph patterns and other advanced AI techniques in more modern security tools helps spot these hidden interactions by analysing user behaviours more deeply than static filters.” 

Kowski mentioned that proactive detection engines can identify unusual messaging patterns or requests that may evade basic scrutiny. An in-depth analysis of user interaction metadata could catch the sophisticated tactics employed in this phishing approach.