Dr Martin J. Krämer, Security Awareness Advocate at KnowBe4
The attackers’ phishing methods are constantly evolving: they are becoming more sophisticated and harder to detect. Recent events show that even established sender-authentication mechanisms such as SPF, DKIM and DMARC are not always sufficient to keep malicious emails out. In a recent phishing campaign analysed by Fortinet, attackers used a free Microsoft 365 test domain together with PayPal’s own web portal to send seemingly credible payment requests. This case illustrates how cybercriminals hijack legitimate services to sidestep security controls and trap unwary users.
The attackers’ sophisticated approach
The attack begins with the registration of a free Microsoft 365 test domain. In that tenant the attackers create a distribution list containing the target addresses and then, through the PayPal web portal, send a payment request addressed to that list. PayPal delivers the request to the list, and Microsoft 365 forwards it to every member. Because the email really does originate from PayPal and arrives through Microsoft’s infrastructure, recipients have every reason to consider the request genuine.
If a victim clicks on the link contained in the email, they land on a PayPal login page where the payment request is displayed. In a panic, the user might log in to deal with the request, and that is the dangerous mistake: logging in links the victim’s PayPal account to the fraudster’s account. From that moment on, the attacker can take control of the victim’s account and cause serious financial damage.
What is particularly noteworthy about this method is that the emails and links genuinely pass the sender-authentication checks. The message is sent by PayPal, so the DKIM signature validates against paypal.com and DMARC passes. When the Microsoft 365 distribution list forwards the message, the Sender Rewrite Scheme (SRS) rewrites the envelope sender to the attackers’ tenant domain, so SPF also passes at the final recipient instead of failing on the forwarding hop. Nothing in the message is forged, which is why even PayPal’s own phishing detection mechanisms do not flag it.
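As an added example (not code from this article or from Fortinet’s analysis), the following Python script triages a message of this kind from its headers. The sample email, its domains, hosts, IP addresses, SRS hash and amount are all constructed, and the SRS address layout it decodes is an assumption based on the generic SRS0 form and the bounces+SRS= variant used by Microsoft 365. It shows that SPF, DKIM and DMARC all read “pass” and that the only link really points at paypal.com, yet the forwarding path (an SRS-rewritten envelope sender and a recipient who is not in To or Cc) still identifies the message as one that arrived through somebody else’s distribution list.

```python
"""Header triage for a payment request relayed through a distribution list.

Added example, not code from the article or from Fortinet's analysis.
It parses a constructed message that PayPal genuinely sent to an
attacker's Microsoft 365 distribution list, which forwarded it to the
victim, and shows that SPF/DKIM/DMARC all pass while the forwarding path
(SRS-rewritten envelope sender, recipient missing from To/Cc) still
gives the relay away.
"""
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

# Assumed SRS layout, based on the generic SRS0 form
#   SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
# and the "bounces+SRS=" variant used by Microsoft 365 (hash and
# timestamp lengths vary, so they are matched loosely).
SRS_RE = re.compile(
    r"^(?:bounces\+)?SRS0?=[^=]+=[^=]+=(?P<orig_domain>[^=]+)"
    r"=(?P<orig_local>[^@]+)@(?P<forwarder>.+)$",
    re.IGNORECASE,
)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

# Constructed sample; every domain, host, IP, hash and amount is invented.
SAMPLE_EMAIL = """\
Return-Path: <bounces+SRS=a1b2c=AB=paypal.com=service@contoso-trial.onmicrosoft.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=contoso-trial.onmicrosoft.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Received: from contoso-trial.onmicrosoft.com (mail.protection.outlook.com [203.0.113.10])
 by mx.example.com with ESMTPS; Mon, 6 Jan 2025 10:00:02 +0000
Received: from mx.paypal.com (mx.paypal.com [198.51.100.20])
 by contoso-trial.onmicrosoft.com with ESMTPS; Mon, 6 Jan 2025 10:00:00 +0000
From: "service@paypal.com" <service@paypal.com>
To: Billing <billing@contoso-trial.onmicrosoft.com>
Subject: You have a money request of 2,185.96 USD
Content-Type: text/plain; charset=utf-8

A payment request is waiting for you. Review it and pay at
https://www.paypal.com/myaccount/transfer/homepage/request
"""


def domain_of(addr):
    """Lower-cased domain of an address in display or bare form ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def parse_srs(return_path):
    """Decode an SRS-rewritten envelope sender, or return None if it is not SRS."""
    match = SRS_RE.match(return_path.strip().strip("<>"))
    return {k: v.lower() for k, v in match.groupdict().items()} if match else None


def auth_results(msg):
    """Pick the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def links_on_domain(msg, domain):
    """True if every URL in the text body is on `domain` or one of its subdomains."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hosts = [urlsplit(u.rstrip(".,)")).hostname or "" for u in URL_RE.findall(body)]
    return bool(hosts) and all(h == domain or h.endswith("." + domain) for h in hosts)


def triage(raw, mailbox):
    """Header-based findings for message `raw`, as delivered to the address `mailbox`."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg["From"]))
    srs = parse_srs(str(msg.get("Return-Path", "")))
    to_and_cc = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    addressed = {addr.lower() for _, addr in getaddresses(to_and_cc)}
    findings = []
    # Envelope sender was rewritten by a forwarder for mail the From domain really sent.
    if srs and srs["orig_domain"] == from_domain:
        findings.append(f"genuine {from_domain} mail relayed via {srs['forwarder']}")
    # The mailbox that received the mail was never named by the sender.
    if mailbox.lower() not in addressed:
        findings.append("mailbox not in To/Cc: delivered through a list or forwarder")
    return {
        "from_domain": from_domain,
        "auth": auth_results(msg),
        "srs": srs,
        "links_on_sender_domain": links_on_domain(msg, from_domain),
        "addressed_to_mailbox": mailbox.lower() in addressed,
        "findings": findings,
        "needs_review": bool(findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL, "victim@example.com")
    print("auth:", result["auth"], "| links on sender domain:", result["links_on_sender_domain"])
    for finding in result["findings"]:
        print("finding:", finding)
```

The point of the script is the contrast it surfaces: a DMARC pass proves only that PayPal sent the message, not that the request is legitimate or that PayPal addressed it to the person reading it. A gateway rule built on this idea would hold payment requests that arrived through a third-party forwarder for review instead of treating the authentication result as a clean bill of health.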
The crucial role of the ‘human firewall’
This attack makes it clear that technical security measures alone are not enough to ward off modern threats. Alongside technical solutions, raising employee awareness must be given the highest priority. Companies should invest in continuous training so that employees recognise suspicious messages and do not act on them in haste: an unexpected payment request is verified by opening the service directly and checking who is asking, not by logging in through the link in a panic. The attackers rely on the human factor, and that is precisely where the key to defence lies. Trained employees who critically question even seemingly credible emails are indispensable; the so-called ‘human firewall’ is an essential layer of protection.