How PayPal is being misused for sophisticated fraud

February 3, 2025

Dr Martin J. Krämer, Security Awareness Advocate at KnowBe4

The attackers’ phishing methods are constantly evolving – they are becoming more sophisticated and harder to detect. Recent events show that even established security mechanisms such as SPF, DKIM and DMARC are not always sufficient to ward off manipulated emails. In a recent phishing campaign analysed by Fortinet, attackers used Microsoft 365 test domains and the PayPal web portal to send seemingly credible payment requests. This case illustrates how cybercriminals are hijacking legitimate services to exploit security vulnerabilities and trap unwary users.

The attackers’ sophisticated approach

The phishing attack begins with the registration of a free Microsoft 365 test domain that gives the appearance of a legitimate sender. The attackers use this domain to create a distribution list with the target addresses and send payment requests directly via the PayPal web portal. The emails appear authentic because of the legitimately used services, which could lead the recipients to consider the request to be genuine.

If a victim clicks on the link contained in the email, they are redirected to what appears to be a PayPal login page where the payment request is displayed. In a panic, the user might try to log in – a dangerous mistake. This links the victim’s PayPal account to the fraudster’s account. From that moment on, the attacker can gain control over the victim’s account and cause enormous financial damage.

What is particularly noteworthy about this method is that the emails and links actually pass the sender authentication checks. The Microsoft 365 Sender Rewriting Scheme (SRS) rewrites the envelope sender address of the relayed message, so it is recognised as legitimate despite its manipulative intent. This makes the attack so sophisticated that even PayPal’s own phishing detection mechanisms are unable to detect it.
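The following header triage script is an added example and is not code from the article, from KnowBe4 or from Fortinet’s analysis. It shows the defender-side consequence of the attack chain described above: a message can carry spf=pass, dkim=pass and dmarc=pass and still have been relayed through a third-party tenant, because SRS rewrote the envelope sender. The sample message, the hash and timestamp values, the use of the classic SRS0 address form (`SRS0=<hash>=<timestamp>=<original-domain>=<original-local>@<forwarder>`) and the treatment of a `*.onmicrosoft.com` default tenant domain as a trial tenant are all assumptions made for this example.

```python
"""Triage of a forwarded payment-request mail (added example, all data constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Classic SRS0 rewrite form; assumed here, the exact form a given relay emits may differ.
SRS0_RE = re.compile(
    r"^SRS0=(?P<hhh>[^=]+)=(?P<tt>[^=]+)=(?P<domain>[^=]+)=(?P<local>.+)$", re.I
)

# Assumption for the example: a tenant default domain is treated as a possible trial tenant.
TENANT_DEFAULT_SUFFIX = ".onmicrosoft.com"

# Constructed sample: every address, hash and host name below is invented.
SAMPLE = (
    "Return-Path: <SRS0=q7Kf=H2=service.example=billing@tenant-abc.onmicrosoft.com>\n"
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=tenant-abc.onmicrosoft.com;\n"
    " dkim=pass header.d=service.example;\n"
    " dmarc=pass header.from=service.example\n"
    'From: "Payment Service" <billing@service.example>\n'
    "To: finance-list@tenant-abc.onmicrosoft.com\n"
    "Subject: You have received a payment request\n"
    "\n"
    "Please log in to review the request.\n"
)


def domain_of(addr):
    """Domain part of an RFC 5322 address, lower-cased ('' if none)."""
    _, bare = parseaddr(addr or "")
    return bare.rpartition("@")[2].lower()


def parse_srs0(addr):
    """Return {'original': ..., 'forwarder': ...} for an SRS0 address, else None."""
    _, bare = parseaddr(addr or "")
    local, _, forwarder = bare.rpartition("@")
    m = SRS0_RE.match(local)
    if not m:
        return None
    return {"original": f"{m['local']}@{m['domain']}".lower(),
            "forwarder": forwarder.lower()}


def parse_auth_results(value):
    """Pull spf/dkim/dmarc verdicts and the domains they were evaluated for."""
    v = " ".join((value or "").split()).lower()  # unfold the header
    out = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", v)
        if m:
            out[method] = m.group(1)
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", v)
    if m:
        out["spf_domain"] = m.group(1).rpartition("@")[2]
    m = re.search(r"header\.d=([^\s;]+)", v)
    if m:
        out["dkim_domain"] = m.group(1)
    return out


def triage(raw):
    """Explain *why* the authentication verdict alone is not a trust decision."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    envelope = msg["Return-Path"]
    env_domain = domain_of(envelope)
    srs = parse_srs0(envelope)
    auth = parse_auth_results(msg["Authentication-Results"])
    flags = []
    if all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
        flags.append("all-auth-pass")  # a pass says who relayed it, not why
    if srs:
        flags.append("srs-rewritten-envelope")  # message was forwarded by another tenant
    if env_domain and env_domain != from_domain:
        flags.append("envelope-from-mismatch")
    if env_domain.endswith(TENANT_DEFAULT_SUFFIX):
        flags.append("relayed-via-tenant-default-domain")
    if auth.get("spf_domain") and auth["spf_domain"] != from_domain:
        flags.append("spf-domain-not-aligned-with-from")
    return {"from_domain": from_domain, "envelope_domain": env_domain,
            "srs": srs, "auth": auth, "flags": flags}


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

The flags are deliberately informational rather than a block verdict: in the scenario the article describes, every authentication check genuinely passes, so the useful signal for a SOC rule or a user-facing banner is the combination of a passing DMARC result with an SRS-rewritten envelope from a tenant default domain that differs from the visible From domain.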

The crucial role of the ‘human firewall’

This attack method makes it impressively clear that technical security measures alone are not enough to ward off modern cyber threats. In addition to technical solutions, raising employee awareness must be given the highest priority. Companies should invest in continuous training to enable their employees to recognise suspicious messages and not make hasty decisions. The attackers rely on the human factor – and this is precisely where the key to defence lies. Trained employees who are able to critically question even seemingly credible phishing emails are indispensable. The so-called ‘human firewall’ represents an essential layer of protection.
