A sophisticated phishing campaign targeting PayPal users has been discovered by cybersecurity firm Fortinet, using legitimate links and Microsoft 365 infrastructure to compromise accounts.
The attackers employ a clever technique that bypasses traditional security checks by sending seemingly authentic PayPal payment request notifications. These phishing emails contain genuine PayPal URLs and sender addresses, making them particularly difficult to identify as fraudulent.
The scam works by registering a temporary Microsoft 365 test domain and creating a distribution list containing victim email addresses. The attackers then initiate PayPal payment requests to this distribution list. When unsuspecting users click the legitimate PayPal link and log in to check the payment request, their accounts become linked to the scammer's email address instead of their own.
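One observable side effect of the relay described above is that the genuine PayPal notification is addressed to the attacker's distribution list, not to the mailbox that ultimately receives it. The following triage check is an added example (not code from Fortinet's report or from PayPal): it parses a message, confirms the sender domain is paypal.com and the subject looks like a payment request, and flags the mail when the owner's own address is absent from To/Cc. The sample headers, the list address and the mailbox address are constructed; treating `*.onmicrosoft.com` as a Microsoft 365 tenant test domain is an assumption.

```python
import email
from email.utils import getaddresses

# Constructed sample: a real-looking PayPal money request whose To: header is a
# Microsoft 365 distribution list (placeholder tenant), not the mailbox owner.
SAMPLE_RELAYED = b"""From: service@paypal.com
To: invoices@contoso-test.onmicrosoft.com
Subject: You have a money request
Message-ID: <constructed-1@paypal.com>

Open the request in your PayPal account.
"""

# Constructed sample: the same notification addressed directly to the owner.
SAMPLE_DIRECT = b"""From: service@paypal.com
To: alice@example.com
Subject: You have a money request
Message-ID: <constructed-2@paypal.com>

Open the request in your PayPal account.
"""

PAYMENT_SUBJECT_HINTS = ("money request", "payment request", "requested")


def sender_domain(msg):
    """Domain of the first From: address, lower-cased ('' if unparsable)."""
    addrs = getaddresses(msg.get_all("From", []))
    if not addrs or "@" not in addrs[0][1]:
        return ""
    return addrs[0][1].rsplit("@", 1)[1].lower()


def recipients(msg):
    """All To:/Cc: addresses as a lower-cased set."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}


def assess_payment_request(raw, mailbox):
    """Return (verdict, recipients). 'relayed-via-list' means a PayPal payment
    request reached `mailbox` without being addressed to it, which is the
    pattern produced by the distribution-list relay."""
    msg = email.message_from_bytes(raw)
    subject = (msg["Subject"] or "").lower()
    if sender_domain(msg) != "paypal.com" or not any(h in subject for h in PAYMENT_SUBJECT_HINTS):
        return "ignore", set()
    rcpts = recipients(msg)
    if mailbox.lower() in rcpts:
        return "addressed-to-mailbox", rcpts
    return "relayed-via-list", rcpts
```

A mail flagged `relayed-via-list` still carries valid PayPal links and sender addresses, so the verdict should route the message to review rather than rely on URL or sender reputation.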
"The beauty of this attack is that it doesn't use traditional phishing methods. The email, the URLs, and everything else are perfectly valid," notes Fortinet in their report. The scheme is so sophisticated that it can bypass even PayPal's own phishing detection systems.
What makes this campaign particularly dangerous is its use of authentic infrastructure and legitimate links, rather than the fake websites typically associated with phishing attacks. Users who receive unexpected PayPal notifications should exercise extreme caution, even when the emails appear genuine.
The most effective defense against this type of attack is user awareness and careful scrutiny of unexpected payment requests, regardless of how legitimate they may appear. Organizations are advised to provide comprehensive security training to help employees recognize and respond appropriately to such sophisticated phishing attempts.
This new campaign demonstrates how cybercriminals continue to evolve their tactics, leveraging legitimate services and infrastructure to conduct increasingly sophisticated attacks.