A new report out today from Fortinet Inc.’s FortiGuard Labs is warning of a new, sophisticated phishing campaign that leverages Microsoft 365 test domains and distribution lists to bypass traditional email security protocols.
The campaign uses legitimate-looking PayPal Holdings Inc. payment requests to trick victims into providing their account credentials. Because the messages originate from PayPal's own infrastructure and are relayed through a Microsoft 365 distribution list, they pass authentication mechanisms such as Sender Policy Framework, DomainKeys Identified Mail and Domain-based Message Authentication, Reporting and Conformance, making detection and prevention challenging for individuals and organizations.
The phishing attacks begin with the scammer registering a free Microsoft 365 test domain, valid for three months. Using the domain, the attacker then creates a distribution list that includes the victim’s email address alongside others. The scammer then generates a PayPal payment request and sends it to the distribution list. The Sender Rewrite Scheme ensures that the email appears legitimate, with no visible signs of tampering or forgery.
The email received by the potential victims closely resembles a valid PayPal payment request, complete with genuine-looking URLs and sender details. If recipients click the provided link, the redirect takes them to what appears to be a legitimate PayPal login page. Should the victims be unaware of the scam and enter their PayPal details at this point, the attacker gains access to their PayPal account along with the ability to perform unauthorized transactions.
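The relay pattern described above leaves traces in the message headers that a mail gateway or SOC script can look for: the envelope sender is rewritten by SRS to the relaying tenant's domain, SPF is evaluated against that tenant rather than the From: domain (so DMARC passes on DKIM alignment alone), and the recipient's own address is absent from To:/Cc: because the list expanded it. The following Python header check is an added defensive example written for this article; it is not code from FortiGuard Labs, PayPal or Microsoft. The sample messages, the tenant name `example-tenant.onmicrosoft.com`, the recipient `victim@example.net` and the `Authentication-Results` values are constructed; that SRS local parts begin with `SRS0=`/`SRS1=` and that Microsoft 365 tenants receive an `onmicrosoft.com` domain is general knowledge, not taken from the report.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Local parts produced by the Sender Rewrite Scheme begin with SRS0= or SRS1=.
SRS_LOCAL_PART = re.compile(r"^SRS[01]=", re.IGNORECASE)


def domain_of(header_value):
    """Return the lowercase domain of the first address in a header value ('' if none)."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_forwarding_risk(raw_message, recipient):
    """
    Return a list of indicator tags for a message delivered to `recipient`.
    An empty list means none of the relay heuristics fired.
    """
    msg = email.message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg.get("From", ""))
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    rp_domain = domain_of(return_path)
    rp_local = return_path.split("@", 1)[0]

    # 1. Envelope sender rewritten by SRS at a domain unrelated to From:
    #    the message reached us via a relay (list or forwarder), not directly.
    if SRS_LOCAL_PART.match(rp_local) and rp_domain and rp_domain != from_domain:
        findings.append(f"srs-rewrite:{rp_domain}")

    # 2. DMARC passed while SPF was checked against a different domain:
    #    alignment came only from the original DKIM signature, which
    #    forwarding preserves intact.
    auth = msg.get("Authentication-Results", "").lower()
    match = re.search(r"smtp\.mailfrom=([^;\s]+)", auth)
    spf_domain = match.group(1).rsplit("@", 1)[-1] if match else ""
    if "dmarc=pass" in auth and spf_domain and spf_domain != from_domain:
        findings.append("dmarc-pass-without-spf-alignment")

    # 3. Recipient absent from To:/Cc: -> delivered through list expansion.
    visible = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    }
    if recipient.lower() not in visible:
        findings.append("recipient-not-addressed")

    return findings


# Constructed sample: a genuine-looking payment request relayed through a
# Microsoft 365 test tenant's distribution list (header values are invented).
SAMPLE_RELAYED = """\
Return-Path: <SRS0=k9wq=KB=paypal.com=service@example-tenant.onmicrosoft.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example-tenant.onmicrosoft.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: PayPal <service@paypal.com>
To: billing-list@example-tenant.onmicrosoft.com
Subject: You have a payment request

A payment has been requested from your account.
"""

# Constructed sample: the same request sent directly to the recipient.
SAMPLE_DIRECT = """\
Return-Path: <service@paypal.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: You have a payment request

A payment has been requested from your account.
"""

if __name__ == "__main__":
    for label, sample in (("relayed", SAMPLE_RELAYED), ("direct", SAMPLE_DIRECT)):
        print(label, assess_forwarding_risk(sample, "victim@example.net"))
```

None of the three indicators is malicious on its own (plenty of legitimate mailing lists produce the first and second), which is why the function returns the tags rather than a verdict; a gateway rule would combine them with message content, for example treating any payment or money request that carries all three as a candidate for quarantine or for a banner telling the user the message arrived via a third-party list.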
Phishing schemes are far from new, but where this particular scheme becomes interesting is that not only does it use legitimate-looking emails and domains, but it also avoids the normal hallmarks of traditional phishing, such as suspicious URLs or poorly written emails. The FortiGuard Labs researchers note that even PayPal’s official guidelines for spotting phishing attempts may not help users identify this sophisticated scheme.
Stephen Kowski, field chief technology officer at SlashNext Email Security, told SiliconANGLE via email that it’s not new to see attackers exploit distribution lists in unexpected ways, and the PayPal twist is just another variation on that theme.
“Using neural networks to analyze social graph patterns and other advanced AI techniques in more modern security tools help spot these hidden interactions by analyzing user behaviors more deeply than static filters,” Kowski said. “That kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks. A thorough inspection of user interaction metadata will catch even this sneaky approach.”
Image: SiliconANGLE/DALL-E 3