Full Report
A new PayPal phishing scam used genuine money requests, bypassing security checks to deceive recipients
Analysis Summary
This analysis focuses on the phishing technique described in the provided article snippet, which involves abusing PayPal's money request feature combined with Microsoft 365 email infrastructure to bypass security checks.
# Tool/Technique: PayPal Money Request Phishing via Microsoft 365 (SRS Abuse)
## Overview
This is a phishing execution technique where attackers initiate a legitimate PayPal money request, but route it through a Microsoft 365 environment using a free test domain. The goal is to deceive recipients into believing the request is authentic, often leading them to log into their PayPal accounts under duress.
## Technical Details
- Type: Technique (Social Engineering combined with infrastructure misuse)
- Platform: Email / Web services (Microsoft 365, PayPal)
- Capabilities: Bypassing typical sender authentication checks (DMARC/SPF/DKIM) due to modifications made by the M365 server infrastructure.
- First Seen: Recently identified (per the advisory mentioned).
## MITRE ATT&CK Mapping
Since this is a technique description rather than a specific piece of malware, the primary mapping relates to phishing and adversary-controlled infrastructure use:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Less likely, but possible if an attachment/link is present)
    - T1566.002 - Spearphishing via Service (Applicable, leveraging the PayPal service for delivery)
- **TA0006 - Credential Access**
  - T1078 - Valid Accounts (The goal is often to obtain credentials)
    - T1078.004 - Cloud Accounts (Targeting PayPal access)
## Functionality
### Core Capabilities
- **PayPal Money Request Abuse:** Utilizing the legitimate functionality of requesting money via PayPal as the core delivery mechanism for the lure.
- **Infrastructure Misuse:** Registering free Microsoft 365 test domains specifically for executing the scam.
- **Authentication Bypass:** Leveraging the **Microsoft Sender Rewrite Scheme (SRS)** function within M365, which rewrites the envelope sender (MAIL FROM / Return-Path) address when it receives and forwards mail, so that the message passes the *recipient's* sender authentication checks (SPF/DKIM evaluated against the rewritten delivery path rather than the original sender).
### Advanced Features
- **Deceptive Sender Spoofing:** The SRS modification ensures the resulting email appears valid to the recipient’s mail server, even though the original sender was potentially malicious or external to the M365 tenant.
- **Bypassing PayPal Security Checks:** The resulting PayPal notification containing the link successfully passes PayPal's internal security checks, enhancing the perceived legitimacy of the request.
## Indicators of Compromise
*The article does not provide specific hashes or infrastructure details, only the methodology.*
- File Hashes: [Not Available]
- File Names: [Not Available]
- Registry Keys: [Not Applicable]
- Network Indicators: [No specific, defanged C2 indicators provided in the context.]
- Behavioral Indicators: Receipt of a PayPal money request where the sender address appears legitimate, but the context is suspicious, potentially leading to an immediate click/login under duress.
## Associated Threat Actors
- Scammers / Phishing Operators (General description, no specific APT group named in the excerpt).
## Detection Methods
- **Signature-based detection:** Ineffective against this method as it relies on legitimate service functionality (M365 SRS, PayPal requests).
- **Behavioral detection:** Monitoring for unusual PayPal payment requests originating from internally routed or newly registered M365 tenants. Analyzing email headers for evidence of SRS rewriting discrepancies alongside PayPal notifications.
- **YARA rules:** [Not Available]
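As an added illustration of the header analysis described above (example code written for this report, not from the article or any vendor tool), the following Python flags a brand notification whose envelope sender was SRS-rewritten by a domain other than the brand's, and notes that an SPF pass on the rewritten sender is not aligned with the visible From domain. The SRS address shapes, the `.invalid` tenant domain and the message itself are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed SRS shapes: classic "SRS0=<hash>=<ts>=<orig-domain>=<orig-user>@<rewriter>"
# and the "<local>+SRS=<hash>=<ts>=<orig-domain>=<orig-user>@<rewriter>" variant.
SRS_RE = re.compile(
    r"(?:^SRS0=|\+SRS=)[^=]+=[^=]+=(?P<orig_domain>[^=]+)=(?P<orig_user>[^@]+)@(?P<rewriter>.+)$",
    re.IGNORECASE,
)
BRAND_DOMAIN = "paypal.com"  # brand whose genuine notifications the lure rides on

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def srs_parts(return_path):
    """(original sender domain, rewriting domain) if the envelope sender is SRS-rewritten."""
    m = SRS_RE.search(parseaddr(return_path or "")[1])
    return (m["orig_domain"].lower(), m["rewriter"].lower()) if m else None

def analyze(raw_message):
    """Return finding tags for a brand notification forwarded through a third-party tenant."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []
    srs = srs_parts(msg.get("Return-Path"))
    if srs:
        orig_domain, rewriter = srs
        if orig_domain == BRAND_DOMAIN and rewriter != BRAND_DOMAIN:
            findings.append(f"srs_rewrite_by_third_party:{rewriter}")
        # SPF "pass" was evaluated against the rewriter, which says nothing about the From domain
        if "spf=pass" in auth and rewriter != from_domain:
            findings.append("spf_pass_not_aligned_with_from")
    body = msg.get_payload(decode=True) or b""  # informational: lure wording in a brand mail
    if from_domain == BRAND_DOMAIN and re.search(rb"money request", body, re.IGNORECASE):
        findings.append("brand_money_request")
    return findings
# Constructed sample (not a real capture); the tenant domain is a placeholder.
SAMPLE = """\
Return-Path: <SRS0=a1b2=AB=paypal.com=service@tenant-placeholder.invalid>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=tenant-placeholder.invalid; dkim=pass header.d=paypal.com
From: "service@paypal.com" <service@paypal.com>
To: recipient@example.net
Subject: Money request received
Content-Type: text/plain

Someone sent you a money request for $499.00 USD. Review it in your account.
"""
```

Run `analyze(SAMPLE)` to see all three tags; a message delivered straight from the brand domain only yields the informational tag, so the SRS and alignment tags are what separate a forwarded lure from a genuine request.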
## Mitigation Strategies
- **Sender Authentication Verification:** Organizations must enforce strict DMARC policies (reject on failure) and must not treat an SPF pass on an SRS-rewritten envelope sender as proof that the visible From address is authentic; alignment with the From domain is what should be checked on the receiving end.
- **User Education:** Training users to hover over links and to verify PayPal requests directly via the official PayPal portal rather than clicking links in unsolicited emails/notifications.
- **M365 Configuration Review:** Reviewing configurations related to external relay and ensuring appropriate controls are placed on newly spun-up or free trial tenants that might be used for malicious activity.
## Related Tools/Techniques
- Standard Phishing Kits
- Abuse of legitimate cloud infrastructure (e.g., utilizing SharePoint, Exchange Online for phishing delivery).