Fortinet CISO Details ‘Phish-Free’ Phishing Scheme Using PayPal
A hacker is using Microsoft 365 test domains and self-created distribution lists in a phishing campaign that breaks from traditional methods to get past email security protections and entice victims to hand over their PayPal account information.
Calling the campaign “phish-free PayPal phishing,” Fortinet CISO Carl Windsor wrote in a report this week that “the beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid.”
Windsor was alerted to the scam when he received an email that looked like a reminder from PayPal for a payment request, in his case for $2,185.96. Both the sender’s address and the included URL looked legitimate. The problem comes when a victim clicks on the URL.
“When you click on the link, you are redirected to a PayPal login page showing a request for payment,” the CISO wrote. “A panicked person may be tempted to log in with their account details, but this would be very dangerous. It links your PayPal account address with the address it was sent to – not where you received it.”
In this case, the address was the distribution list that the bad actor created. When the victim logs in to see what the payment request is all about, the scammer’s account gets linked to the victim’s, allowing the hacker to take control of the victim’s PayPal account, which Windsor called “a neat trick. It’s so neat, in fact, that it would sneak past even PayPal’s own phishing check instructions.”
A Test Domain and Distribution List
The hacker apparently registered a Microsoft 365 test domain, which is free for three months. They then created a distribution list that included victims’ email addresses.
“On the PayPal web portal, they simply request the money and add the distribution list as the address,” he wrote. “This money request is then distributed to the targeted victims, and the Microsoft365 SRS (Sender Rewrite Scheme) rewrites the sender to [the hacker’s distribution list].”
Bypassing Email Protections
The scheme enables the scammer to bypass various authentication hurdles, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance), because the messages genuinely originate from PayPal rather than from a spoofed sender.
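Because the messages really do come from PayPal, SPF, DKIM and DMARC all pass and give a mail filter nothing to act on. What the report does expose are two header-level signals a defender can check: the envelope sender has been rewritten by SRS at a forwarding tenant, and the addressee named in the message is the distribution list, not the mailbox owner. The following is an added example, not code from Fortinet or the article; the sample messages, the `forwarder.example` domain and the `service@paypal.com` address are constructed placeholders, and the SRS0 address format follows the published Sender Rewriting Scheme layout.

```python
"""Header-based triage for forwarded payment-request mail (added example).

Not part of the Fortinet report or the article. The sample messages below are
constructed; their addresses, hash and domains are placeholders, not indicators.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# SRS0 envelope-sender layout from the Sender Rewriting Scheme:
#   SRS0=<hash>=<timestamp>=<original-domain>=<original-local>@<forwarder-domain>
SRS0_RE = re.compile(
    r"^SRS0=(?P<hash>[^=]+)=(?P<ts>[^=]+)=(?P<domain>[^=]+)=(?P<local>[^@]+)@(?P<forwarder>.+)$",
    re.IGNORECASE,
)

# Assumption: the payment platforms whose money requests this check triages.
PAYMENT_SENDER_DOMAINS = {"paypal.com"}

# Constructed sample: a genuine-looking request relayed through a forwarding tenant
# and addressed to a distribution list the mailbox owner never joined.
FORWARDED_MESSAGE = """\
Return-Path: <SRS0=h4sh=AB=paypal.com=service@forwarder.example>
From: "service@paypal.com" <service@paypal.com>
To: Billing Department <billing@forwarder.example>
Subject: Reminder: payment request
Authentication-Results: mx.example; dkim=pass header.d=paypal.com; dmarc=pass

You have a pending payment request.
"""

# Constructed sample: the same request delivered directly to the mailbox owner.
DIRECT_MESSAGE = """\
Return-Path: <service@paypal.com>
From: "service@paypal.com" <service@paypal.com>
To: Alice <alice@example.com>
Subject: Reminder: payment request
Authentication-Results: mx.example; dkim=pass header.d=paypal.com; dmarc=pass

You have a pending payment request.
"""


def parse_srs0(envelope_sender: str):
    """Return (original_sender, forwarder_domain) if SRS0-rewritten, else None."""
    m = SRS0_RE.match(envelope_sender.strip().strip("<>"))
    if not m:
        return None
    return f"{m['local']}@{m['domain']}", m["forwarder"].lower()


def triage_money_request(raw: str, mailbox_owner: str) -> list[str]:
    """Return reasons the message deserves a closer look; an empty list means nothing unusual."""
    msg = message_from_string(raw)
    reasons: list[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain not in PAYMENT_SENDER_DOMAINS:
        return reasons  # not a payment-platform message; outside this check's scope

    # 1. Was the message relayed through a forwarder? SRS rewrites Return-Path, not From,
    #    so a rewritten envelope sender on a platform notification is worth noting.
    srs = parse_srs0(msg.get("Return-Path", ""))
    if srs:
        original, forwarder = srs
        reasons.append(f"envelope sender rewritten by SRS at {forwarder} (originally {original})")

    # 2. Is the mailbox owner actually an addressee? A request sent to a distribution
    #    list names the list in To/Cc, so the owner's own address never appears.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers) if addr}
    if mailbox_owner.lower() not in recipients:
        reasons.append(f"{mailbox_owner} is not an addressee; To/Cc = {sorted(recipients)}")

    return reasons


if __name__ == "__main__":
    for label, sample in (("forwarded", FORWARDED_MESSAGE), ("direct", DIRECT_MESSAGE)):
        print(label, triage_money_request(sample, "alice@example.com"))
```

Neither signal is proof of fraud on its own: plenty of legitimate mail arrives through forwarders, and shared mailboxes receive mail addressed to aliases. The combination of a payment-platform sender, an SRS-rewritten envelope and a recipient who is not the mailbox owner is what makes a money request worth holding for review before anyone follows its link.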
“Standard phishing methods typically require threat actors to craft and deliver emails to a wide audience,” said Elad Luz, head of research at identity management vendor Oasis Security. “These methods are relatively easy for mailbox providers to detect and block, as they can be quickly identified by their origin and content.”
This campaign is different because the bad actor is exploiting a vendor to deliver the messages, so they come from a verified source and follow a template that is identical to legitimate messages – in this case, a standard PayPal payment request, Luz said.
“This makes them difficult for mailbox providers to distinguish from genuine communications, leaving PayPal as potentially the only entity capable of mitigating the issue,” he said. “Furthermore, since PayPal operates as a payment platform, it directly facilitates the threat actor’s end goal.”
AI, Human Awareness Could Help
Luz suggested that PayPal and similar companies, which are popular targets of threat actors, may want to consider delaying transactions to allow more time to detect fraudulent activity. He acknowledged the challenge this would pose for customer satisfaction and the need to compensate affected customers.
Stephen Kowski, field CTO at SlashNext Email Security+, said AI could help spot such schemes by analyzing user behaviors more deeply than static filters can.
“That kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks,” Kowski said. “A thorough inspection of user interaction metadata will catch even this sneaky approach.”
Fortinet’s Windsor pointed to what he called the “human firewall”—someone trained to be aware and cautious of any unsolicited email no matter how genuine it looks.
“This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves – and your organization – safe,” he wrote.