
How hackers are using this Microsoft 365 feature to target PayPal accounts

Cybercriminals are reportedly abusing the SRS (Sender Rewrite Scheme) feature within Microsoft 365 to trick PayPal users and gain control over their accounts.

February 05, 2025 / 18:31 IST

As part of an unusual phishing campaign, cybercriminals are reportedly abusing the SRS (Sender Rewrite Scheme) feature within Microsoft 365 to trick PayPal users and gain control over their accounts. Targeted PayPal account holders log in to their accounts to make payments, but it is actually the hackers who end up taking control of those accounts, as per a report by Dark Reading. The report is based on a blog post by Carl Windsor, Chief Information Security Officer (CISO) at Fortinet Labs, who claims to have been targeted himself.

According to Windsor, the phishing attack is unconventional as the email address of the sender and the URL provided seem to be genuine. Generally, emails used in a phishing attack look suspicious.

Hackers are reportedly exploiting a Microsoft 365 feature to create a test domain, which helps them build an email distribution list, and then targeting PayPal users by sending payment requests. Since the email address (“service@paypal.com”) and the URL look legitimate, the payment-request messages could be construed as genuine requests from PayPal.

How the PayPal phishing campaign works

“This money request is then distributed to the targeted victims, and the Microsoft365 SRS (Sender Rewrite Scheme) rewrites the sender to, e.g., bounces+SRS=onDJv=S6[@]5ln7g7.onmicrosoft.com, which will pass the SPF/DKIM/DMARC check. Once the panicking victim logs in to see what is going on, the scammer’s account, (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com, in this case) gets linked to the victim’s account. The scammer can then take control of the victim's PayPal account—a neat trick. It’s so neat, in fact, that it would sneak past even PayPal’s own phishing check instructions”, the Fortinet CISO said in the blog post.

How to protect yourself against PayPal phishing campaign

According to Windsor, the best way to protect your PayPal account from such attacks is to use “the Human Firewall - someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look. This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves—and your organization—safe.”

He also advises creating a Data Loss Prevention (DLP) rule that looks for multiple conditions indicating that the email was sent via a distribution list.
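A sketch of the kind of multi-condition check such a rule could apply, written as an added example and not taken from the article or from Fortinet. The four conditions, the threshold of three, and the function names are assumptions, and the sample headers are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# SRS-rewritten bounce address on a Microsoft 365 tenant domain, in the shape
# quoted in the article: bounces+SRS=<hash>=<tag>@<tenant>.onmicrosoft.com
SRS_TENANT = re.compile(r"^bounces\+srs=[^@]+@[a-z0-9-]+\.onmicrosoft\.com$", re.I)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def distribution_list_signals(raw_message, recipient):
    """Return the assumed distribution-list conditions that one message meets."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    signals = []
    if SRS_TENANT.match(return_path):
        signals.append("srs_onmicrosoft_return_path")
    # Common for legitimate bulk mail too, so it only counts alongside the others.
    if from_addr and return_path and domain(from_addr) != domain(return_path):
        signals.append("from_return_path_domain_mismatch")
    if to_addrs and recipient.lower() not in to_addrs:
        signals.append("recipient_not_in_to_header")
    if any(domain(a).endswith(".onmicrosoft.com") for a in to_addrs):
        signals.append("to_header_is_tenant_address")
    return signals

def should_quarantine(raw_message, recipient, threshold=3):
    # Hypothetical policy: act only when several conditions hold together.
    return len(distribution_list_signals(raw_message, recipient)) >= threshold

# Constructed sample headers (not taken from the campaign).
SUSPECT = "\n".join([
    "Return-Path: <bounces+SRS=AbCdE=F1@example-tenant.onmicrosoft.com>",
    "From: PayPal <service@paypal.com>",
    "To: billing-list@example-tenant.onmicrosoft.com",
    "Subject: Money request", "", "body"])
DIRECT = "\n".join([
    "Return-Path: <bounces@paypal.com>",
    "From: PayPal <service@paypal.com>",
    "To: alice@example.org",
    "Subject: Receipt", "", "body"])

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("direct", DIRECT)):
        print(name, distribution_list_signals(raw, "alice@example.org"))
```

Because the rewritten sender passes SPF/DKIM/DMARC, the check relies on header relationships and does not consult authentication results.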


Utkarsh Saurbh
first published: Feb 5, 2025 06:30 pm
