top | item 43205220

0x0 | 1 year ago

I think I read somewhere that scammers set up an email distribution list / alias / forwarding from one something.onmicrosoft.com account to dozens of victims, and then they trigger a (real!) paypal email with that one something.onmicrosoft.com address as the recipient. So the email has a valid DKIM signature from paypal, then microsoft forwards that email to all the victims, which will still pass DKIM while amplifying the attack (and maybe boosted by microsoft's SPF reputation as well) to hit as many people as possible. Apparently the paypal emails are real but dangerous as they will allow the attacker to somehow take over the victim's account if they log in, as the "middleman" onmicrosoft.com alias then becomes associated with the account which was the original "to"-email from paypal. Something like that, at least.
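The relay the comment above describes leaves a recognisable header pattern at the final recipient: a DKIM signature from the brand that still verifies, an envelope sender belonging to the forwarding tenant, and a To: header naming the alias rather than the user. The following is an added example, not code from the thread or from any of the providers mentioned; it assumes the receiving MTA has already verified DKIM and SPF and only reasons about alignment, and the sample headers (tenant name, selector, signature values) are constructed.

```python
# Added example (not from the thread). Assumes the receiving MTA already
# verified the DKIM signature and SPF; this only reasons about alignment.
from email import message_from_string
from email.utils import getaddresses
import re

# Constructed sample: brand-signed mail delivered via a tenant forwarding alias.
SAMPLE = """\
Return-Path: <bounce@example-tenant.onmicrosoft.com>
From: "PayPal" <service@paypal.com>
To: <shared-alias@example-tenant.onmicrosoft.com>
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=sel; h=from:to; bh=X; b=Y
Subject: You have a money request

(body)
"""

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def dkim_domains(msg):
    # d= tag of each DKIM-Signature header (the signing domains).
    out = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            out.add(m.group(1).lower())
    return out

def envelope_domain(msg):
    # Return-Path is the envelope sender that SPF was evaluated against.
    addrs = [a for _, a in getaddresses(msg.get_all("Return-Path", []))]
    return _domain(addrs[0]) if addrs else ""

def analyse(raw, my_address):
    msg = message_from_string(raw)
    froms = [a for _, a in getaddresses(msg.get_all("From", []))]
    from_dom = _domain(froms[0]) if froms else ""
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    dkim_aligned = from_dom in dkim_domains(msg)
    spf_aligned = envelope_domain(msg) == from_dom
    # DMARC needs only one aligned pass, so a surviving DKIM signature is enough.
    dmarc_pass = dkim_aligned or spf_aligned
    # Signed by the brand, envelope owned by someone else, and the user is not a
    # named recipient: the message reached them through a forwarder or list.
    relayed = dkim_aligned and not spf_aligned and my_address.lower() not in rcpts
    return {"dmarc_pass": dmarc_pass, "relayed_brand_mail": relayed, "from_domain": from_dom}
```

`analyse(SAMPLE, "victim@example.org")` reports `dmarc_pass` True and `relayed_brand_mail` True, which is the case a mailbox provider could surface with a warning banner even though DMARC itself is satisfied.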

citrin_ru | 1 year ago

Messages pass DMARC because they originate at PayPal servers (and have valid DKIM), but O365 is abused to spread these messages and MS is doing little to stop the abuse.

compass_copium | 1 year ago

Is there a legitimate reason for them to forward paypal emails? Why not just not let that happen under any circumstances?

0x0 | 1 year ago

Most email providers support mail forwarding and distribution lists, but maybe they should have added some sort of opt-in confirmation when adding recipients outside the local domain...?

redundantly | 1 year ago

I imagine it's because PayPal uses Azure in some capacity.

singron | 1 year ago

If you use PayPal for your business, you might want the emails to go to a list for redundancy.