Phish-free PayPal Phishing
Published 2025-01-08 14:00:00. Author: feeds.fortinet.com

As a CISO, I am always on high alert for phishing attempts, and this recent example immediately set off alarm bells. Most obviously, why am I even receiving this request? I don’t use my corporate email address in PayPal. Additionally, the To: address, “Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com,” is not mine.

Usually, this would result in a ‘report and move on’ action from me, but I was a little intrigued. Whenever I see a phishing email, I always think, WWMMD (what would my Mum do?). How would I have responded based on all the methods I have told her to look for?

Looking for the obvious phishing tell-tales

Firstly, the sender address appears to be valid and not spoofed.

…and the URL looks genuine.

At this point, this seems to be a genuine email—at least, my mum might think so. So, what is going on?

What’s the catch?

A genuine email can’t still be a problem, can it? Well, here is the catch in this instance. When you click on the link, you are redirected to a PayPal login page showing a request for payment. A panicked person may be tempted to log in with their account details, but this would be very dangerous. Logging in links your PayPal account with the address the request was sent to, not the address at which you received it. In this case, PayPal thinks it sent this request to Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com.

How does this work?

The scammer appears to have simply registered an MS365 test domain, which is free for three months, and then created a Distribution List (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) containing victim emails, as shown below:

On the PayPal web portal, they simply request the money and add the distribution list as the address:

This money request is then distributed to the targeted victims, and the Microsoft 365 SRS (Sender Rewrite Scheme) rewrites the sender to something like bounces+SRS=onDJv=S6[@]5ln7g7.onmicrosoft.com, which passes the SPF/DKIM/DMARC checks.

Once the panicking victim logs in to see what is going on, the scammer’s account (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) gets linked to the victim’s account. The scammer can then take control of the victim's PayPal account—a neat trick. It’s so neat, in fact, that it would sneak past even PayPal’s own phishing check instructions.

How do I protect myself?

The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall—someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look. This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves—and your organization—safe.

FortiMail Protection

This is a perfectly valid email in most ways. However, it is still possible to create a DLP rule to look for multiple conditions that indicate that this email is being sent via a distribution list. The following rule will successfully identify such a case.
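The post does not reproduce the FortiMail rule itself, so the following is an added example, not Fortinet's code, showing the same idea as a standalone header check: the request is not spoofed, but it carries the fingerprints of the relay described above (an SRS-rewritten envelope sender on a different domain from the From: address, and a To: header naming the distribution list rather than the mailbox that actually received it). The sample messages are constructed; `service@paypal.com` as the legitimate sender and the `TRUSTED_SENDER_DOMAINS` set are assumptions, and the distribution-list and SRS addresses are the ones quoted in the post.

```python
"""Flag a brand email that reached us through a third-party distribution list.

All three indicators must hold to raise an alert:
  1. From: is on a trusted brand domain (the message itself is genuine),
  2. Return-Path was rewritten by SRS (contains "+SRS=") and its domain
     no longer matches the From: domain,
  3. the mailbox the message was delivered to is absent from To:/Cc:,
     i.e. the request was addressed to the list, not to us.
"""
from email.parser import Parser
from email.utils import getaddresses, parseaddr

# Assumption: brands whose payment requests warrant this extra check.
TRUSTED_SENDER_DOMAINS = {"paypal.com"}
SRS_MARKER = "+srs="  # Sender Rewrite Scheme tag in the rewritten envelope sender


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _visible_recipients(msg) -> set:
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def distribution_list_indicators(raw_message: str, delivered_to: str) -> dict:
    """Return each indicator separately so an analyst can see which fired."""
    msg = Parser().parsestr(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = _domain(from_addr)
    return {
        "trusted_from": from_dom in TRUSTED_SENDER_DOMAINS,
        "srs_rewritten": SRS_MARKER in return_path.lower()
        and _domain(return_path) != from_dom,
        "recipient_hidden": delivered_to.lower() not in _visible_recipients(msg),
    }


def is_relayed_brand_request(raw_message: str, delivered_to: str) -> bool:
    """True when every indicator fires: a genuine brand email relayed via a list."""
    return all(distribution_list_indicators(raw_message, delivered_to).values())


# Constructed sample: the relay case from the post (header-only, body trimmed).
SAMPLE_RELAYED = """\
Return-Path: <bounces+SRS=onDJv=S6@5ln7g7.onmicrosoft.com>
From: "service@paypal.com" <service@paypal.com>
To: Billingdepartments1@gkjyryfjy876.onmicrosoft.com
Subject: You have a money request

Please review and pay this request.
"""

# Constructed sample: a direct message to our own mailbox, nothing rewritten.
SAMPLE_DIRECT = """\
Return-Path: <service@paypal.com>
From: "service@paypal.com" <service@paypal.com>
To: ciso@example.com
Subject: You have a money request

Please review and pay this request.
"""

if __name__ == "__main__":
    for label, sample in (("relayed", SAMPLE_RELAYED), ("direct", SAMPLE_DIRECT)):
        print(label, distribution_list_indicators(sample, "ciso@example.com"),
              "ALERT" if is_relayed_brand_request(sample, "ciso@example.com") else "ok")
```

Run this at the point where the delivered-to mailbox is known (a gateway or mailbox-side rule), since `Return-Path` is only stamped by the final delivering MTA. Legitimate internal distribution lists will also trip the third indicator on their own, which is why the check insists on all three and is better used to quarantine for review than to drop outright.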


Source: https://feeds.fortinet.com/~/910638929/0/fortinet/blog/threat-research~Phishfree-PayPal-Phishing