Ouch.. getting even harder for recipient spam protections to catch this guy, given that o365 is also a 'too big to block'..

Standard PayPal Phone Scam we have seen coming from PayPal's own infrastructure.. But now via o365.. redacted headers below..

(PayPal should have stopped this at the source long ago)

Maybe someone from o365 can confirm this..

(Also, a duplicate Return-Path problem)

Return-Path: <bounces+srs=9yaro=td@highlandspark.store>
Received: from mail-psaapc01lp2042.outbound.protection.outlook.com (HELO APC01-PSA-obe.outbound.protection.outlook.com) (104.47.26.42)
        by be.cityemail.com with  (TLS_AES_256_GCM_SHA384 encrypted) ESMTPS
        (8698d6c0-b705-11ef-8ed5-4730eb8cb971); Tue, 10 Dec 2024 06:46:24 -0800
Received: from SEZPR04MB6682.apcprd04.prod.outlook.com (2603:1096:101:e3::14)
 by KL1PR0401MB6465.apcprd04.prod.outlook.com (2603:1096:820:9d::8) with
 Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8207.24; Tue, 10 Dec
 2024 14:46:10 +0000
Received: from JH0PR04MB7411.apcprd04.prod.outlook.com (2603:1096:990:47::6)
 by SEZPR04MB6682.apcprd04.prod.outlook.com (2603:1096:101:e3::14) with
 Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8230.18; Tue, 10 Dec
 2024 14:45:59 +0000
Received: from JH0PR04MB7411.apcprd04.prod.outlook.com
 ([fe80::f384:c663:7c1c:c4f1]) by JH0PR04MB7411.apcprd04.prod.outlook.com
([fe80::f384:c663:7c1c:c4f1%2]) with mapi id 15.20.8230.016; Tue, 10 Dec 2024
 14:45:58 +0000
Received: from SG2PR02CA0015.apcprd02.prod.outlook.com (2603:1096:3:17::27) by KL1PR04MB7210.apcprd04.prod.outlook.com (2603:1096:820:fe::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.8230.19; Tue, 10 Dec 2024 13:40:13 +0000
Received: from SG2PEPF000B66CA.apcprd03.prod.outlook.com
 (2603:1096:3:17:cafe::8a) by SG2PR02CA0015.outlook.office365.com
 (2603:1096:3:17::27) with Microsoft SMTP Server (version=TLS1_3,
cipher=TLS_AES_256_GCM_SHA384) id 15.20.8230.15 via Frontend Transport; Tue,
 10 Dec 2024 13:40:13 +0000
Authentication-Results: spf=pass (sender IP is 173.0.84.234)
 smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
 173.0.84.234 as permitted sender) receiver=protection.outlook.com;
 client-ip=173.0.84.234; helo=mx10.slc.paypal.com; pr=C
Received: from mx10.slc.paypal.com (173.0.84.234) by
 SG2PEPF000B66CA.mail.protection.outlook.com (10.167.240.22) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.8230.7 via Frontend Transport; Tue, 10 Dec 2024 13:40:12 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
        q=dns/txt; i=@paypal.com; t=1733837110;
        h=From:From:Subject:Date:To:MIME-Version:Content-Type;
        bh=4Bo+xEAj0oIFcgcXBsH4ZnETeria/8Hb5NVyfSlIlRE=;
        b=J9gaiwmVtu2IwmWXt/DLX1M2PT1cqg2QgfzcQL0bjGpEjM+qf1bZKNquNonM0yUy
        A5kq/qTWa0nVF74UCu4H+fPmmPfCEZ8ay8c30nA8l8s4CTVgg1arwjUHxeO60ZZ7
        feTp3T41+M6qrsgFAGkGU6FGrmwucVCgtvhONS0vq3cNMwXvm7nMAuaSE45MPRsN
        22JVgGMW3zMAQZEMgz1euMlXcmlwFoI5rnXo28E6usdq/jpZR/jq2Cq9k5QJPEvF
        XE5QUY1yA4CwEy+awtojNwsm/B22e7sKozUkWpJPRaElrkKIGUuSadGkk07c+oCM
        ECqgrKIHXb8KaospjDRdag==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Tue, 10 Dec 2024 05:25:10 -0800
Message-ID: <FD.55.64208.63148576@ccg13mail10>
MIME-Version: 1.0
From: "serv...@paypal.com" <serv...@paypal.com>
To: "noreplies2@highlandspark. store" <noreplies2@highlandspark.store>
Subject: Invoice from JOHN WILLIAMS (0137)
X-MaxCode-Template: RT000238
X-PP-Priority: 0-none-true
PP-Correlation-Id: f930175d3bf65
X-PP-Email-transmission-Id: 2e2f0ff2-b6fa-11ef-bdeb-0580ea13bcaa
X-PP-REQUESTED-TIME: 1733837106251
X-Email-Type-Id: RT000238
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval
Return-Path: serv...@paypal.com
.....


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
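
Added example, not part of the original post: a Python check for the header pattern shown above, where a message that still carries a DKIM pass for the From domain arrives with an SRS-rewritten envelope from another domain, a To header that is not the recipient, and two Return-Path headers. The sample headers are constructed (modelled on the redacted ones), and `relay_indicators`, `rcpt_domain` and the indicator names are illustrative; it reads the upstream Authentication-Results as-is rather than verifying DKIM itself.

```python
import email
from email.utils import parseaddr

# Constructed sample, modelled on the redacted headers in the post (values shortened).
SAMPLE = """\
Return-Path: <bounces+srs=abcde=td@relay-tenant.example>
Received: from mail-out.outbound.protection.outlook.com (192.0.2.10)
 by mx.recipient.example with ESMTPS; Tue, 10 Dec 2024 06:46:24 -0800
Authentication-Results: spf=pass (sender IP is 198.51.100.7)
 smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
From: "service@paypal.com" <service@paypal.com>
To: "noreplies2@relay-tenant.example" <noreplies2@relay-tenant.example>
Subject: Invoice from JOHN WILLIAMS (0137)
Return-Path: service@paypal.com

body
"""

def domain(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def relay_indicators(raw, rcpt_domain):
    """Return the names of forwarding/replay indicators found in the headers."""
    msg = email.message_from_string(raw)
    paths = msg.get_all("Return-Path", [])  # topmost one is the final-hop envelope sender
    env_local, _, env_dom = parseaddr(paths[0])[1].lower().rpartition("@") if paths else ("", "", "")
    from_dom, to_dom = domain(msg.get("From", "")), domain(msg.get("To", ""))
    # Upstream-supplied header (assumption: taken at face value, not re-verified here).
    auth = " ".join(msg.get("Authentication-Results", "").split()).lower()
    hits = []
    if len(paths) > 1:
        hits.append("duplicate-return-path")
    if "srs=" in env_local or env_local.startswith("srs0"):
        hits.append("srs-rewritten-envelope")
    if env_dom and env_dom != from_dom:
        hits.append("envelope-domain-differs-from-header-from")
    if to_dom and to_dom != rcpt_domain:
        hits.append("to-header-not-recipient-domain")
    if to_dom and to_dom == env_dom:
        hits.append("to-header-matches-relay-domain")
    if f"header.d={from_dom}" in auth and "dkim=pass" in auth and env_dom != from_dom:
        hits.append("dkim-pass-carried-through-relay")
    return hits

if __name__ == "__main__":
    for h in relay_indicators(SAMPLE, "recipient.example"):
        print(h)
```

No single indicator is conclusive, since legitimate forwarding and mailing lists also rewrite the envelope; the combination is what matches the message in the post.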
