The instances of this we've seen aren't actually phishing, just fraud. Generating invoices via PayPal to an o365 address that then forwards that out to the final recipient.
In the cases we've seen, if you look at the links they do actually go to PayPal and the invoice does actually exist there. My assumption on this was that they're casting a huge net with the invoices and just hoping that any of the targets pays it. I.e. generate an invoice, send it to 1,000 people and your chances of that 1 in 1000 paying it are higher than if you sent it one-by-one to your targets. Phishing would be directing them to a non-legitimate site to steal their credentials, not a legitimate site to steal their money [fraudulently due to an unauthorized invoice].

Thank you,

Michael Denney
MDDHosting LLC
http://www.mddhosting.com/

> On Dec 10, 2024, at 11:33 AM, Michael Peddemors via mailop
> <mailop@mailop.org> wrote:
>
> Ouch.. getting even harder for recipient spam protections to catch this guy,
> given that o365 is also a 'too big to block'..
>
> Standard Paypal Phone Scam we have seen coming from PayPal's own
> infrastructure.. But now via o365.. redacted headers below..
>
> (PayPal should have stopped this at the source long ago)
>
> Maybe someone from o365 can confirm this..
>
> (Also, a duplicate Return-Path problem)
>
> Return-Path: <bounces+srs=9yaro=td@highlandspark.store>
> Received: from mail-psaapc01lp2042.outbound.protection.outlook.com (HELO
> APC01-PSA-obe.outbound.protection.outlook.com) (104.47.26.42)
> by be.cityemail.com with (TLS_AES_256_GCM_SHA384 encrypted) ESMTPS
> (8698d6c0-b705-11ef-8ed5-4730eb8cb971); Tue, 10 Dec 2024 06:46:24 -0800
> Received: from SEZPR04MB6682.apcprd04.prod.outlook.com (2603:1096:101:e3::14)
> by KL1PR0401MB6465.apcprd04.prod.outlook.com (2603:1096:820:9d::8) with
> Microsoft SMTP Server (version=TLS1_2,
> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8207.24; Tue, 10 Dec
> 2024 14:46:10 +0000
> Received: from JH0PR04MB7411.apcprd04.prod.outlook.com (2603:1096:990:47::6)
> by SEZPR04MB6682.apcprd04.prod.outlook.com (2603:1096:101:e3::14) with
> Microsoft SMTP Server (version=TLS1_2,
> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8230.18; Tue, 10 Dec
> 2024 14:45:59 +0000
> Received: from JH0PR04MB7411.apcprd04.prod.outlook.com
> ([fe80::f384:c663:7c1c:c4f1]) by JH0PR04MB7411.apcprd04.prod.outlook.com
> ([fe80::f384:c663:7c1c:c4f1%2]) with mapi id 15.20.8230.016; Tue, 10 Dec 2024
> 14:45:58 +0000
> Received: from SG2PR02CA0015.apcprd02.prod.outlook.com (2603:1096:3:17::27) by
> KL1PR04MB7210.apcprd04.prod.outlook.com (2603:1096:820:fe::7) with Microsoft
> SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
> 15.20.8230.19; Tue, 10 Dec 2024 13:40:13 +0000
> Received: from SG2PEPF000B66CA.apcprd03.prod.outlook.com
> (2603:1096:3:17:cafe::8a) by SG2PR02CA0015.outlook.office365.com
> (2603:1096:3:17::27) with Microsoft SMTP Server (version=TLS1_3,
> cipher=TLS_AES_256_GCM_SHA384) id 15.20.8230.15 via Frontend Transport; Tue,
> 10 Dec 2024 13:40:13 +0000
> Authentication-Results: spf=pass (sender IP is 173.0.84.234)
> smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
> header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
> Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
> 173.0.84.234 as permitted sender) receiver=protection.outlook.com;
> client-ip=173.0.84.234; helo=mx10.slc.paypal.com; pr=C
> Received: from mx10.slc.paypal.com (173.0.84.234) by
> SG2PEPF000B66CA.mail.protection.outlook.com (10.167.240.22) with Microsoft
> SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
> 15.20.8230.7 via Frontend Transport; Tue, 10 Dec 2024 13:40:12 +0000
> DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
> c=relaxed/relaxed;
> q=dns/txt; i=@paypal.com; t=1733837110;
> h=From:From:Subject:Date:To:MIME-Version:Content-Type;
> bh=4Bo+xEAj0oIFcgcXBsH4ZnETeria/8Hb5NVyfSlIlRE=;
> b=J9gaiwmVtu2IwmWXt/DLX1M2PT1cqg2QgfzcQL0bjGpEjM+qf1bZKNquNonM0yUy
> A5kq/qTWa0nVF74UCu4H+fPmmPfCEZ8ay8c30nA8l8s4CTVgg1arwjUHxeO60ZZ7
> feTp3T41+M6qrsgFAGkGU6FGrmwucVCgtvhONS0vq3cNMwXvm7nMAuaSE45MPRsN
> 22JVgGMW3zMAQZEMgz1euMlXcmlwFoI5rnXo28E6usdq/jpZR/jq2Cq9k5QJPEvF
> XE5QUY1yA4CwEy+awtojNwsm/B22e7sKozUkWpJPRaElrkKIGUuSadGkk07c+oCM
> ECqgrKIHXb8KaospjDRdag==;
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/html; charset="UTF-8"
> Date: Tue, 10 Dec 2024 05:25:10 -0800
> Message-ID: <FD.55.64208.63148576@ccg13mail10>
> MIME-Version: 1.0
> From: "serv...@paypal.com" <serv...@paypal.com>
> To: "noreplies2@highlandspark. store" <noreplies2@highlandspark.store>
> Subject: Invoice from JOHN WILLIAMS (0137)
> X-MaxCode-Template: RT000238
> X-PP-Priority: 0-none-true
> PP-Correlation-Id: f930175d3bf65
> X-PP-Email-transmission-Id: 2e2f0ff2-b6fa-11ef-bdeb-0580ea13bcaa
> X-PP-REQUESTED-TIME: 1733837106251
> X-Email-Type-Id: RT000238
> AMQ-Delivery-Message-Id: nullval
> X-XPT-XSL-Name: nullval
> Return-Path: serv...@paypal.com
> .....
>
>
> --
> "Catch the Magic of Linux..."
> ------------------------------------------------------------------------
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
> ------------------------------------------------------------------------
> 604-682-0300 Beautiful British Columbia, Canada
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
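A receiver-side triage check for the pattern both posts describe, a genuine DMARC-passing PayPal invoice relayed through a third party's o365 mailbox to the real target, added here as an example and not part of either message. It parses a constructed header sample cut down from the redacted headers quoted above and reports the forwarding tell-tales a filter can act on: two Return-Path headers, an SRS-rewritten envelope sender at a domain other than the From domain, and a To: address that is not the mailbox that received the copy; the `local_recipients` set and the `victim@example.com` mailbox are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample, cut down from the redacted headers quoted in this thread:
# the DKIM signature and the Received hops are left out, and the archive's
# redacted "serv...@paypal.com" sender is kept as shown.
SAMPLE = """\
Return-Path: <bounces+srs=9yaro=td@highlandspark.store>
Authentication-Results: spf=pass (sender IP is 173.0.84.234)
 smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
From: "serv...@paypal.com" <serv...@paypal.com>
To: <noreplies2@highlandspark.store>
Subject: Invoice from JOHN WILLIAMS (0137)
Return-Path: serv...@paypal.com

"""

# Local parts produced by the Sender Rewriting Scheme when a forwarder rewrites MAIL FROM.
SRS_LOCALPART = re.compile(r"^(srs[01]=|bounces\+srs=)", re.I)


def forwarded_invoice_indicators(raw: str, local_recipients: set[str]) -> list[str]:
    """Return the reasons a message looks like an invoice relayed through a third party."""
    msg = message_from_string(raw)
    found = []
    return_paths = msg.get_all("Return-Path", [])
    if len(return_paths) > 1:
        found.append(f"{len(return_paths)} Return-Path headers: the forwarder kept the original")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if return_paths:
        # The outermost Return-Path is the envelope sender the receiving MTA actually saw.
        local, _, env_domain = parseaddr(return_paths[0])[1].rpartition("@")
        if SRS_LOCALPART.match(local) and env_domain.lower() != from_domain:
            found.append(f"SRS-rewritten envelope sender at {env_domain}, From is {from_domain}")
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    if to_addrs and not to_addrs & {r.lower() for r in local_recipients}:
        found.append(f"To: {sorted(to_addrs)} is not a local recipient: the copy was relayed")
    if found and "dmarc=pass" in msg.get("Authentication-Results", ""):
        found.append(f"DMARC passes for {from_domain}: authentication alone will not catch this")
    return found


if __name__ == "__main__":
    # "victim@example.com" stands in for the mailbox that actually received the copy (assumed).
    for reason in forwarded_invoice_indicators(SAMPLE, {"victim@example.com"}):
        print("-", reason)
```

None of these checks touch the PayPal signature itself, which is the point: the invoice is real and authenticates cleanly, so the signal has to come from the relay path and the recipient mismatch.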