For the record, the same actor appears to be doing the same thing with
Docusign through o365
Sender: DocuSign NA4 System <dse_...@docusign.net>
Reply-To: "Alina Watson" <gtckesh...@puffmail.shop>
Feedback-ID: 1:523eb52b4e53ae6db5e19a7961b3c6ae:RecipientEnvelopeComplete:Docusign_Prod
X-DS-Score: 1
From: "Alina Watson via Docusign" <dse_...@docusign.net>
On 2024-12-10 14:34, Michael Peddemors via mailop wrote:
For the record, this has been going on for some months now..
We have been even keeping track of the phone numbers used in this scam,
but we already notice that they are attempting to obfuscate the phone
numbers..
As Louis pointed out, it's the 'sellers note' that is being abused.. as
well as the underlying invoice system itself, to change the destination
email address for the invoice..
For those of you who have NOT yet seen one of these, including a
snapshot as an attachment..
On 2024-12-10 14:10, Michael Denney via mailop wrote:
Aha!
That makes perfect sense - and I'm not sure how I overlooked that detail.
Much appreciated for clarifying that.
I too have had no luck getting PayPal to do anything about it,
although I didn't point out the phishing part as I honestly hadn't
noticed that. I just looked at the headers to see if the email was
legitimately from PayPal and not the content... rookie mistake.
Thank you,
Michael Denney
MDDHosting LLC
http://www.mddhosting.com/
On Dec 10, 2024, at 5:00 PM, Louis via mailop <mailop@mailop.org> wrote:
I've been getting these as well. They get DKIM signed messages and
then resend them to another recipient. Could be automatic forwarding,
but they could also be manually resending it. They do not alter the
message, so DKIM passes. So, what's the deal, you ask?
Inside the "seller's note" is a text about contacting PayPal at some
phone number if you don't recognize the transaction, which is where
you'll get phished. As at that point you're calling the phisher.
So yes, it's phishing. No, DKIM isn't at fault here. If PayPal didn't
allow user generated content in these emails, this issue would not
exist. It's completely on PayPal side. I've already reported this
instance to them on Thursday, but I remember many months ago we had
the exact topic. PayPal must be aware, they're just not doing
anything about it.
Groetjes,
Louis
On Tuesday, December 10, 2024 10:20 PM, Michael Denney via mailop
<mailop@mailop.org> wrote:
Are they modifying the message as a part of the relay to adjust
the phone number?
Isn’t DKIM supposed to prevent in-flight modification of emails?
It looks like based upon the headers provided - the original
message is dkim signed.
Maybe it’s being stripped out when it’s relayed?
Regardless - when we reached out to PayPal we couldn’t manage to
get anyone to understand what was happening. Microsoft has been
even less helpful.
Thank you,
Michael Denney
MDDHosting LLC
https://www.mddhosting.com/
On Dec 10, 2024, at 2:18 PM, Faisal Misle via mailop <mailop@mailop.org> wrote:
No, as far as I understand, that's the name of the forwarder
address. Whether a mailbox or a distribution list.
Best,
Faisal
On Dec 10, 2024, at 7:54 PM, Alessandro Vesely via mailop <mailop@mailop.org> wrote:
On Tue 10/Dec/2024 17:49:38 +0100 Laura Atkins wrote:
There is a huge amount of replay going on right now with
domains that are p=reject. Venmo is getting hit - and it’s
coming through various infrastructures.
So the To: "noreplies2@highlandspark.store" <noreplies2@highlandspark.store> line was bogus?
Best
Ale
--
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
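A heuristic for the pattern described in this thread (a DKIM-passing brand message resent unmodified to a recipient who is not in its headers, with a callback phone number in the body), as an added example that is not part of any poster's message. The watched domains, indicator names, function names and the sample message are constructed assumptions, and the envelope recipient is assumed to be supplied by the receiving MTA.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

WATCHED = {"paypal.com", "docusign.net"}          # assumption: brands to watch
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")      # loose phone-number pattern

# Constructed sample: signed brand mail addressed to a forwarder, not the victim.
SAMPLE = """\
Authentication-Results: mx.example.org; dkim=pass header.d=paypal.com; spf=fail
From: "service@paypal.com" <service@paypal.com>
To: "noreplies" <noreplies@forwarder.example>
Subject: Invoice from Example Seller

Seller note: if you do not recognize this charge call +1 (555) 010-0199.
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def replay_indicators(raw, envelope_rcpt):
    """Return the replay / callback-phishing indicators found in one message."""
    msg = message_from_string(raw)
    hits = []
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth, re.I)
    signer = m.group(1).lower() if m else ""
    if not any(signer == d or signer.endswith("." + d) for d in WATCHED):
        return hits  # only DKIM-passing mail from watched brands is scored
    # Replay sign: the RCPT TO address never appears in the signed To/Cc headers.
    hdr_rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    listed = {a.lower() for _, a in getaddresses(hdr_rcpts)}
    if envelope_rcpt.lower() not in listed:
        hits.append("rcpt-not-in-headers")
    # Replies steered away from the brand (as in the Docusign headers above).
    from_dom = domain(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-domain-mismatch")
    # Callback lure: user-supplied text carrying a phone number.
    body = msg.get_payload()
    if isinstance(body, str) and PHONE.search(body):
        hits.append("phone-number-in-body")
    return hits

if __name__ == "__main__":
    print(replay_indicators(SAMPLE, "victim@example.net"))
```

A recipient missing from the headers also occurs with Bcc and list mail, so the indicators are meant to be scored together rather than used alone.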