Another annoying case..
MailGun IPs, probably compromised MailGun accounts.. pointed to o365
list addresses, to get the invoice vishing through..
Subject: New invoice INV02214 from Healthy Eats Cafe LLC
From: Healthy Eats Cafe LLC <anjvvqg0ess2z_tw-omph...@getinvoicesimple.com>
To: norep...@hendrixwarrenbryan074.onmicrosoft.com
X-Mailgun-Tag: is-invoice
Umm.. MailGun, that isn't an invoice.. It's Phishing..
On 2024-12-11 01:33, Alessandro Vesely via mailop wrote:
On Tue 10/Dec/2024 23:23:51 +0100 Andrew C Aitchison wrote:
On Tue, 10 Dec 2024, Michael Peddemors via mailop wrote:
Ouch.. getting even harder for recipient spam protections to catch
this guy, given that o365 is also a 'too big to block'..
Standard PayPal Phone Scam we have seen coming from PayPal's own
infrastructure.. But now via o365.. redacted headers below..
(PayPal should have stopped this at the source long ago)
Maybe someone from o365 can confirm this..
(Also, a duplicate Return-Path problem)
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1733837110;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=4Bo+xEAj0oIFcgcXBsH4ZnETeria/8Hb5NVyfSlIlRE=;
b=J9gaiwmVtu2IwmWXt/DLX1M2PT1cqg2QgfzcQL0bjGpEjM+qf1bZKNquNonM0yUy
A5kq/qTWa0nVF74UCu4H+fPmmPfCEZ8ay8c30nA8l8s4CTVgg1arwjUHxeO60ZZ7
feTp3T41+M6qrsgFAGkGU6FGrmwucVCgtvhONS0vq3cNMwXvm7nMAuaSE45MPRsN
22JVgGMW3zMAQZEMgz1euMlXcmlwFoI5rnXo28E6usdq/jpZR/jq2Cq9k5QJPEvF
XE5QUY1yA4CwEy+awtojNwsm/B22e7sKozUkWpJPRaElrkKIGUuSadGkk07c+oCM
ECqgrKIHXb8KaospjDRdag==;
Ah yes, h= does not include Message-ID :-(
It wouldn't be a problem to replay a message preserving Message-ID.
The weak point is to allow the sender's note to cheat, giving the phish
number as if it were PayPal's. I understand PayPal don't want to put
their own phone number for people to call whenever in doubt. However,
they could put advice telling so, and where to report abuse.
Best
Ale
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
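
Added example, not part of the thread: a Python check of what the quoted DKIM-Signature actually covers, which is the point behind the "h= does not include Message-ID" remark, plus the gap between the t= signing time and receipt. The function names and the watched-header list are assumptions, and the bh=/b= values are replaced with placeholders.

```python
import re

# DKIM-Signature from the thread; bh=/b= shortened to constructed placeholders.
SAMPLE = """DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
 c=relaxed/relaxed;
 q=dns/txt; i=@paypal.com; t=1733837110;
 h=From:From:Subject:Date:To:MIME-Version:Content-Type;
 bh=PLACEHOLDER=;
 b=PLACEHOLDER=="""

# Headers a reviewer might want covered by the signature (assumption, adjust locally).
WATCHED = ("from", "to", "cc", "subject", "date", "message-id", "reply-to")


def parse_dkim_tags(header):
    """Split a DKIM-Signature header into its tag=value pairs (RFC 6376 tag-list)."""
    if header.lower().startswith("dkim-signature:"):
        header = header.split(":", 1)[1]
    tags = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def signed_header_coverage(tags, watched=WATCHED):
    """Report watched headers missing from h= and headers listed more than once."""
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    counts = {h: signed.count(h) for h in set(signed)}
    return {
        # Not in h=: can be changed or added without breaking the signature.
        "unsigned": [h for h in watched if h not in counts],
        # Listed twice: adding a second copy of that header breaks the signature.
        "oversigned": sorted(h for h, n in counts.items() if n > 1),
    }


def signature_age_seconds(tags, received_epoch):
    """Seconds between the t= signing time and receipt; None if t= is absent."""
    t = tags.get("t")
    return received_epoch - int(t) if t and t.isdigit() else None


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE)
    print(tags["d"], signed_header_coverage(tags))
    print("age:", signature_age_seconds(tags, 1733837110 + 3600))
```

A signature that verifies for d=paypal.com while the message arrives through unrelated infrastructure, with a large t= to receipt gap, is the pattern worth scoring here.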