The changes to EXO on SRS were relatively recent, back in 2021.

https://learn.microsoft.com/en-us/exchange/reference/sender-rewriting-scheme


- Mark Alley


On 12/13/2024 3:34 PM, Louis via mailop wrote:

Interesting! I'm surprised they forward email that fails SPF at all. Is that mostly a legacy thing? You don't see much legitimate email that fails SPF nowadays.

Groetjes,
Louis


On Friday, December 13, 2024 10:01 PM, Mark Alley via mailop <mailop@mailop.org> wrote:

    Based on what I'm seeing in those headers, SRS did not happen
    because it did not satisfy the conditions to have it apply.

    SRS will only apply if SPF passed authentication at the time
    Exchange Online (EXO) received it. If it failed SPF auth, EXO
    won't rewrite the RFC5321.mailfrom to preserve the failed result.

    - Mark Alley

    On 12/13/2024 2:36 PM, Jarland Donnell via mailop wrote:
    Sorry if I missed part of the discussion, but now they're
    circumventing the SRS headers and Microsoft is straight up
    spoofing PayPal envelope senders. First catch of this for me was
    today. Here's a look: https://mxbin.io/89sXAc

    The logs showing the envelope sender quite clearly as well:

    2024-12-13 19:22:25 1tMBF2-0000000F7eV-386r <= serv...@paypal.com
    H=mail-koreacentralazlp17013079.outbound.protection.outlook.com
    (SEYPR02CU001.outbound.protection.outlook.com) [40.93.138.79]
    P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=51168
    DKIM=paypal.com id=CE.66.22381.7B87C576@ccg01mail10 T="You've got
    a money request" from <serv...@paypal.com> for jarl...@mxroute.com

    Someone at Microsoft needs to get on this ASAP, and PayPal needs
    to have more faith in their SPF record and trade that soft fail.
    This is looking pretty bad. I'm considering this a friendly nudge
    to anyone watching this mailing list from both companies.

    On 2024-12-10 10:33, Michael Peddemors via mailop wrote:
    Ouch.. getting even harder for recipient spam protections to
    catch this guy, given that o365 is also a 'too big to block'..

    Standard Paypal Phone Scam we have seen coming from PayPal's own
    infrastructure.. But now via o365.. redacted headers below..

    (PayPal should have stopped this at the source long ago)

    Maybe someone from o365 can confirm this..

    (Also, a duplicate Return-Path problem)

    Return-Path: <bounces+srs=9yaro=td@highlandspark.store>
    Received: from
    mail-psaapc01lp2042.outbound.protection.outlook.com (HELO
    APC01-PSA-obe.outbound.protection.outlook.com) (104.47.26.42)
        by be.cityemail.com with  (TLS_AES_256_GCM_SHA384 encrypted)
    ESMTPS
        (8698d6c0-b705-11ef-8ed5-4730eb8cb971); Tue, 10 Dec 2024
    06:46:24 -0800
    Received: from SEZPR04MB6682.apcprd04.prod.outlook.com
    (2603:1096:101:e3::14)
     by KL1PR0401MB6465.apcprd04.prod.outlook.com
    (2603:1096:820:9d::8) with
     Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8207.24;
    Tue, 10 Dec
     2024 14:46:10 +0000
    Received: from JH0PR04MB7411.apcprd04.prod.outlook.com
    (2603:1096:990:47::6)
     by SEZPR04MB6682.apcprd04.prod.outlook.com
    (2603:1096:101:e3::14) with
     Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8230.18;
    Tue, 10 Dec
     2024 14:45:59 +0000
    Received: from JH0PR04MB7411.apcprd04.prod.outlook.com
     ([fe80::f384:c663:7c1c:c4f1]) by
    JH0PR04MB7411.apcprd04.prod.outlook.com
     ([fe80::f384:c663:7c1c:c4f1%2]) with mapi id 15.20.8230.016;
    Tue, 10 Dec 2024
     14:45:58 +0000
    Received: from SG2PR02CA0015.apcprd02.prod.outlook.com
    (2603:1096:3:17::27) by
     KL1PR04MB7210.apcprd04.prod.outlook.com (2603:1096:820:fe::7)
    with Microsoft
     SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
     15.20.8230.19; Tue, 10 Dec 2024 13:40:13 +0000
    Received: from SG2PEPF000B66CA.apcprd03.prod.outlook.com
     (2603:1096:3:17:cafe::8a) by SG2PR02CA0015.outlook.office365.com
     (2603:1096:3:17::27) with Microsoft SMTP Server (version=TLS1_3,
     cipher=TLS_AES_256_GCM_SHA384) id 15.20.8230.15 via Frontend
    Transport; Tue,
     10 Dec 2024 13:40:13 +0000
    Authentication-Results: spf=pass (sender IP is 173.0.84.234)
     smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
     header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
    Received-SPF: Pass (protection.outlook.com: domain of paypal.com
    designates
     173.0.84.234 as permitted sender) receiver=protection.outlook.com;
     client-ip=173.0.84.234; helo=mx10.slc.paypal.com; pr=C
    Received: from mx10.slc.paypal.com (173.0.84.234) by
     SG2PEPF000B66CA.mail.protection.outlook.com (10.167.240.22)
    with Microsoft
     SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
     15.20.8230.7 via Frontend Transport; Tue, 10 Dec 2024 13:40:12
    +0000
    DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
    c=relaxed/relaxed;
        q=dns/txt; i=@paypal.com; t=1733837110;
        h=From:From:Subject:Date:To:MIME-Version:Content-Type;
        bh=4Bo+xEAj0oIFcgcXBsH4ZnETeria/8Hb5NVyfSlIlRE=;
        b=J9gaiwmVtu2IwmWXt/DLX1M2PT1cqg2QgfzcQL0bjGpEjM+qf1bZKNquNonM0yUy
        A5kq/qTWa0nVF74UCu4H+fPmmPfCEZ8ay8c30nA8l8s4CTVgg1arwjUHxeO60ZZ7
        feTp3T41+M6qrsgFAGkGU6FGrmwucVCgtvhONS0vq3cNMwXvm7nMAuaSE45MPRsN
        22JVgGMW3zMAQZEMgz1euMlXcmlwFoI5rnXo28E6usdq/jpZR/jq2Cq9k5QJPEvF
        XE5QUY1yA4CwEy+awtojNwsm/B22e7sKozUkWpJPRaElrkKIGUuSadGkk07c+oCM
        ECqgrKIHXb8KaospjDRdag==;
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/html; charset="UTF-8"
    Date: Tue, 10 Dec 2024 05:25:10 -0800
    Message-ID: <FD.55.64208.63148576@ccg13mail10>
    MIME-Version: 1.0
    From: "serv...@paypal.com" <serv...@paypal.com>
    To: "noreplies2@highlandspark. store"
    <noreplies2@highlandspark.store>
    Subject: Invoice from JOHN WILLIAMS (0137)
    X-MaxCode-Template: RT000238
    X-PP-Priority: 0-none-true
    PP-Correlation-Id: f930175d3bf65
    X-PP-Email-transmission-Id: 2e2f0ff2-b6fa-11ef-bdeb-0580ea13bcaa
    X-PP-REQUESTED-TIME: 1733837106251
    X-Email-Type-Id: RT000238
    AMQ-Delivery-Message-Id: nullval
    X-XPT-XSL-Name: nullval
    Return-Path: serv...@paypal.com
    .....
    _______________________________________________
    mailop mailing list
    mailop@mailop.org
    https://list.mailop.org/listinfo/mailop


