Dave Funk wrote:
The examples of this scam that I've seen use that same PayPal comment
tactic but then route it to an Office-365 mailbox which has a redirect
to the victim's address.
So the resultant message has both PayPal & O-365 valid DKIM signatures;
not to mention the multiple KB of O-365 header cruft which makes it hard
to trace the original source.

Just to throw some extra, um, "joy" into this conversation...
I've just seen a sample, received directly by our spam filter tuning
role account, that first travelled through a Google account (probably
GMail, if I've unwound the headers right), which forwarded to the
compromised/scammer-owned M365 tenant, which forwarded to us (and who
knows who all else).
I'll report it to PayPal, Google, and MS, but watch as nothing happens...
GNGGNGNGNGNNNNNNNNNGGH.....
-kgd
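
For filter tuning, the forwarding chain described in this thread can be unwound from the headers. The following is an added example, not part of the original posts: it lists every DKIM signing domain and Received hop and applies one heuristic (brand signature plus a second signer plus a To: header that does not name the delivered mailbox). The sample headers, host names and the `triage` function are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed headers, not a real message: brand-signed mail relayed through
# a Google-hosted mailbox and then an M365 tenant (all hosts are placeholders).
SAMPLE = """\
Received: from relay.m365-tenant.example (relay.m365-tenant.example [203.0.113.10])
\tby mx.recipient.example with ESMTPS; Mon, 1 Jan 2024 10:00:03 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=m365-tenant.example; s=selector1; bh=AAAA=; b=BBBB=
Received: from mail.google-relay.example (mail.google-relay.example [203.0.113.20])
\tby mx.m365-tenant.example with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mx.paypal.example (mx.paypal.example [203.0.113.30])
\tby mx.google-relay.example with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=sel1; bh=CCCC=; b=DDDD=
From: service@paypal.com
To: mailbox@m365-tenant.example

body
"""

def dkim_domains(msg):
    """d= domain of each DKIM-Signature header, newest (topmost) first."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
        domains.append(tags.get("d", "").strip().lower())
    return domains

def relay_hosts(msg):
    """Claimed 'from' host of each Received header, oldest hop first.
    Hops added before your own MX are sender-supplied and can be forged."""
    found = (re.match(r"\s*from\s+(\S+)", v) for v in reversed(msg.get_all("Received", [])))
    return [m.group(1).lower() for m in found if m]

def triage(raw, rcpt, brand="paypal.com"):
    """Heuristic: brand-signed mail, re-signed by another domain, whose To:
    header does not name the mailbox it was actually delivered to."""
    msg = message_from_string(raw)
    signers = dkim_domains(msg)
    addressed = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    resigned = any(d != brand for d in signers)
    return {
        "signers": signers,
        "hops": relay_hosts(msg),
        "suspicious": brand in signers and resigned and rcpt.lower() not in addressed,
    }
```

Legitimate mailing lists and personal forwards also re-sign mail, so the flag is a scoring input for review rather than a verdict.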