
Fortinet warns of sophisticated phishing campaign exploiting Microsoft 365 domains
In a report published today, Fortinet Inc.'s FortiGuard Labs warns of a sophisticated phishing campaign that uses free Microsoft 365 test domains and mailing lists to slip past the email authentication checks that traditional email security relies on.
The campaign uses genuine PayPal Holdings Inc. payment requests to lure victims into handing over their credentials. Because the message really does originate from PayPal, it passes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) checks rather than being stopped by them, which makes the attack harder for individuals and organizations to detect and block.
The attack begins with the scammer registering a free Microsoft 365 test domain, which is valid for three months. On that domain the attacker creates a mailing list that includes the victim's email address along with others, then generates a PayPal payment request addressed to the list. Microsoft 365 relays PayPal's message to each list member, and its Sender Rewriting Scheme (SRS) rewrites the envelope sender on the forwarded copy so that the email still passes authentication and shows no visible signs of tampering or forgery.
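The point a defender should take from the flow above is that the mail looks clean to static checks (SPF, DKIM and DMARC all pass) and the tell is in the delivery path: an SRS-rewritten envelope sender on a relay domain that differs from the From: domain, and a recipient who is not named in To: or Cc: because the list address is. The following Python script is an added example, not code from Fortinet's report or from SiliconANGLE; it parses constructed sample headers (the tenant name, hash and timestamp fields are invented, and the SRS address layout follows the common SRS0=hash=timestamp=domain=local@relay convention, which is an assumption about how a given relay formats it) and flags a relayed payment request while leaving a directly delivered one alone.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample: a PayPal request as it might arrive after being relayed
# through a Microsoft 365 distribution list. All values are illustrative.
RELAYED_MESSAGE = """\
Return-Path: <bounces+SRS0=k9Zt=AB=paypal.com=service@trialtenant.onmicrosoft.com>
Authentication-Results: spf=pass smtp.mailfrom=trialtenant.onmicrosoft.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: "service@paypal.com" <service@paypal.com>
To: billing@trialtenant.onmicrosoft.com
Subject: You have a money request
Content-Type: text/plain

Please review and pay this request.
"""

# Constructed sample: the same kind of request sent directly to the recipient.
DIRECT_MESSAGE = """\
Return-Path: <service@paypal.com>
Authentication-Results: spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: "service@paypal.com" <service@paypal.com>
To: victim@example.com
Subject: You have a money request
Content-Type: text/plain

Please review and pay this request.
"""

# Assumed SRS layout: SRS0=<hash>=<timestamp>=<original domain>=<original local>@<relay>.
# Some relays use "SRS=" instead of "SRS0="; both are accepted here.
SRS_RE = re.compile(
    r"SRS0?=(?P<hash>[^=]+)=(?P<ts>[^=]+)=(?P<domain>[^=]+)=(?P<local>[^@>]+)@(?P<relay>[^>\s]+)"
)


def parse_srs(envelope_sender):
    """Return the original sender and relay domain if the envelope sender is SRS-rewritten."""
    m = SRS_RE.search(envelope_sender or "")
    if not m:
        return None
    return {
        "original_sender": f"{m['local']}@{m['domain']}".lower(),
        "relay_domain": m["relay"].lower(),
    }


def auth_results(value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value or "")
        results[method] = m.group(1).lower() if m else "none"
    return results


def analyze(raw_message, recipient):
    """Score one message for the 'authenticated but relayed through a list' pattern."""
    msg = email.message_from_string(raw_message)
    from_addrs = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    from_domain = from_addrs[0].rsplit("@", 1)[-1].lower() if from_addrs else ""
    visible = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    }
    srs = parse_srs(msg.get("Return-Path"))
    auth = auth_results(msg.get("Authentication-Results"))

    signals = {
        "auth_pass": auth["dmarc"] == "pass",
        "relayed_via_srs": srs is not None,
        # Forwarded by a domain other than the one shown in From:.
        "relay_differs_from_from": bool(srs) and srs["relay_domain"] != from_domain,
        # The mailbox that received the mail is not named in To:/Cc: (list delivery).
        "recipient_not_addressed": recipient.lower() not in visible,
        # Heuristic: *.onmicrosoft.com is the default domain of a Microsoft 365 tenant.
        "relay_is_m365_tenant": bool(srs) and srs["relay_domain"].endswith(".onmicrosoft.com"),
    }
    # DMARC passing is exactly why a static filter lets this through, so the verdict
    # rests on the delivery-path signals, not on authentication.
    suspicious = (
        signals["relayed_via_srs"]
        and signals["relay_differs_from_from"]
        and signals["recipient_not_addressed"]
    )
    return {"from_domain": from_domain, "srs": srs, "auth": auth,
            "signals": signals, "suspicious": suspicious}


if __name__ == "__main__":
    for label, sample in (("relayed", RELAYED_MESSAGE), ("direct", DIRECT_MESSAGE)):
        verdict = analyze(sample, "victim@example.com")
        print(label, "suspicious" if verdict["suspicious"] else "clean", verdict["signals"])
```

The relayed sample reports dmarc=pass and would sail through a gateway that stops at authentication; what gives it away is the SRS-rewritten Return-Path pointing at a tenant domain unrelated to paypal.com, combined with the target mailbox never appearing as an addressee. A real deployment would add the list-member and tenant-age context that a mail provider has and this script does not.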
The email received by potential victims closely resembles a valid PayPal payment request and contains genuine URLs and sender details. If recipients then click on the redirect link provided, they will be taken to a page that appears to be a legitimate PayPal login page. At this point, if victims are unaware of the scam and enter their PayPal details, the attacker gains access to their PayPal account as well as the ability to perform unauthorized transactions.
Phishing schemes are far from new, but what makes this particular scheme interesting is that it not only uses legitimate emails and domains, but also avoids the usual hallmarks of traditional phishing, such as suspicious URLs or poorly written emails. FortiGuard Labs researchers note that even PayPal’s official guidelines for detecting phishing attempts may not help users identify this complex scheme.
Stephen Kovsky, chief technology officer at SlashNext Email Security, told SiliconANGLE via email that it's not new to see attackers using mailing lists in unexpected ways, and the PayPal pivot is just another variation on this theme.
“Using neural networks to analyze social graph patterns and other advanced artificial intelligence techniques in more modern security tools helps uncover these hidden interactions by analyzing user behavior more deeply than static filters,” Kovsky said. “This proactive detection mechanism recognizes unusual group message patterns or requests that fail basic validation. Careful inspection of user experience metadata will reveal even this sneaky approach.”
Image: SiliconANGLE/DALL-E 3
2025-01-08 14:00:03