Fortinet CISO Details 'Phish-Free' Phishing Scheme Using PayPal

Security Boulevard, Thursday, January 9th, 2025

A hacker is using Microsoft 365 test domains and distribution lists they create in a phishing campaign that breaks from traditional methods to bypass email security protections and entice victims to hand over their PayPal account information.

Calling the campaign 'phish-free PayPal phishing,' Fortinet CISO Carl Windsor wrote in a report this week that 'the beauty of this attack is that it doesn't use traditional phishing methods. The email, the URLs, and everything else are perfectly valid.'

Windsor became aware of the scam when he received an email that looked like a reminder from PayPal for a payment request, in his case for $2,185.96. Both the sender's address and the included URL looked legitimate. The problem comes when a victim clicks on the URL.
