Warning: Attackers Are Using DKIM Replay Attacks to Bypass Security Filters
KnowBe4, Tuesday, February 17th, 2026
Cybercriminals are abusing legitimate invoices and dispute notifications from popular services to send scam emails that bypass security filters, according to researchers at Kaseya's INKY. The attackers have used this technique to impersonate PayPal, Apple, DocuSign, HelloSign, and others.
"These platforms often allow users to enter a 'seller name' or add a custom note when creating an invoice or notification," the researchers write. "Attackers abuse this functionality by inserting scam instructions and a phone number into those user-controlled fields. They then send the resulting invoice or dispute notice to an email address they control, ensuring the malicious content is embedded in a legitimate, vendor-generated message."
Since the emails themselves are sent from legitimate sources, they're more likely to land in users' inboxes. Humans are also more likely to fall for the scam if they see that the messages were sent from trusted vendors.
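For mail teams triaging this pattern, the following is an added example, not code from the article or from INKY. It flags a message that passes DKIM for the vendor, was delivered to a mailbox the signed To/Cc headers never name, and carries a phone number in its content. It assumes the receiving server stamps `Authentication-Results` and `Delivered-To` headers; the sample messages, domains and numbers are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed samples: every address, domain and phone number is made up.
REPLAYED = """\
Delivered-To: employee@corp.example
Authentication-Results: mx.corp.example; dkim=pass header.d=vendor.example
From: Vendor Billing <service@vendor.example>
To: collector@other-mailbox.example
Subject: Invoice from "Call +1 (555) 010-0199 to cancel"

Seller note: You were charged $499.99. To dispute, call +1 (555) 010-0199.
"""
DIRECT = """\
Delivered-To: employee@corp.example
Authentication-Results: mx.corp.example; dkim=pass header.d=vendor.example
From: Vendor Billing <service@vendor.example>
To: employee@corp.example
Subject: Your invoice

Thanks for your purchase. View the invoice in your account.
"""

DKIM_PASS = re.compile(r"\bdkim=pass\b[^;]*\bheader\.d=([\w.-]+)", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def addresses(msg, *headers):
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def replay_indicators(raw):
    """Return triage indicators for one raw message (heuristic, not a verdict)."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    signed = DKIM_PASS.search(auth)
    if not signed:
        return []  # no passing DKIM signature, so not the replay pattern
    found = ["dkim_pass:" + signed.group(1).lower()]
    # To/Cc are normally covered by the vendor's signature, so a replayed copy
    # still names the original mailbox rather than the one it was delivered to.
    # Mailing lists and Bcc also cause this, hence "indicator".
    delivered = addresses(msg, "Delivered-To")
    if delivered and not delivered & addresses(msg, "To", "Cc"):
        found.append("recipient_mismatch")
    # User-controlled invoice fields carrying a callback number.
    if PHONE.search(msg.get("Subject", "") + "\n" + msg.get_payload()):
        found.append("phone_number_in_content")
    return found
```

All three indicators together on a vendor notification are a reasonable trigger for quarantine or a user-facing banner; any one alone is common in legitimate mail.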