undefined | Better HN

0 points0x01y ago0 comments

I think I read somewhere that scammers set up an email distribution list / alias / forwarding from one something.onmicrosoft.com account to dozens of victims, and then they trigger a (real!) paypal email with that one something.onmicrosoft.com address as the recipient. So the email has a valid DKIM signature from paypal, then microsoft forwards that email to all the victims, which will still pass DKIM while amplifying the attack (and maybe boosted by microsoft's SPF reputation as well) to hit as many people as possible. Apparently the paypal emails are real but dangerous as they will allow the attacker to somehow take over the victim's account if they log in, as the "middleman" onmicrosoft.com alias then becomes associated with the account which was the original "to"-email from paypal. Something like that, at least.

0 comments

citrin_ru1y ago

Messages pass DMARC because they originate at paypal servers (and have valid DKIM) but O365 abused to spread these messages and MS doing little to stop abuse.

compass_copium1y ago

Is there a legitimate reason for them to forward paypal emails? Why not just not let that happen under any circumstances?

0x0OP1y ago

Most email providers support mail forwarding and distribution lists, but maybe they should have added some sort of opt-in confirmation when adding recipients outside the local domain...?

redundantly1y ago

I imagine it's because PayPal uses azure in some capacity.

singron1y ago

If you use PayPal for your business, you might want the emails to go to a list for redundancy.

j / k navigate · click thread line to collapse