Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
On 2022-11-18 at 11:38 -0800, Ken Simpson wrote:
> Hi Michael,
>
> I've seen the raw email; it did come from PayPal. PayPal needs to get
> better at recognizing brand images so that this kind of impersonation
> is more difficult on their platform. No doubt they are already
> working on that.
>
> Ken

I don't think this is really a computer vision problem. The brand is there in plain text: "Walmart".

The problem is the old "Who is allowed to use name X?" In this case, to issue invoices. Only "Walmart Inc.", the American corporation? Also their subsidiaries in other countries? What if I create a company named "Walmart" in Pretoria, Nicosia or Yakutsk? What about companies trading as Foo where they actually have a completely different legal name?

Maybe for internationally protected brands, it would be easier to block them. Once they filter that I suspect the next would be for « ꓪΑ1ΜΑꓣŦ », but one step at a time. Detecting homoglyphs does seem more tractable.

Regards

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
PayPal is best positioned to solve this problem because it can police the logo images its customers upload. That being said, this type of platform abuse, while not entirely new, seems to be increasing.

Please get in touch with me if you are interested in testing our computer vision API that recognizes brand impersonation by rendering messages in headless browsers and then running a computer vision model. The API is experimental, but we are keen to get feedback from others.

Regards,
Ken (MailChannels)

On Fri, Nov 18, 2022 at 2:53 PM Jarland Donnell via mailop <mailop@mailop.org> wrote:
> Basically, you go here:
> https://www.paypal.com/invoice/s/manage
>
> Click the gear symbol, Business Information, fill out what you want and
> add a logo. Then click Save, create an invoice for someone, and PayPal
> will send it to them. There's not much of anything that any of us can do
> to filter it without risking false positives, because we'll never have
> any consistent idea of what's real and fake when it all comes from such
> a high reputation sender using a feature that we don't necessarily want
> to block recipients from being able to use.
>
> On 2022-11-18 15:30, Michael Wise via mailop wrote:
> > This .. is what I wanted to see.
> >
> > Did it really go to you, or did it stop off somewhere else first?
> >
> > To: zachery Rose
> >
> > It does appear that it went direct, so my initial theory is off I
> > guess.
> >
> > Aloha,
> > Michael.
Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
On Sat 19/Nov/2022 12:46:01 +0100 Alessandro Vesely wrote:
> Something is strange in that header... There is no local A-R, based on
> that header, both signatures (DKIM and AMS) fail to verify irrespective
> of the body hash.

Oops, that's the redaction. ARC-Seal is good, which means Google really wrote dkim=pass; spf=pass; dmarc=pass.

Best
Ale
Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
On Fri 18/Nov/2022 20:38:11 +0100 Ken Simpson via mailop wrote:
> I've seen the raw email;

You mean not the header Zach posted?

> it did come from PayPal.

Something is strange in that header... There is no local A-R, based on that header, both signatures (DKIM and AMS) fail to verify irrespective of the body hash.

> PayPal needs to get better at recognizing brand images so that this
> kind of impersonation is more difficult on their platform. No doubt
> they are already working on that.

If the message was from Paypal, I guess if Zach had paid he'd have been eligible for reimbursement.

Best
Ale
Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
Looks like this is evolving. The first round was the scammers impersonating PayPal. Looks like they got a handle on that (after a few weeks) but failed to think like the bad guys and anticipate the next round. Hopefully the fix is something that can be tweaked to cover brands not PayPal rather than having to invent a new system to identify this kind of phish.

Laura

Sent from my iPhone

> On Nov 18, 2022, at 9:35 PM, Michael Wise via mailop wrote:
>
> This .. is what I wanted to see.
> Did it really go to you, or did it stop off somewhere else first?
>
> To: zachery Rose
>
> It does appear that it went direct, so my initial theory is off I guess.
>
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation | Spam Analysis
> "Your Spam Specimen Has Been Processed."
>
> From: mailop On Behalf Of Zach Rose via mailop
> Sent: Friday, November 18, 2022 11:38 AM
> Cc: mailop@mailop.org
> Subject: Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
>
> Yeah, that's my theory at the moment, very likely that the call is coming
> from inside the house, but they didn't find the person who made the call
> before it was made.
Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
Basically, you go here:
https://www.paypal.com/invoice/s/manage

Click the gear symbol, Business Information, fill out what you want and add a logo. Then click Save, create an invoice for someone, and PayPal will send it to them. There's not much of anything that any of us can do to filter it without risking false positives, because we'll never have any consistent idea of what's real and fake when it all comes from such a high reputation sender using a feature that we don't necessarily want to block recipients from being able to use.

On 2022-11-18 15:30, Michael Wise via mailop wrote:
> This .. is what I wanted to see.
>
> Did it really go to you, or did it stop off somewhere else first?
>
> To: zachery Rose
>
> It does appear that it went direct, so my initial theory is off I guess.
>
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation | Spam Analysis
> "Your Spam Specimen Has Been Processed."
>
> From: mailop On Behalf Of Zach Rose via mailop
> Sent: Friday, November 18, 2022 11:38 AM
> Cc: mailop@mailop.org
> Subject: Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
>
> Yeah, that's my theory at the moment, very likely that the call is coming
> from inside the house, but they didn't find the person who made the call
> before it was made.
Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
This .. is what I wanted to see.

Did it really go to you, or did it stop off somewhere else first?

To: zachery Rose

It does appear that it went direct, so my initial theory is off I guess.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation | Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866> ?

From: mailop On Behalf Of Zach Rose via mailop
Sent: Friday, November 18, 2022 11:38 AM
Cc: mailop@mailop.org
Subject: Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning

Yeah, that's my theory at the moment, very likely that the call is coming from inside the house, but they didn't find the person who made the call before it was made.
Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
Hi Michael,

I've seen the raw email; it did come from PayPal. PayPal needs to get better at recognizing brand images so that this kind of impersonation is more difficult on their platform. No doubt they are already working on that.

Ken

On Fri, Nov 18, 2022 at 11:32 AM Michael Wise via mailop wrote:
> Please share the headers; pictures are not forensic evidence.
> We've seen similar things, want to see if it's the same issue.
>
> Hint: it may have really come from PayPal.
>
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation | Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866> ?
>
> From: mailop On Behalf Of Zach Rose via mailop
> Sent: Friday, November 18, 2022 7:10 AM
> To: mailop@mailop.org
> Subject: [EXTERNAL] [mailop] Really good paypal phishing email this morning
>
> https://www.screencast.com/t/dNPpByTSjrq
>
> I rarely use paypal, if ever, and haven't shopped with Walmart in over a
> decade, but I can see how this would fool a lot of people. Passed
> DKIM/SPF/DMARC, and the code of the email itself referenced their own
> static file CDN, so this feels like a scam account internally rather than a
> spoofed email.

--
Ken Simpson
CEO, MailChannels <https://www.mailchannels.com/>
Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
Yeah, that's my theory at the moment, very likely that the call is coming from inside the house, but they didn't find the person who made the call before it was made.

Delivered-To: REDACTED
Received: by 2002:a05:640c:1b81:b0:190:7afb:ee7a with SMTP id r1csp516216eiw;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
X-Google-Smtp-Source: AA0mqf6dcoQaNhG4JYaaq7jvwEAJxfF8XCQ2Zy1qPt4mGssaSyPzrvU0HsohJxkBvLOIjhuKLb6N
X-Received: by 2002:a65:67d1:0:b0:476:87ad:9d78 with SMTP id b17-20020a6567d100b0047687ad9d78mr6785903pgs.169.1668781412334;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668781412; cv=none;
        d=google.com; s=arc-20160816;
        b=U4pbrfCYSxjulk8kCNLer1j7TfaCaowzf2yDYMqeQMVmG4g/JvAXzf0m4serzWoqTi
         OBEY9TrwfM2j3yQssfS8OMOnWmBP+pO7KYBmg67sBb57BdZlx/+txIylik9rNKuyXsEh
         O5+LN63Y1RqiSPLK44tgV3uHSeYS5n+qE0gJHgS1lojzvH/tEkxESiQHix+K7sWYnBUt
         EXjoD4UKa4x1WGOsOPsb64AYM/AMs2TImhoZCqg+tT2Otsn1/Hz34iMozy9tR0yBB15q
         +Eq4bNx9gjV8EpetyAjAQF7XHwWknzhig/MtiVy76GwNuCpUxd8yW+Bw3/fwTtBL6zl6
         QFYQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=amq-delivery-message-id:mime-version:from:to:subject
         :pp-correlation-id:message-id:date:content-transfer-encoding
         :dkim-signature;
        bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
        b=PbkHny3v4CR7wqQUcdh8f9PRFBMO+7dUlCVLzG9d8uDG0Uc+4jNqlkRB5chwPq1AUw
         QG3rN1n+lpU1t/MEz0fnZ2k1Rwzrr0j/2L0fHhhX0eJ8UheOHbcVNDSF1hjDfwPayN43
         ggWon6WA5mEYJ6jTPt5ODvSC0shj5SrQBq2C57tCG4WOjWGK63UhilfiZS/GgpoyzgvG
         UItaCRQKijOkG9k8bNub0rZ77LEdRoCK6RaEe6mhKmTv0doesmgdyhlb8+1e8V8Uvy7T
         tqhqfvqUyzVOgL5HmUZIjNl/XkNXA966EGTLfDqf1DWDsf0LRjpZpJiJViixPJ63UMKA
         /azQ==
ARC-Authentication-Results: i=1; mx.google.com;
        dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=i5V5Jd8P;
        spf=pass (google.com: domain of serv...@paypal.com designates 66.211.170.89 as permitted sender) smtp.mailfrom=serv...@paypal.com;
        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Return-Path:
Received: from mx1.phx.paypal.com (mx3.phx.paypal.com. [66.211.170.89])
        by mx.google.com with ESMTPS id c5-20020a655a8500b0044fb332e9c2si4180181pgt.560.2022.11.18.06.23.32
        for
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
Received-SPF: pass (google.com: domain of serv...@paypal.com designates 66.211.170.89 as permitted sender) client-ip=66.211.170.89;
Authentication-Results: mx.google.com;
        dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=i5V5Jd8P;
        spf=pass (google.com: domain of serv...@paypal.com designates 66.211.170.89 as permitted sender) smtp.mailfrom=serv...@paypal.com;
        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
        q=dns/txt; i=@paypal.com; t=1668781410;
        h=From:From:Subject:Date:To:MIME-Version:Content-Type;
        bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
        b=i5V5Jd8PU85hThj/qbYYNVtrAe9utMx13ls4RqO/wxfIUwhUDUQ0jzygOkTfY88K
         BE74YiE8NsQGHdn4tMuGpInCw+7bnGFPBmOrlk22QztSUjqPH80z6lDtI7NrPpF6
         RYaiNevk4cJU4eEXXyr6fIT1fdcDwFdL4WErZ0w0KLpgYwd7dnwgqDrgvDWNJQWd
         wzgmA+qZ+9UUrDCsv/h3JCmWBoJaFs3Eaph019ifvg2hLCvZ6Zo3iEqE8aLFQx3b
         PDgFKnpTxxI+E1HaIpZJGQwpSI2q7TYrSKvwEBwko9OFXkWe9zlngcE/Km17TlpB
         0ujZJGDU7e4EtiOBfTM96g==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Fri, 18 Nov 2022 06:23:30 -0800
Message-ID: <65.AC.09725.26597736@ccg01mail05>
X-PP-REQUESTED-TIME: 1668781403501
X-PP-Email-transmission-Id: 917850f8-674c-11ed-96b4-3cecef6afc2b
PP-Correlation-Id: f349957836b68
Subject: Invoice from Walmart (0067)
X-MaxCode-Template: RT000238
To: zachery Rose
From: "serv...@paypal.com"
X-Email-Type-Id: RT000238
MIME-Version: 1.0
X-PP-Priority: 0-none-true
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval

On Fri, Nov 18, 2022 at 1:44 PM Michael Wise wrote:
> Please share the headers; pictures are not forensic evidence.
> We've seen similar things, want to see if it's the same issue.
>
> Hint: it may have really come from PayPal.
>
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation | Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866> ?
>
> From: mailop On Behalf Of Zach Rose via mailop
> Sent: Friday, November 18, 2022 7:10 AM
> To: mailop@mailop.org
> Subject: [EXTERNAL] [mailop] Really good paypal phishing email this morning
>
> https://www.screencast.com/t/dNPpByTSjrq
Re: [mailop] [EXTERNAL] Really good paypal phishing email this morning
Please share the headers; pictures are not forensic evidence. We've seen similar things, want to see if it's the same issue.

Hint: it may have really come from PayPal.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation | Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail <http://go.microsoft.com/fwlink/?LinkID=614866> ?

From: mailop On Behalf Of Zach Rose via mailop
Sent: Friday, November 18, 2022 7:10 AM
To: mailop@mailop.org
Subject: [EXTERNAL] [mailop] Really good paypal phishing email this morning

https://www.screencast.com/t/dNPpByTSjrq

I rarely use paypal, if ever, and haven't shopped with Walmart in over a decade, but I can see how this would fool a lot of people. Passed DKIM/SPF/DMARC, and the code of the email itself referenced their own static file CDN, so this feels like a scam account internally rather than a spoofed email.
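The header reading that runs through this thread (Zach's "Passed DKIM/SPF/DMARC ... scam account internally", Alessandro's remark about reading Google's Authentication-Results rather than the ARC copy, and Ángel's point that the brand is plain text and that homoglyph variants are the next step) can be turned into a small triage script. The Python below is an added example written for this page; it is not code from the thread or from any of the operators posting in it. The Authentication-Results, Subject and From lines in the sample are excerpted from the header Zach posted (recipient redacted, body replaced); the WATCHLIST, the confusables subset, and the verdict labels are the example's own assumptions. It parses Authentication-Results per RFC 8601, checks that the DMARC-evaluated From domain strictly aligns with the DKIM signing domain and the SPF MAIL FROM domain, extracts the brand from an "Invoice from ..." subject, folds it through a confusable skeleton, and reports when an authenticated message from one domain advertises an invoice from a watched brand that sends from a different domain.

```python
import email
import re
import unicodedata
from email.utils import parseaddr

# Constructed sample. The Authentication-Results, Subject and From lines are
# excerpted from the header posted in this thread (recipient redacted); the
# body and the remaining headers of the original message are not reproduced.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paypal.com header.s=pp-dkim1 header.b=i5V5Jd8P;
       spf=pass (google.com: domain of serv...@paypal.com designates
       66.211.170.89 as permitted sender) smtp.mailfrom=serv...@paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Subject: Invoice from Walmart (0067)
To: REDACTED
From: "serv...@paypal.com"

(invoice body elided)
"""

# Assumed watchlist for this example: brand skeleton -> domain the brand
# itself sends from. A real deployment would load this from policy.
WATCHLIST = {"walmart": "walmart.com", "paypal": "paypal.com"}

# Small, labelled subset of Unicode confusables (UTR #39 lists thousands);
# enough to cover the look-alike string quoted in this thread.
CONFUSABLES = {
    "\u0391": "A",  # Greek capital alpha
    "\u039c": "M",  # Greek capital mu
    "\u0166": "T",  # Latin capital T with stroke
    "\ua4ea": "W",  # Lisu letter WA
    "\ua4e3": "R",  # Lisu letter RA
    "1": "l",       # digit one standing in for lowercase L
}


def skeleton(text):
    """Confusable 'skeleton': NFKC-normalise, map known look-alikes to ASCII,
    lowercase. Strings that look alike end up with the same skeleton."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


def parse_authentication_results(value):
    """Parse an Authentication-Results value (RFC 8601) into
    {"authserv_id": str, "results": {method: {"result": str, "props": {}}}}.
    Also accepts ARC-Authentication-Results, which prefixes 'i=N;'."""
    value = re.sub(r"\s+", " ", value)        # unfold continuation lines
    value = re.sub(r"\([^)]*\)", "", value)   # strip parenthesised comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if parts and re.fullmatch(r"i=\d+", parts[0]):
        parts = parts[1:]                      # drop the ARC instance tag
    if not parts:
        return {"authserv_id": "", "results": {}}
    results = {}
    for stanza in parts[1:]:
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results[method] = {"result": result, "props": props}
    return {"authserv_id": parts[0], "results": results}


def domain_of(addr):
    """Lowercased domain of 'user@dom', '@dom' or a bare 'dom'."""
    return addr.rsplit("@", 1)[-1].strip("<>").lower()


def triage(raw_message):
    """Triage signal, not a reject decision. Prefers the local
    Authentication-Results header and falls back to the ARC copy only when
    the local one is absent."""
    msg = email.message_from_string(raw_message)
    ar_raw = msg.get("Authentication-Results") or msg.get("ARC-Authentication-Results") or ""
    res = parse_authentication_results(ar_raw)["results"]

    def prop(method, key):
        return res.get(method, {}).get("props", {}).get(key, "")

    from_domain = domain_of(prop("dmarc", "header.from") or parseaddr(msg.get("From", ""))[1])
    dkim_domain = domain_of(prop("dkim", "header.i"))
    spf_domain = domain_of(prop("spf", "smtp.mailfrom"))
    dmarc = res.get("dmarc", {}).get("result")
    # Strict (exact) alignment only; DMARC's relaxed organisational-domain
    # alignment is not implemented in this example.
    aligned = bool(from_domain) and from_domain in (dkim_domain, spf_domain)

    m = re.match(r"\s*Invoice from\s+(.+?)\s*(?:\(\d+\))?\s*$", msg.get("Subject", "") or "")
    brand = m.group(1) if m else None
    brand_hit = None
    if brand:
        sk = skeleton(brand)
        for name, brand_domain in WATCHLIST.items():
            if sk == name and from_domain != brand_domain:
                brand_hit = name
    if dmarc != "pass":
        verdict = "unauthenticated"
    elif brand_hit:
        verdict = "platform-brand-impersonation"
    else:
        verdict = "authenticated"
    return {"dmarc": dmarc, "from_domain": from_domain, "dkim_domain": dkim_domain,
            "spf_domain": spf_domain, "aligned": aligned, "brand": brand,
            "brand_hit": brand_hit, "verdict": verdict}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_MESSAGE).items():
        print(f"{key:>12}: {val}")
```

On the sample the result is dmarc=pass with paypal.com aligned across From, DKIM and SPF, and a brand hit on "Walmart", so the verdict is "platform-brand-impersonation": the message is authentic PayPal mail, which is exactly why it cannot be rejected on authentication grounds, and the brand mismatch is the only thing left to score. For the false-positive reason Jarland gives, treat that verdict as input to a scoring pipeline or a human queue rather than a block, and expect the watchlist plus confusables table to need the same care as any other brand-protection list.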