PayPal Phishing Campaign Employs Genuine Links to Take Over Accounts


A new phishing campaign relies on legitimate links to trick victims into logging in and giving attackers control of their PayPal accounts, Fortinet warns.

The phishing emails inform the intended victim of a payment request, providing legitimate-looking details, such as an amount and transaction ID, and even contain warnings that one would typically find in an email from PayPal.

Furthermore, the messages come from a genuine PayPal address and contain a genuine URL, which allows them to pass security checks and makes them appear legitimate.

When the victim clicks on the link, they are taken to a legitimate PayPal login page that shows a request for payment, which could scare a panicked person into entering their credentials to learn more about the transaction, Fortinet says.

If the user attempts to log in, however, the page automatically links the victim’s PayPal account with the phisher’s email address. That address is actually displayed in the phishing email’s ‘To:’ field, and in the instance analyzed by Fortinet was ‘Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com’.

According to the security firm, a threat actor appears to have registered a Microsoft 365 domain, likely a test one, which is free for the first three months, and then created a Distribution List containing the email addresses of their intended victims.

“On the PayPal web portal, they simply request the money and add the distribution list as the address,” Fortinet explains.

Next, the request is distributed to the victims and the Microsoft 365 Sender Rewrite Scheme rewrites the sender, allowing the emails to pass the SPF/DKIM/DMARC checks.


Then, as soon as the victim clicks on the link and attempts to log in to their account, the attacker’s email address is linked to the victim’s PayPal account.

“The scammer can then take control of the victim’s PayPal account—a neat trick. It’s so neat, in fact, that it would sneak past even PayPal’s own phishing check instructions,” Fortinet explains.
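The relay chain described above leaves header-level traces that a mail gateway or mailbox rule can look for, even though SPF, DKIM and DMARC all pass: the genuine PayPal sender, a ‘To:’ field that names a distribution list on a third-party onmicrosoft.com tenant rather than the actual recipient, and an SRS-rewritten envelope sender on that tenant. The following Python script is an added example, not code from Fortinet or PayPal, that applies those three checks to constructed sample messages; the PayPal sender domains, the `service@paypal.com` address and the SRS Return-Path layout are assumptions, while the onmicrosoft.com address is the one reported in the analyzed sample.

```python
"""Heuristic detection of PayPal money requests relayed through a foreign
distribution list (added example; not Fortinet's or PayPal's code)."""
import re
from email import message_from_string
from email.utils import getaddresses

# Domains treated as genuine PayPal notification senders (assumption).
PAYPAL_DOMAINS = {"paypal.com", "mail.paypal.com"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' when absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _recipients(msg):
    """All To/Cc addresses, lower-cased."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [a.lower() for _, a in pairs if a]


def relayed_payment_request_indicators(raw, mailbox):
    """Return the reasons a message matches the relayed-request pattern.

    `mailbox` is the address the message was actually delivered to. An empty
    list means none of the three checks fired; only mail whose From: domain
    is a PayPal domain is examined at all.
    """
    msg = message_from_string(raw)
    reasons = []
    from_pairs = getaddresses(msg.get_all("From", []))
    from_domain = _domain(from_pairs[0][1]) if from_pairs else ""
    if from_domain not in PAYPAL_DOMAINS:
        return reasons

    # 1. The real recipient is not named: the mail arrived via a list.
    rcpts = _recipients(msg)
    if mailbox.lower() not in rcpts:
        reasons.append("mailbox not among To/Cc recipients (delivered via a list)")

    # 2. A recipient sits on a throwaway Microsoft 365 tenant.
    foreign = [r for r in rcpts if _domain(r).endswith(".onmicrosoft.com")]
    if foreign:
        reasons.append("recipient on an onmicrosoft.com tenant: " + ", ".join(foreign))

    # 3. The envelope sender was SRS-rewritten onto a domain other than From:.
    m = re.search(r"<([^>]+)>", msg.get("Return-Path", ""))
    rp_addr = m.group(1) if m else ""
    if rp_addr and "srs" in rp_addr.lower() and _domain(rp_addr) != from_domain:
        reasons.append("SRS-rewritten envelope sender on " + _domain(rp_addr))
    return reasons


# Constructed sample: a request relayed through the attacker's distribution
# list. The Return-Path layout imitates an SRS rewrite (assumed format).
SUSPECT_MESSAGE = "\n".join([
    "Return-Path: <tenant+SRS=abc12=XY=paypal.com=service"
    "@gkjyryfjy876.onmicrosoft.com>",
    "From: PayPal <service@paypal.com>",
    "To: Billingdepartments1@gkjyryfjy876.onmicrosoft.com",
    "Subject: You have a money request",
    "",
    "Amount: 250.00 USD  Transaction ID: constructed-sample",
    "",
])

# Constructed sample: a request addressed directly to the recipient.
LEGIT_MESSAGE = "\n".join([
    "Return-Path: <service@paypal.com>",
    "From: PayPal <service@paypal.com>",
    "To: alice@example.com",
    "Subject: You have a money request",
    "",
    "Amount: 12.00 USD  Transaction ID: constructed-sample",
    "",
])

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("legit", LEGIT_MESSAGE)):
        hits = relayed_payment_request_indicators(raw, "alice@example.com")
        print(label, "->", hits or "no indicators")
```

The first check is the strongest on its own: a money request from PayPal that does not name the mailbox it landed in has been relayed by someone else, whatever the authentication results say. The other two checks corroborate it and are useful for routing such mail to quarantine or for a SIEM rule over gateway logs.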

Because everything in the phishing emails seems perfectly valid and because the attack does not use traditional phishing methods, users can protect themselves only by being wary of unsolicited emails, regardless of whether they look genuine or not.

“This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves—and your organization—safe,” Fortinet notes.
