by rwmj 476 days ago
As another data point: MSFT have some sort of open mail server/service called onmicrosoft.com which (in my experience anyway) is only being used to send out fraudulent paypal messages. Because it lets the spammer set the From to service@paypal.com and also contains valid DKIM etc, it sails past spam filtering. There are so many complaints about this on (real) paypal.com forums, but Microsoft are apparently unable to do anything about it.
7 comments

I think I read somewhere that scammers set up an email distribution list / alias / forwarding from one something.onmicrosoft.com account to dozens of victims, and then they trigger a (real!) paypal email with that one something.onmicrosoft.com address as the recipient. So the email has a valid DKIM signature from paypal, then microsoft forwards that email to all the victims, which will still pass DKIM while amplifying the attack (and maybe boosted by microsoft's SPF reputation as well) to hit as many people as possible. Apparently the paypal emails are real but dangerous as they will allow the attacker to somehow take over the victim's account if they log in, as the "middleman" onmicrosoft.com alias then becomes associated with the account which was the original "to"-email from paypal. Something like that, at least.
Messages pass DMARC because they originate at PayPal servers (and have valid DKIM), but O365 is abused to spread these messages and MS is doing little to stop the abuse.
Is there a legitimate reason for them to forward paypal emails? Why not just not let that happen under any circumstances?
Most email providers support mail forwarding and distribution lists, but maybe they should have added some sort of opt-in confirmation when adding recipients outside the local domain...?
I imagine it's because PayPal uses azure in some capacity.
If you use PayPal for your business, you might want the emails to go to a list for redundancy.
onmicrosoft is "on microsoft" and is used behind the 365 company workspace. I have an onmicrosoft email for a 365 developer account, and anyone who connects to our company via Teams seems to get a "{original_email}@{company}.onmicrosoft.com" ID set up, so I assume they're probably using it for things behind the scenes which also needs to void DKIM or something.

Feels like just adding a direct "don't send as paypal, apple etc" rules would probably work though.

I use a (redacted).onmicrosoft.com tenant which is free of cost to me as a sandbox to learn about Office 365 admin stuff. I don't work on it every day but it is nice to have this sandbox. I don't send spam or phishing emails. I don't send emails from this tenant at all to others, only to my own email addresses or to people I know for testing purposes.
Presumably you don't send out emails appearing to come from service@paypal.com saying things like "Reminder: You've still got a money request", with an HTML body that looks exactly like Paypal but contains a fraudulent link and phone number, so you should be fine.
Or, worse, I find that most of these are real links from real paypal.

https://www.fortinet.com/blog/threat-research/phish-free-pay...

No, I didn't. I did get those emails a lot on my university dot edu email. I understand there are legacy/compatibility challenges with the telephone infrastructure but you'd think this problem is entirely solvable with emails. :/
It is easily solvable. But it has to be implemented on the receiving side. Ask your university to put something in place!
This isn't really related to the parent comment, but I can't help myself from asking. I've been getting emails that look like they're from my own email address. They usually threaten to share my browser history unless I pay money. Has anyone else seen these kinds of scam emails? How can I stop them? I use two-factor authentication, so my account should be safe, but these emails still worry me. Any tips would be great!
If you are in control of the domain of your email address, enable SPF and DKIM for that domain, together with strict policies that mail servers should reject spoofed mails claiming to come from that domain. If your own mail server supports validating SPF and DKIM, you would no longer receive such forged mails, nor anyone else behind a mail server supporting SPF and DKIM.

If you aren't in control... just ignore it like any other spam mail.

The thing that enforces the existence of either SPF or DKIM is called DMARC, setting that to "reject" or "quarantine" is the most critical step for preventing forgeries like that.
E-mail allows setting the From header to whatever you want. These mails won't have valid DKIM or SPF data because they're not sent through your mail server. There's nothing to worry about, it's just spam, your account isn't compromised (unless of course it is, and they're sending it through yours, but they likely wouldn't try to scam you like that then). Just one of the quirks of e-mail we have to live with.
Huh, interesting, I just saw something like that in my spam filter for my own domain. It looked like some kind of an email forward from onmicrosoft.com, with the original email spoofed from my own domain with an email that doesn’t even exist on my domain.
Do not click the links or allow images to load, and you will remain safe. View the full raw email and look at the headers. Search who is registered for the domain in question. Contact their hosting provider.
Fortunately, it's still pretty easy to filter these out. No idea why PayPal is ignoring this issue (I forward them to phishing@paypal.com hoping something will happen).
Honestly I can't believe how much spam at Google gets through Gmail but they blocked my small startup's emails from being delivered.

Funny enough if I stayed at Google another year I would have been lucky enough to fix it myself and make an actually decent spam blocker.

How would Microsoft forge a DKIM signature? It sounds more likely that it's just a shitty email from Paypal.
Yes, they're originated by PayPal, but collected by a different original recipient and from there sent on to the victim. The envelope-recipient is not part of the material signed by DKIM, so the signature remains valid.

The To: header _is_ part of the signed material so will list the original recipient not the victim — but the attacker sets the recipient name/address to something misleading like “Order Received” to obscure this, and sets the store name to some long text that will be misleading when templated into the PayPal invoice request mail text.

PayPal have long had a problem with failing to make untrusted supplied text clear in their communications, but this is an unusually convincing attack.

I don't know why they always use (compromised?) onmicrosoft subdomains in particular. In the samples I've seen they're getting an SPF softfail so it doesn't seem MS's relays are passing SPF for paypal (sendgrid's might...)

It seems like it's time to revise DMARC so that it requires (or at least can be configured to require) both SPF and DKIM to pass.
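The mechanism the comment above describes, as an added example that is not code from the thread, from PayPal or from Microsoft: a DKIM signature covers the headers listed in h= (here From, To, Subject) and a hash of the body, and nothing else, so a forwarder that prepends trace headers and re-sends the message to a new envelope recipient leaves it verifiable, while rewriting the signed To: header breaks it. Real DKIM (RFC 6376) signs with an RSA or Ed25519 key published in DNS; HMAC-SHA256 with a shared secret stands in for it here so the block runs offline (an assumption, as are the selector, key, addresses and hostnames).

```python
"""Toy DKIM signer/verifier. HMAC stands in for the RSA signature (assumption);
the canonicalization and the choice of what is covered follow RFC 6376."""
import base64
import hashlib
import hmac
import re

SIGNING_KEY = b"pp-dkim1-secret"            # assumption: stand-in for the private key
SIGNED_HEADERS = ("From", "To", "Subject")  # the h= list


def parse(raw):
    """Split an RFC 5322 message into [(name, value), ...] and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in " \t" and headers:        # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value.lstrip()))
    return headers, body


def _last(headers, name):
    """DKIM selects header instances from the bottom of the message up."""
    for n, v in reversed(headers):
        if n.lower() == name.lower():
            return v
    return None


def _relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse whitespace, strip."""
    value = re.sub(r"\s+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"


def _relaxed_body(body):
    """RFC 6376 3.4.4: collapse WSP, strip trailing WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" \t") for l in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"


def _hash_input(headers, sig_value_without_b):
    parts = []
    for name in SIGNED_HEADERS:
        value = _last(headers, name)
        if value is not None:                     # absent headers are skipped
            parts.append(_relaxed_header(name, value))
    # The DKIM-Signature header itself is covered last, with b= emptied.
    parts.append(_relaxed_header("DKIM-Signature", sig_value_without_b).rstrip("\r\n"))
    return "".join(parts).encode()


def sign(raw, domain="paypal.com", selector="pp-dkim1", key=SIGNING_KEY):
    headers, body = parse(raw)
    bh = base64.b64encode(hashlib.sha256(_relaxed_body(body).encode()).digest()).decode()
    fields = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
              f"h={':'.join(SIGNED_HEADERS)}; bh={bh}; b=")
    b = base64.b64encode(hmac.new(key, _hash_input(headers, fields), hashlib.sha256).digest()).decode()
    return f"DKIM-Signature: {fields}{b}\r\n" + raw


def verify(raw, key=SIGNING_KEY):
    headers, body = parse(raw)
    sig = _last(headers, "DKIM-Signature")
    if sig is None:
        return False
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    bh = base64.b64encode(hashlib.sha256(_relaxed_body(body).encode()).digest()).decode()
    if tags.get("bh") != bh:
        return False
    sig_without_b = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig)
    expected = hmac.new(key, _hash_input(headers, sig_without_b), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(tags.get("b", "")))


def demo():
    """(original verifies, relayed copy verifies, copy with To: rewritten verifies)."""
    # Constructed lure in the shape the thread describes; addresses are made up.
    original = ("From: PayPal <service@paypal.com>\r\n"
                "To: \"Order Received\" <list@tenant.onmicrosoft.com>\r\n"
                "Subject: You've still got a money request\r\n\r\n"
                "Store note: call +1-555-0100 to cancel this charge  \r\n\r\n")
    signed = sign(original)
    # A forwarder prepends trace headers and hands the message to a new RCPT TO;
    # neither is part of the signed material (hostnames are assumptions).
    relayed = ("Received: from outbound.tenant.onmicrosoft.com\r\n"
               "\tby mx.victim.example; Mon, 1 Jan 2024 00:00:00 +0000\r\n") + signed
    rewritten_to = relayed.replace("list@tenant.onmicrosoft.com", "victim@victim.example")
    return verify(signed), verify(relayed), verify(rewritten_to)
```

Running `demo()` gives `(True, True, False)`: the relayed copy still carries paypal.com's valid signature because the envelope recipient and the added Received: line are outside the signed material, which is exactly why the original To: (the attacker-controlled list address with its misleading display name) is what the victim sees.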
I saw one of these emails too. It was sent by an onmicrosoft.com server, linked to a phishing site, but passed SPF/DKIM/DMARC for Paypal.

Microsoft obviously isn't "forging" it. It's valid: https://labs.guard.io/echospoofing-a-massive-phishing-campai...
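An added DMARC evaluator, not code from the thread or from any vendor, run over constructed Authentication-Results values. It reproduces the situation described in this and the previous comment (the relaying tenant's SPF softfails, but the aligned DKIM pass from paypal.com survives forwarding, so DMARC passes) and includes a hypothetical `require_both` switch for the "require SPF and DKIM" revision proposed above, which is not part of RFC 7489. The organizational-domain helper is a two-label approximation of the Public Suffix List (assumption); the header values and hostnames are made up.

```python
"""DMARC (RFC 7489) verdict from an Authentication-Results header value.
DMARC passes when EITHER SPF or DKIM passes AND that identifier aligns with
the RFC5322.From domain; require_both is a hypothetical stricter mode."""
import re


def parse_auth_results(value):
    """Parse an Authentication-Results value into {method: (result, {prop: val})}."""
    fields = [f.strip() for f in value.split(";")]
    results = {}
    for field in fields[1:]:                  # fields[0] is the authserv-id
        m = re.match(r"(\w+)=(\w+)(.*)", field)
        if not m:
            continue
        method, result, rest = m.groups()
        results[method] = (result, dict(re.findall(r"([\w.]+)=(\S+)", rest)))
    return results


def org_domain(domain):
    """Organizational domain. Assumption: two-label approximation; a real
    implementation consults the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier_domain, from_domain, mode="r"):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    a, b = identifier_domain.lower(), from_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def _domain_of(addr_or_domain):
    return addr_or_domain.rsplit("@", 1)[-1].lower()


def evaluate_dmarc(from_header, auth_results, adkim="r", aspf="r", require_both=False):
    """Return aligned-pass flags per mechanism and the overall DMARC verdict."""
    m = re.search(r"@([\w.-]+)", from_header)
    rfc5322_from = m.group(1).lower() if m else ""
    ar = parse_auth_results(auth_results)
    spf_res, spf_props = ar.get("spf", ("none", {}))
    dkim_res, dkim_props = ar.get("dkim", ("none", {}))
    spf_ok = spf_res == "pass" and aligned(
        _domain_of(spf_props.get("smtp.mailfrom", "")), rfc5322_from, aspf)
    dkim_ok = dkim_res == "pass" and aligned(
        dkim_props.get("header.d", ""), rfc5322_from, adkim)
    passed = (spf_ok and dkim_ok) if require_both else (spf_ok or dkim_ok)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": "pass" if passed else "fail"}


# Constructed samples (not real headers); hostnames and addresses are assumptions.
FROM_HDR = "PayPal <service@paypal.com>"
RELAYED = ("mx.victim.example; spf=softfail smtp.mailfrom=bounce@tenant.onmicrosoft.com; "
           "dkim=pass header.d=paypal.com header.s=pp-dkim1")
FORGED = "mx.victim.example; spf=fail smtp.mailfrom=x@spammer.example; dkim=none"
DIRECT = "mx.victim.example; spf=pass smtp.mailfrom=bounce@paypal.com; dkim=pass header.d=paypal.com"

if __name__ == "__main__":
    for name, ar in (("relayed", RELAYED), ("forged", FORGED), ("direct", DIRECT)):
        print(name, evaluate_dmarc(FROM_HDR, ar), "| require both:",
              evaluate_dmarc(FROM_HDR, ar, require_both=True)["dmarc"])
```

Under RFC 7489 the relayed sample passes on DKIM alone; with `require_both=True` it fails, while mail sent directly from PayPal's own infrastructure still passes, which is the trade-off the proposal above implies: any legitimate forwarding path that cannot carry the sender's SPF would fail too.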

Here's a CCC talk[1] which shows how you can send mails from other servers by "SMTP Smuggling".

1: https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-...