Basically, you go here:
https://www.paypal.com/invoice/s/manage

Click the gear symbol, Business Information, fill out what you want and add a logo. Then click Save, create an invoice for someone, and PayPal will send it to them. There's not much of anything that any of us can do to filter it without risking false positives, because we'll never have any consistent idea of what's real and fake when it all comes from such a high reputation sender using a feature that we don't necessarily want to block recipients from being able to use.

On 2022-11-18 15:30, Michael Wise via mailop wrote:
This .. is what I wanted to see.

Did it really go to you, or did it stop off somewhere else first?

              To: zachery Rose <REDACTED>

It does appear that it went direct, so my initial theory is off I
guess.

Aloha,

Michael.

--

Michael J Wise
Microsoft Corporation| Spam Analysis

"Your Spam Specimen Has Been Processed."

Open a ticket for Hotmail [3] ?

From: mailop <[email protected]> On Behalf Of Zach Rose via
mailop
Sent: Friday, November 18, 2022 11:38 AM
Cc: [email protected]
Subject: Re: [mailop] [EXTERNAL] Really good paypal phishing email
this morning

Yeah, that's my theory at the moment, very likely that the call is
coming from inside the house, but they didn't find the person who made
the call before it was made.

Delivered-To: REDACTED
Received: by 2002:a05:640c:1b81:b0:190:7afb:ee7a with SMTP id
r1csp516216eiw;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf6dcoQaNhG4JYaaq7jvwEAJxfF8XCQ2Zy1qPt4mGssaSyPzrvU0HsohJxkBvLOIjhuKLb6N
X-Received: by 2002:a65:67d1:0:b0:476:87ad:9d78 with SMTP id
b17-20020a6567d1000000b0047687ad9d78mr6785903pgs.169.1668781412334;
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668781412; cv=none;
        d=google.com [4]; s=arc-20160816;

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com [4]; s=arc-20160816;
        h=amq-delivery-message-id:mime-version:from:to:subject
         :pp-correlation-id:message-id:date:content-transfer-encoding
         :dkim-signature;
        bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;

ARC-Authentication-Results: i=1; mx.google.com [5];
       dkim=pass [email protected] [6] header.s=pp-dkim1
header.b=i5V5Jd8P;
       spf=pass (google.com [4]: domain of [email protected]
designates 66.211.170.89 as permitted sender)
[email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
[6]
Return-Path: <[email protected]>
Received: from mx1.phx.paypal.com [7] (mx3.phx.paypal.com [8].
[66.211.170.89])
        by mx.google.com [5] with ESMTPS id
c5-20020a655a85000000b0044fb332e9c2si4180181pgt.560.2022.11.18.06.23.32
        for <REDACTED>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256
bits=128/128);
        Fri, 18 Nov 2022 06:23:32 -0800 (PST)
Received-SPF: pass (google.com [4]: domain of [email protected]
designates 66.211.170.89 as permitted sender) client-ip=66.211.170.89;
Authentication-Results: mx.google.com [9];
       dkim=pass [email protected] [10] header.s=pp-dkim1
header.b=i5V5Jd8P;
       spf=pass (google.com [11]: domain of [email protected]
designates 66.211.170.89 as permitted sender)
[email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
[10]
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com [10]; s=pp-dkim1;
c=relaxed/relaxed;
q=dns/txt; [email protected] [10]; t=1668781410;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=+ooJ/KHJ7NcHSktaVA2Efxv2wUuyyzgRC9OcH8lTKPI=;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Fri, 18 Nov 2022 06:23:30 -0800
Message-ID: <65.AC.09725.26597736@ccg01mail05>
X-PP-REQUESTED-TIME: 1668781403501
X-PP-Email-transmission-Id: 917850f8-674c-11ed-96b4-3cecef6afc2b
PP-Correlation-Id: f349957836b68
Subject: Invoice from Walmart (0067)
X-MaxCode-Template: RT000238
To: zachery Rose <REDACTED>
From: "[email protected]" <[email protected]>
X-Email-Type-Id: RT000238
MIME-Version: 1.0
X-PP-Priority: 0-none-true
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval

On Fri, Nov 18, 2022 at 1:44 PM Michael Wise
<[email protected]> wrote:

Please share the headers; pictures are not forensic evidence.

We've seen similar things, want to see if it's the same issue.

Hint: it may have really come from PayPal.

Aloha,

Michael.

--

Michael J Wise
Microsoft Corporation| Spam Analysis

"Your Spam Specimen Has Been Processed."

Open a ticket for Hotmail [1] ?

From: mailop <[email protected]> On Behalf Of Zach Rose via
mailop
Sent: Friday, November 18, 2022 7:10 AM
To: [email protected]
Subject: [EXTERNAL] [mailop] Really good paypal phishing email this
morning

https://www.screencast.com/t/dNPpByTSjrq [2]

I rarely use paypal, if ever, and haven't shopped with Walmart in
over a decade, but I can see how this would fool a lot of people.
Passed DKIM/SPF/DMARC, and the code of the email itself referenced
their own static file CDN, so this feels like a scam account
internally rather than a spoofed email.

--

All the best,

Zach Rose - StitchedIn

Links:
------
[1] http://go.microsoft.com/fwlink/?LinkID=614866
[2] https://www.screencast.com/t/dNPpByTSjrq
[3] http://go.microsoft.com/fwlink/?LinkID=614866
[4] http://google.com/
[5] http://mx.google.com/
[6] http://paypal.com/
[7] http://mx1.phx.paypal.com/
[8] http://mx3.phx.paypal.com/
[9] http://mx.google.com/
[10] http://paypal.com/
[11] http://google.com/
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
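
The point made at the top of this thread, that SPF, DKIM and DMARC only prove the platform sent the message and say nothing about the merchant name the account holder typed in, can be expressed as triage logic. This is an added example, not code from any poster: the sample headers are constructed and abridged from the quoted message (placeholder addresses, signatures omitted), and the `Invoice from` subject pattern, the verdict labels and the function name are assumptions.

```python
import email
import re

# Constructed sample, abridged from the headers quoted in the thread.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.d=paypal.com header.s=pp-dkim1;
       spf=pass smtp.mailfrom=bounce@paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Subject: Invoice from Walmart (0067)
X-Email-Type-Id: RT000238
From: "sender" <sender@paypal.com>
To: recipient@example.org

body
"""

def triage(raw, trusted_authserv="mx.google.com", platform_domain="paypal.com"):
    """Return (verdict, claimed_merchant) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    verdicts, from_dom = {}, None
    for hdr in msg.get_all("Authentication-Results", []):
        flat = re.sub(r"\s+", " ", hdr)  # unfold continuation lines
        # Only trust results stamped by our own receiver; anyone upstream
        # can insert an Authentication-Results header of their own.
        if flat.split(";")[0].strip().lower() != trusted_authserv:
            continue
        verdicts = {k: v.lower()
                    for k, v in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", flat)}
        m = re.search(r"header\.from=([\w.-]+)", flat)
        from_dom = m.group(1).lower() if m else None
    authenticated = from_dom == platform_domain and all(
        verdicts.get(k) == "pass" for k in ("dkim", "spf", "dmarc"))
    # The merchant name in the subject is free text chosen by the account
    # holder, so it is reported for review, never used as proof of identity.
    m = re.match(r"Invoice from (.+?)(?: \(\d+\))?$", msg.get("Subject", ""))
    claimed = m.group(1) if m else None
    if not authenticated:
        return "unauthenticated", claimed
    if claimed:
        return "platform-sent-user-content", claimed
    return "platform-sent", None

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `platform-sent-user-content` verdict is a routing hint for content review or user-facing labelling, not a block decision, since legitimate invoices produce the same result.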