Re: paypal fraud

[MX]

Isn’t this just a forwarded email from Office 365 using SRS? It would make sense that it pass DKIM in that case. If I understand the attack here they issue themselves an invoice from PayPal and set up an email forwarder, it’s an interesting scam. Someone correct me if you see it differently, I haven’t spent much time on it but I have seen a couple of these. Sent from my iPhone On Nov 6, 2024, at 8:02 PM, Alex <mysqlstud...@gmail.com> wrote:  Hi, I received a paypal scam invoice using paypal servers that passed DKIM and sent through paypal servers but has the return path of some other server after it went through paypal. Return-Path: <bounces+SRS=/OJZX=s...@cvoedukempen.be> Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates 66.211.170.93 as permitted sender) receiver=protection.outlook.com; client-ip=66.211.170.93; helo=mx9.phx.paypal.com; pr=C Received: from mx9.phx.paypal.com (66.211.170.93) by DU6PEPF0000A7E1.mail.protection.outlook.com (10.167.8.40) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8137.17 via Frontend Transport; Wed, 6 Nov 2024 16:03:32 +0000 DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; i=@paypal.com; t=1730909010; h=From:From:Subject:Date:To:MIME-Version:Content-Type; From: "serv...@paypal.com" <serv...@paypal.com> To: billingdepartmen...@cvoedukempen.onmicrosoft.com Subject: Reminder: You've still got a money request It's intended for the victim to call the toll-free number to fake paypal immediately or they will be charged. Note from Berkshire Hathaway: Don't recognize the seller? Please contact PayPal Support Team immediately at .... If you have any issues, you can also contact +... (Toll Free). If you do not reach out, we will proceed with the transaction.   I tried the trick of first adding *@paypal.com to the welcomelist then blocking all of paypal.com, but it didn't work. Both were blocked. welcomelist_auth *@paypal.com blocklist_from *@paypal.com None of the KAM paypal rules are effective here, either. I can add the phone number and perhaps some body rules and the envelope sender, but is there a more durable way to block these?