top of page

Hybrid phishing: attacks from trusted domains

There are a few common indications of phishing emails — spelling and grammar errors, unusual subject lines, or a sender’s address with an unusual or incorrect domain — these are signs many users are aware of and prepared for.

As hackers continue to evolve and find new tactics to trick users into taking an action, some are finding a way around illegitimate sender addresses by sending phishing emails through websites with trusted domains. This allows the email to be sent from the trusted domain’s server and bypass authentication protocols while still including custom, malicious, content.

YouTube recently cautioned users about messages from after they found attackers using a legitimate video-sharing feature to send emails to users with a link to a Google Drive folder containing malware.

As I recently found out, some attackers are using PayPal too.

When I first got the email invoice (below) from PayPal saying I had an outstanding invoice for $516.99 sent from Coinbase, my first thought was that my PayPal account had been hacked.

After checking my accounts, changing my passwords and finding no relevant activity, I revisited the email. The message looked legitimate. I’d received emails from before and the email address and domain were the same as other PayPal emails I’d received.

Since I work in cybersecurity, I tried the other tricks I knew to detect a phishing attack, like hovering my cursor over the links to see if they started with “https,” and checking if the link previews looked like they’d go to legitimate-looking PayPal pages. Everything checked out.

Lucky for me, there were a few clear giveaways that it was a phishing attack. The text of the invoice was strange and the greeting was impersonal. Throughout the message there were inconsistencies, and some words were spelled incorrectly — weird for PayPal. Plus there was a phone number in the body of the message that didn’t match any phone number I could find for PayPal.

At this point, I knew it was a phishing message. I’d even searched for similar attacks and found several people who had received fake invoices like the one I received.

On Reddit, a user admitted to being fooled by the scam and calling the number in the seller's note. The person who answered the call told them they worked for “PayPal security” and that their account had been hacked and was “being used around the world”. They encouraged the user to download a remote desktop app and give them the access code so they could “help” solve the problem. The user ended the call, recognizing the scam.

PayPal’s Security Center answered a few other “is it a phish” questions I had, clarifying things like “emails from PayPal will always include the users’ first and last name” (not “dear recipient”), and that they urge users to avoid responding to any messages that encourages users to act urgently because of an account issue.

The PayPal Security page also asked users who received these attacks to forward the messages to for their records, so I forwarded the fake invoice to their team.

Now that this was a confirmed phishing attack, I wanted to find out how the attacker did it. Did they somehow access PayPal’s accounts and get access to Or maybe they found a way to use the site nefariously. Either way, I needed help figuring out the path the attacker took, so I shared the message with HacWare CTO Eric Hamer.

He had me check the “original email” details to see if the email had passed DKIM, SPF and DMARC authentication protocols - it did. Then we looked up the IP address of the sender to find it had come from a PayPal server in Utah. All signs still pointed to the message being sent from PayPal.

We decided to share the message with HacWare's CEO and former ethical hacker, Tiffany Ricks. She dug into the original email file, looking at the elements of the header. But again, everything there was legitimate.

Tiffany suggested we check if the attacker was actually using PayPal to send the message. I logged into my account and quickly discovered how easy it was to send an invoice to any email address anywhere. I could change the recipient's name to anything I wanted and add a custom text note to the body of the invoice.

This attacker didn’t know (or didn’t use) my name or any other personal details to help legitimize the message. But if they had, I would have been much more concerned about a potential breach. And if they’d fixed the spelling and grammar errors, it would have been even easier to convince me that it was a real invoice sent in error. I might have even called the “support” phone number in the message.

Attackers send these attacks because they can benefit from them in multiple ways. If the recipient decides the invoice looks real and pays it, the attacker gets the money. If the recipient decides the invoice is fake, the attacker hopes they’ll call the given phone number so they can validate the request and get the user to pay the invoice, share more personal info or give them remote access to their computer like the Reddit user from above was asked for.

So how do you protect yourself, your clients and their end users against these types of attacks?

Training and awareness are key to users recognizing and reporting these types of attacks. Here are a few questions you can ask if you’re unsure about a legitimate-appearing email:

  • Can you take the action externally? This attacker is attempting to circumvent any information verification by providing their own phone number inside the message. Always check the real website for a support phone number instead of calling a number given in an email.

  • Is the information verified on multiple sources? To verify this invoice, the recipient could check with PayPal and the invoice sender (in this case, Coinbase).

  • Was this interaction expected? In this example, if the recipient often makes these types of transactions the invoice could seem more legitimate, but there’s still reason to hesitate and consider if they remember making this purchase before taking quick action. If this is out of the ordinary, pausing to consider the other signs on this list is absolutely necessary.

Keeping your end users aware of the ever-evolving threat landscape can help them recognize and report these attacks in their own inboxes. Continuous education to train users on the common signs of phishing and how to be cautious with every email they receive — by pausing and verifying before taking action — can help protect your and your clients’ data.


Learn more about HacWare: MSP partners can decrease the likelihood that their end users will click on a phishing email by 60%. Let us educate your end users with automated, AI-driven phishing simulations and under three-minute micro-trainings to keep user attention and improve learning outcomes.

Learn more about our partner program and how we can support your MSP's growth!

bottom of page