A sophisticated new phishing campaign is exploiting Microsoft 365's Sender Rewrite Scheme (SRS) feature to bypass email security measures and target PayPal users with convincing scam messages. Security researchers have identified this as one of the most advanced email-based attacks in recent months, leveraging legitimate Microsoft infrastructure to appear authentic.

How the SRS Exploit Works

Microsoft's Sender Rewrite Scheme is designed to handle email forwarding while preserving the original sender's address - a legitimate feature that's now being weaponized by attackers. Here's how the scam operates:

  • Attackers compromise legitimate Microsoft 365 accounts
  • They modify the email headers using SRS to make messages appear as PayPal security alerts
  • The rewritten sender address shows '@paypal.com' while actually originating elsewhere
  • Recipients see what appears to be a legitimate PayPal email in their inbox

The PayPal Phishing Angle

The campaign specifically targets PayPal users with messages claiming:

  • Unusual login attempts
  • Payment verification requests
  • Account suspension warnings

Each message contains links to convincing but fake PayPal login pages designed to harvest credentials. What makes this particularly dangerous is that traditional email security solutions often whitelist Microsoft 365 forwarded messages.

Why This Attack is Effective

Several factors make this phishing method particularly successful:

  1. Email Authentication Bypass: The messages pass SPF, DKIM, and DMARC checks
  2. Trusted Infrastructure: Emails originate from actual Microsoft servers
  3. Visual Authenticity: The sender address appears exactly as a genuine '@paypal.com' address
  4. Timing: Attacks often occur during business hours when users are distracted

Detection and Prevention Measures

Security experts recommend these protective steps:

For Organizations:

  • Implement additional SRS-specific email filtering rules
  • Deploy advanced threat protection that analyzes message content
  • Educate employees about the latest phishing techniques

For Individual Users:

  • Always check the full email headers (not just the displayed sender)
  • Never click links in unexpected security messages
  • Use the official PayPal app to check account status
  • Enable multi-factor authentication on all financial accounts
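The advice above to check the full headers rather than the displayed sender, and the earlier description of how an SRS-rewritten envelope can carry a '@paypal.com' From address, can be turned into a small triage check. The following Python script is an added example and is not code from the article, from Microsoft or from PayPal. It parses a raw message, decodes the original sender that SRS encodes into the Return-Path (both the classic SRS0 layout and the user+SRS=hash=timestamp=domain=local layout that Microsoft's documentation describes for Exchange Online forwarding, which is taken here as an assumption), and then recomputes relaxed DMARC-style alignment between the From domain and the SPF and DKIM domains instead of trusting a single pass/fail token. The two sample messages, the tenant name contoso.onmicrosoft.com and the domain sender.example are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Two rewrite layouts are recognised (the second follows Microsoft's published format,
# assumed here rather than taken from the article):
#   classic SRS0:   SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
#   Microsoft 365:  <user>+SRS=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
_SRS_RE = re.compile(
    r"(?:^|\+)SRS0?=[^=]+=[^=]+=(?P<domain>[^=@]+)=(?P<local>[^@]+)@",
    re.IGNORECASE,
)


def decode_srs(envelope_sender):
    """Return the pre-rewrite sender as 'local@domain', or None if not SRS-rewritten."""
    m = _SRS_RE.search(envelope_sender)
    if not m:
        return None
    return f"{m.group('local')}@{m.group('domain')}".lower()


def domain_of(addr):
    """Domain part of an address (display name and angle brackets stripped), lowercased."""
    _, bare = parseaddr(addr)
    return bare.rsplit("@", 1)[-1].lower() if "@" in bare else ""


def aligned(from_domain, other):
    """Relaxed DMARC-style alignment: equal, or one is a subdomain of the other."""
    return (
        from_domain == other
        or from_domain.endswith("." + other)
        or other.endswith("." + from_domain)
    )


def analyze(raw):
    """Parse a raw RFC 5322 message and return identity facts plus a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    original = decode_srs(return_path)
    # The sender that actually injected the message: decoded from SRS when present,
    # otherwise the plain envelope sender.
    envelope_domain = domain_of(original) if original else domain_of(return_path)
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    spf = re.search(r"smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)", auth)
    dkim = re.search(r"header\.d=([^;\s]+)", auth)
    spf_domain = spf.group(1).lower() if spf else ""
    dkim_domain = dkim.group(1).lower() if dkim else ""

    findings = []
    if original:
        findings.append("srs-rewritten-return-path")
    if from_domain and envelope_domain and not aligned(from_domain, envelope_domain):
        findings.append("from-envelope-mismatch")
    if spf_domain and not aligned(from_domain, spf_domain):
        findings.append("spf-not-aligned-with-from")
    if dkim_domain and not aligned(from_domain, dkim_domain):
        findings.append("dkim-not-aligned-with-from")
    return {
        "from_domain": from_domain,
        "original_sender": original,
        "envelope_domain": envelope_domain,
        "spf_domain": spf_domain,
        "dkim_domain": dkim_domain,
        "findings": findings,
    }


# Constructed sample: the brand in From does not match the sender SRS encoded.
SAMPLE_SUSPICIOUS = b"""Return-Path: <bounces+SRS=h4sh1=AB=sender.example=alerts@contoso.onmicrosoft.com>
Authentication-Results: spf=pass smtp.mailfrom=contoso.onmicrosoft.com; dkim=pass header.d=contoso.onmicrosoft.com
From: "PayPal" <service@paypal.com>
To: user@example.net
Subject: Unusual login attempt on your account

Please verify your account.
"""

# Constructed sample: a genuine paypal.com message auto-forwarded by a tenant mailbox.
SAMPLE_FORWARDED = b"""Return-Path: <bounces+SRS=h4sh2=AB=paypal.com=service@contoso.onmicrosoft.com>
Authentication-Results: spf=pass smtp.mailfrom=contoso.onmicrosoft.com; dkim=pass header.d=paypal.com
From: "PayPal" <service@paypal.com>
To: user@example.net
Subject: Your receipt

Thanks for your payment.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("forwarded", SAMPLE_FORWARDED)):
        print(name, analyze(raw)["findings"])
```

The design point is that an SRS-rewritten Return-Path is not by itself a signal, since every legitimately auto-forwarded message has one; the forwarded sample produces only the expected SPF non-alignment. What separates the suspicious sample is that the original sender recovered from the SRS token lives in a domain unrelated to the brand shown in From, and that neither SPF nor DKIM aligns with that From domain. Those are the fields a filtering rule or a manual header review should compare.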

Microsoft's Response

Microsoft has acknowledged the issue and is working on updates to their SRS implementation. A spokesperson stated: "We're aware of this misuse of email forwarding features and are developing additional safeguards while recommending customers enable our advanced security protections."

The Bigger Picture

This attack highlights the ongoing cat-and-mouse game between security professionals and cybercriminals. As email providers implement new protections, attackers find innovative ways to bypass them. The exploitation of SRS demonstrates how even well-intentioned email features can become vulnerabilities when manipulated by sophisticated threat actors.

Security analysts predict we'll see more attacks leveraging legitimate cloud service features in 2024, making user education and layered security more critical than ever.