Scammers Are Using PayPal’s Address Feature for Phishing Attacks

Penka Hristovska, Senior Editor
Published on: February 26, 2025

A new phishing scam is exploiting PayPal’s address change function to bypass server-side spam filters. The scam emails claim a new address has been added to the victim’s account and that a purchase of a MacBook M4 laptop has been completed.

“You added a new address. This is just a quick confirmation that you added an address in your PayPal account,” the email reads. “Confirmation: Your shipping address for the MacBook M4 Max 1 TB ($1098.95) has been changed. If you did not authorize this update, please reach out to PayPal at +1-888-668-2508.”

When the victim calls, an automated recording pretends to be PayPal customer service, telling them to wait for a support representative. Once connected, the scammer will further scare the victim by claiming their account was compromised and then convince them to download software to “fix” the issue.

The scammer directs victims to visit a site like pplassist[.]com, where they are asked to enter a service code provided by the fake PayPal agent. This action will download malicious software, such as ConnectWise ScreenConnect, from sites like lokermy.numaduliton[.]icu. The scammer then encourages the victim to run the software, which allows them to take control of the victim’s computer.

The sender address “service@paypal.com” in these scam emails looks authentic, which makes the phishing attempt more convincing. Since the email appears to come from PayPal, it gets past security measures such as DKIM (DomainKeys Identified Mail) checks and spam filters that are designed to catch suspicious or fraudulent emails.

The phishing emails also mention “gift addresses,” a strategy used by the fraudsters who set up their own PayPal account with this type of address. By using the “Address 2” field in the email to include this “gift address,” the scammer can make the email appear more like an authentic PayPal message.

The fraudsters used another tactic to spread the phishing emails without being detected by security systems. The email headers showed that the messages were automatically forwarded to an email address linked to a Microsoft 365 account. This address is likely part of a mailing list that contains the email addresses of the intended targets for the phishing scam.

Since the emails were automatically forwarded through a recognized Microsoft 365 address, they bypassed common security filters that looked for suspicious patterns or known malicious sources. Security systems often trust emails sent from well-established platforms, so the use of this mailing list made phishing emails harder to detect.
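Because sender authentication does not help here, triage has to look at the two traits described above: free text stuffed into an address field, and a To header that is not the mailbox that received the message. The check below is an added example, not code from PayPal or from the article's source; the `triage` function, the finding labels, the header values and the `example.net` / `forwarder.example` addresses are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture). Header values and the
# example.net / forwarder.example addresses are placeholders; the body
# text is the lure quoted in the article.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com
From: "service@paypal.com" <service@paypal.com>
To: list@forwarder.example
Subject: You added a new address

You added a new address. This is just a quick confirmation that you added an address in your PayPal account.
Address 1: 1 Constructed Street
Address 2: Confirmation: Your shipping address for the MacBook M4 Max 1 TB ($1098.95) has been changed. If you did not authorize this update, please reach out to PayPal at +1-888-668-2508
"""

PHONE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")  # phone-number-shaped run
LURE = re.compile(r"did not authorize|reach out to|call us", re.I)

def triage(raw, mailbox):
    """Return findings for a DKIM-passing PayPal notice delivered to `mailbox`."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    # Only DKIM-passing PayPal mail is in scope; spoofed mail is a different problem.
    if not (sender.endswith("@paypal.com") and "dkim=pass" in auth):
        return []
    findings = []
    # Trait 1: addressed to someone else, so it reached this mailbox via forwarding.
    if parseaddr(msg.get("To", ""))[1].lower() != mailbox.lower():
        findings.append("to-header-mismatch")
    # Trait 2: an address field carrying a phone number or call-to-action text.
    fields = [l for l in msg.get_payload().splitlines() if l.lower().startswith("address")]
    if any(PHONE.search(l) or LURE.search(l) for l in fields):
        findings.append("instructions-in-address-field")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE, "victim@example.net"))
```

Either finding on its own is weak evidence; both together on a DKIM-passing PayPal notice match the pattern this article describes.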
