PayPal Invoice Phishing: Attackers Bypass DKIM and ARC Validation to Deploy Callback Scams at Scale
A sophisticated callback phishing campaign is exploiting legitimate PayPal invoice infrastructure to bypass email authentication controls and trick recipients into calling attacker-controlled phone numbers. The campaign, observed by security researchers, leverages PayPal's own billing system to generate invoices that pass standard email validation checks, making detection significantly harder for automated filters.
The attack chain begins when threat actors create PayPal invoices through the platform's standard interface. These invoices are then distributed using Microsoft Outlook distribution lists to addresses hosted on dedicated criminal-owned domains. These so-called "exploder" addresses automatically redistribute incoming messages to large numbers of pre-configured email recipients. The technical consequence is severe: every message arrives with a valid DKIM signature from PayPal, passes sender authentication checks, and receives an ARC seal from Outlook—three layers of legitimacy that most security filters trust implicitly.
For recipients, the invoices appear fully authenticated and credible. Observed subject lines reference phony transactions with instructions to call callback numbers, such as "Invoice from Question ! Get in touch, 8OO_596_O886. PPL (TRX-#1234)." The phishing hook occurs during the follow-up call, where attackers attempt to extract sensitive information or financial credentials. Organizations relying on DKIM/SPF validation and ARC sealing for email security should treat PayPal-branded invoices with heightened scrutiny, particularly those containing direct callback instructions, as the authentication chain provides no protection against abuse of the legitimate billing platform itself.
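As an added example (not code from the original report), the triage check below reflects the recommendation above: it parses a constructed PayPal-branded invoice notification, confirms the DKIM pass for paypal.com, and still flags the message because the subject carries an obfuscated callback number alongside a call-to-action. The sample headers, the phrase list and the number-normalisation regexes are assumptions for illustration.

```python
import re
from email import message_from_string

# Constructed sample of an authenticated PayPal-branded invoice notification whose
# subject carries a callback lure (headers abbreviated; not a real capture).
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com; spf=pass; arc=pass
From: service@paypal.com
Subject: Invoice from Question ! Get in touch, 8OO_596_O886. PPL (TRX-#1234)
Content-Type: text/plain

Please review your invoice and pay by the due date.
"""

# Digit-like runs that may be broken up with separators or letter-for-digit swaps
# (O for 0, I/l for 1), as in the observed subject line.
_PHONE_LIKE = re.compile(r"[\dOo](?:[\dOoIl]|[\s._\-()]){7,}[\dOo]")
_LETTER_TO_DIGIT = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1"})
_SEPARATORS = re.compile(r"[\s._\-()]+")
# Assumed call-to-action phrases; tune to the lures actually seen.
_LURE_PHRASES = re.compile(r"\b(call|get in touch|contact|reach)\b", re.IGNORECASE)

def extract_callback_numbers(text: str) -> list[str]:
    """Undo separator and homoglyph obfuscation; keep 10- or 11-digit results."""
    found = []
    for m in _PHONE_LIKE.finditer(text):
        digits = _SEPARATORS.sub("", m.group(0).translate(_LETTER_TO_DIGIT))
        if digits.isdigit() and len(digits) in (10, 11):
            found.append(digits)
    return found

def assess_invoice_mail(raw: str) -> dict:
    """Score a message on its content, not on whether DKIM/ARC passed."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    paypal_dkim = re.search(r"dkim=pass\b.*?header\.d=paypal\.com", auth) is not None
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    numbers = extract_callback_numbers(text)
    lure = _LURE_PHRASES.search(text) is not None
    return {
        "dkim_pass_paypal": paypal_dkim,
        "callback_numbers": numbers,
        # A passing authentication chain is the expected state for this abuse, so
        # it must not suppress the verdict; a phone number plus a call-to-action does.
        "callback_scam_suspected": bool(numbers) and lure,
    }
```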