DKIM Replay Attacks Target Apple & PayPal Invoice Hackers Exploit

The cybersecurity threat landscape continues its rapid evolution, moving far beyond readily identifiable, poorly written phishing emails. Modern attackers increasingly deploy sophisticated methods, exploiting trusted digital infrastructure to achieve their objectives.

Attackers are now exploiting legitimate business workflows within widely used platforms, effectively turning reputable services into unwitting accomplices for financial fraud.

This strategic shift makes malicious communications significantly harder for traditional security filters to detect, as the emails originate from verified, high-reputation domains rather than spoofed addresses, leaving end-users vulnerable to deception.

The core of this strategy involves manipulating the standard invoicing features of services like PayPal and Apple.

Bad actors create legitimate accounts and generate invoices or dispute notifications, inserting fraudulent contact information—specifically scam phone numbers—into user-controlled fields like “seller notes.”

Since these messages are generated by the platforms themselves, they carry valid digital signatures, making them appear completely benign to automated filters.

Following the emergence of these tactics, Kaseya analysts identified that this specific malware campaign relies heavily on the trust users place in familiar brand notifications to bypass scrutiny.

This discovery highlights a critical gap in email security where authentication protocols confirm the sender’s identity but cannot verify the safety of the content itself.

The attackers do not need to compromise the vendors; they simply misuse features provided to legitimate users to construct an authentic-looking trap.

The Mechanics of DKIM Replay Evasion

The technique, known formally as a DKIM replay attack, capitalizes on the specific way email authentication protocols function to validate sender identity.

Once the attacker generates a malicious invoice containing their scam number, they send it to their own email address first.

Since the email comes directly from a vendor like PayPal, it receives a valid DomainKeys Identified Mail (DKIM) signature.

The attacker then forwards this exact email to thousands of potential victims using their own lists.

Because the original cryptographic signature covers the message body and headers, it remains valid even after forwarding.

This allows the malicious email to pass Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks, landing directly in the victim’s inbox without triggering warnings.

The recipient sees a valid email from addresses like “service@paypal[.]com,” but the content directs them to call a fraudulent support number to harvest sensitive financial data.

To defend against these threats, security teams should configure email gateways to inspect the “To” header for mismatches between the envelope recipient and the visible header.

Additionally, organizations must train users to remain skeptical of unsolicited invoices and verify claims by logging directly into official portals rather than calling phone numbers provided in email notes.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.