An interestingly-worded campaign has bypassed ATP scanners and made it into inboxes.

It's a classic credential harvesting scheme. What's different is that the wording of the email suggests that the end-user has done something wrong. 

Here's the email:

[Image: screenshot of the phishing email]

As the scammers write, it's about a transaction on a PayPal account. It notes that there's a transaction they don't recognize, and that they don't know why they paid the end-user nearly $2,000.

Of course, when you inspect the URL, you'll see it's not legitimate. But on first inspection, the user sees a familiar brand, and the sender address is spoofed to look like a vendor the victim has communicated with in the past.
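The two tells described above, a sender address that does not belong to the brand named in the display name and a link whose visible text does not match where it actually points, can be checked mechanically. The following is an added illustration, not code from the original post; the sample message is constructed to mirror the lure described here, and the brand domain list and the two-label "registrable domain" shortcut are simplifying assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the PayPal-themed lure in the post (not the real email).
SAMPLE_EMAIL = """From: "PayPal" <billing@known-vendor.example>
Subject: Unrecognized transaction on your account
Content-Type: text/html

<p>We do not recognize a payment of $1,985.00 that was sent to you.</p>
<a href="http://paypal.example-verify.test/login">https://www.paypal.com/signin</a>
"""

# Assumed set of legitimate domains for the impersonated brand.
BRAND_DOMAINS = {"paypal.com", "paypal.me"}

def registrable_domain(host):
    # Simplification: last two labels only (does not handle suffixes like co.uk).
    return ".".join(host.lower().split(".")[-2:])

def html_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in parts if p.get_content_type() == "text/html")

def find_brand_mismatches(raw, brand="paypal"):
    """Return (finding, domain) pairs for the sender and link tells."""
    msg = message_from_string(raw)
    findings = []
    # Tell 1: display name claims the brand, sender domain is not a brand domain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = addr.rsplit("@", 1)[-1].lower()
    if brand in name.lower() and registrable_domain(sender_dom) not in BRAND_DOMAINS:
        findings.append(("sender-brand-mismatch", sender_dom))
    # Tell 2: anchor text shows a brand URL but the href goes somewhere else,
    # or the href host merely contains the brand name as a lookalike.
    anchors = re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html_body(msg), re.I | re.S)
    for href, text in anchors:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(("link-text-mismatch", href_host))
        elif brand in href_host and registrable_domain(href_host) not in BRAND_DOMAINS:
            findings.append(("lookalike-domain", href_host))
    return findings
```

Run against the constructed sample it reports both tells; a message whose sender and links both resolve to a listed brand domain returns an empty list.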
