Bypassing Security: Cybercriminals Abuse PayPal and Apple Infrastructure
Threat Intelligence Brief: The Evolution of "No-Phish" Phishing
Traditional email security filters are designed to spot "red flags": mismatched sender domains, suspicious attachments, and low-reputation links. However, a new wave of attacks in early 2026 has rendered these defenses nearly obsolete. By abusing the legitimate notification systems of PayPal and Apple, cybercriminals are sending malicious payloads directly through the vendors' own verified servers.
Because these emails carry valid DKIM (DomainKeys Identified Mail) signatures and originate from the vendors' own trusted mail servers (with sender addresses such as service@paypal.com), they pass nearly every security check, landing directly in the victim's primary inbox with a sense of undisputed authority.
The "Legitimate Sender" Loophole
The core of this attack is not technical exploitation of a software bug, but rather the exploitation of trust-based workflows. Attackers utilize features meant for legitimate business communication to inject their own scam instructions.
1. The PayPal Invoice/Dispute Abuse
Criminals create a free PayPal account and use the "Create Invoice" or "Open Dispute" feature. They manipulate the "Seller Name" or "Notes" fields, which allow a high character count with minimal validation, to include a fraudulent support message.
- The Payload: "Unauthorized charge of $499.00 detected. To cancel this transaction, call Apple Support at +1 (800) XXX-XXXX."
- The Delivery: PayPal’s system automatically generates a notification email to the victim. Since PayPal is sending it, the email is 100% authentic to any security filter.
2. The Apple "ConnectToHub" & Subscription Abuse
Similar to the PayPal method, attackers use Apple's App Store billing system. By subscribing to a legitimate app (often using a stolen credit card) and then "modifying" the account name to a scam message, they trigger an automated Apple receipt email. These receipts carry the weight of the Apple brand, making the "Urgent Security Warning" inside the note field feel terrifyingly real.
Anatomy of a "DKIM Replay" Attack
Advanced threat actors have been observed using a technique called DKIM Replay. This allows them to take a legitimate, signed email from a vendor and "replay" it to thousands of other victims by routing it through their own malicious infrastructure while keeping the original signature intact.
| Step | Action | Why it Works |
|---|---|---|
| 1. Capture | Attacker triggers a real email to themselves (e.g., a subscription notice). | The email has a valid signature from Apple/PayPal. |
| 2. Modification | The attacker uses specific fields that aren't "covered" by the signature to insert scam text. | The signature remains "valid" because the cryptographically signed portions didn't change. |
| 3. Distribution | The email is forwarded to a target list via a compromised Microsoft 365 tenant. | Security tools see the "Pass" on DKIM and allow the email through. |
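As an added example (not part of the INKY brief), a Python check a mail-security team could run on a suspect message: it parses the DKIM-Signature h= tag to list which headers the vendor's signature does not cover, and compares the Delivered-To mailbox against To/Cc, the "verify the To header" check from the recommendations below. The message, domain, selector and signature values are constructed placeholders.

```python
import email
import re
from email.utils import getaddresses, parseaddr
# Constructed sample, not a real message: a vendor-signed notification whose
# DKIM h= list covers From/Date/Subject but not To, replayed to a mailbox that is
# absent from the To header. Domain, selector and signature values are placeholders.
SAMPLE_MSG = """\
Delivered-To: victim@example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal.com; s=pp-dkim1;
 h=From:Date:Subject:MIME-Version:Content-Type; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: service@paypal.com
To: attacker-list@example.net
Subject: You have received an invoice
Date: Tue, 10 Feb 2026 09:00:00 +0000
MIME-Version: 1.0
Content-Type: text/plain

Unauthorized charge of $499.00 detected. Call support.
"""

# Headers a defender wants inside h=; anything left out can be rewritten by a replayer.
RECOMMENDED_SIGNED = {"from", "to", "subject", "reply-to", "date"}

def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs, ignoring folding whitespace."""
    compact = re.sub(r"\s+", "", sig_value)
    return dict(p.split("=", 1) for p in compact.split(";") if "=" in p)

def dkim_signed_headers(msg):
    """Lowercased header names listed in the h= tag; empty set if there is no signature."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return set()
    return {h.lower() for h in parse_dkim_tags(sig).get("h", "").split(":") if h}

def recipient_mismatch(msg):
    """True when the Delivered-To mailbox is absent from To/Cc, a replay indicator."""
    delivered = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    if not delivered:
        return False  # cannot judge without a delivery header
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return delivered not in {a.lower() for _, a in visible if a}

def assess(raw):
    """Replay indicators for one raw RFC 5322 message: uncovered headers and To mismatch."""
    msg = email.message_from_string(raw)
    return {"unsigned": sorted(RECOMMENDED_SIGNED - dkim_signed_headers(msg)),
            "recipient_mismatch": recipient_mismatch(msg)}

print(assess(SAMPLE_MSG))
```

A genuine vendor notification addressed to you should report no recipient mismatch; a replayed copy typically shows the attacker's list in To and an uncovered To header.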
The End Game: Vishing and RMM Abuse
Unlike old-school phishing that aimed for a simple password, these 2026 campaigns are multi-stage. Once a victim calls the "support number" listed in the legitimate PayPal email:
- Social Engineering: A professional-sounding agent (often using AI voice cloning) builds rapport.
- RMM Deployment: The victim is convinced to download "Support Software" like AnyDesk or LogMeIn Rescue to "secure" their account.
- Corporate Pivot: If the victim is on a work laptop, the attacker uses the remote access to move laterally into the corporate network, often deploying ransomware or stealing session tokens.
Defensive Recommendations
"If the email is real, but the content is fake, your security filter won't save you. Only skepticism will." - INKY Security Research, Feb 2026.
- Verify the "To" Header: In DKIM replay attacks, the "To" field often shows a distribution list or the attacker’s own email, even though you received it.
- Log In Directly: Never call a phone number provided in an email. Always go to paypal.com or appleid.apple.com manually to check for notifications.
- Report Infrastructure Abuse: Forward these emails to phishing@paypal.com or reportphishing@apple.com to help them identify and block the specific accounts generating the invoices.