Cybercriminals are increasingly exploiting legitimate invoicing systems from major companies like Apple and PayPal in sophisticated DKIM replay attacks. This emerging threat bypasses traditional email security filters by leveraging the trust users place in familiar brand notifications. Hackers insert fraudulent contact information into seemingly valid invoices, directing unsuspecting victims to call scam phone numbers and divulge sensitive financial data.
These advanced phishing tactics, identified by Kaseya analysts, represent a significant evolution in cybercrime. Instead of attempting to spoof email addresses, attackers now misuse the inherent trust in established digital workflows. This strategy relies on the fact that while email authentication protocols like DKIM verify the sender’s identity, they cannot inherently validate the safety or legitimacy of the email’s content. Consequently, users are left vulnerable to deception, believing the malicious communications are sanctioned by trusted vendors.
The Mechanics of DKIM Replay Evasion
The core of this malicious campaign is the DKIM replay attack, a method that manipulates email authentication protocols. Attackers first create legitimate accounts on platforms like Apple or PayPal. They then generate invoices or dispute notifications using the platform’s built-in tools. Crucially, they insert their fraudulent phone numbers and other scam details into user-editable fields, such as the “seller notes” section of an invoice or the informational fields within a dispute notification. These fields are typically trusted as they are part of the legitimate platform’s communication flow.
Once the malicious invoice or notification is generated, the attacker sends it to their own email address. Because the email originates directly from a reputable service like PayPal or Apple, it receives a valid DomainKeys Identified Mail (DKIM) signature. This signature cryptographically verifies that the email was indeed sent by the claimed domain.
Following this initial step, the attacker forwards this original, digitally signed email to a broad list of potential victims. Because the DKIM signature covers the signed header fields (such as From, To and Subject) and the message body, but not the SMTP envelope, it remains intact and valid as long as the forwarded message is not modified. This allows the malicious email to pass Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks, which treat an aligned, valid DKIM signature as proof of authenticity. As a result, the email bypasses security filters without triggering any warnings, appearing as a legitimate communication from services such as “[email protected]” or similar trusted Apple addresses.
The intended victim, seeing a familiar and seemingly official email, might then act on the instructions within. The email content directs them to call a scam phone number—often presented as a customer support line for an issue with their account or a recent purchase. When users call these numbers, they are then subjected to social engineering tactics designed to extract personal and financial information, leading to potential identity theft and financial loss. These tactics are particularly effective because they exploit the user’s trust in the brand and bypass typical phishing indicators.
To mitigate these sophisticated DKIM replay attacks, security teams are advised to implement more rigorous email gateway configurations. A critical step is to equip gateways with the capability to inspect the “To” header and identify mismatches between the envelope recipient (the actual destination address handled by mail servers) and the visible header recipient (what the user sees in their inbox). Such discrepancies can be an indicator of a forwarded or manipulated message.
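The following added example (written for this article, not code from Kaseya or from any mail platform) models the two points above: why a DKIM signature survives unmodified forwarding, and how a gateway can flag the envelope-versus-header recipient mismatch that forwarding leaves behind. Everything in it is constructed: the sample message, the addresses (reserved `.invalid` domains), the signed-header list, and the signing key. HMAC-SHA256 stands in for the RSA or Ed25519 key a real platform publishes in DNS; the canonicalization is a simplified version of the DKIM "relaxed" header and "simple" body rules, enough to show which parts of a message the signature binds.

```python
import hashlib
import hmac
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed sample: a notification as a platform might deliver it to the
# account holder's own mailbox. Not a real PayPal or Apple message.
ORIGINAL_MESSAGE = (
    "From: billing@platform.invalid\n"
    "To: attacker-mailbox@example.invalid\n"
    "Subject: Invoice CONSTRUCTED-001\n"
    "Date: Mon, 01 Jan 2024 00:00:00 +0000\n"
    "\n"
    "Seller notes: questions? call +1-555-0100 (constructed number)\n"
)

# Header fields the hypothetical platform lists in its DKIM h= tag.
SIGNED_HEADERS = ("from", "to", "subject", "date")

# Stand-in for the platform's private key (real DKIM: RSA/Ed25519 in DNS).
SIGNING_KEY = b"constructed-demo-signing-key"


def canonical_headers(msg: Message) -> bytes:
    """Relaxed-style canonicalization: lowercase name, collapsed whitespace."""
    lines = []
    for name in SIGNED_HEADERS:
        value = msg.get(name, "")
        lines.append(f"{name}:{' '.join(value.split())}")
    return "\r\n".join(lines).encode()


def canonical_body(msg: Message) -> bytes:
    """Simple-style body canonicalization: drop trailing blank lines, use CRLF."""
    body = msg.get_payload()
    lines = body.rstrip("\r\n").split("\n")
    return "\r\n".join(line.rstrip("\r") for line in lines).encode() + b"\r\n"


def sign(raw: str) -> str:
    """Signature over the signed headers plus the body hash, like DKIM's b= tag."""
    msg = message_from_string(raw)
    body_hash = hashlib.sha256(canonical_body(msg)).digest()
    data = canonical_headers(msg) + body_hash
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def verify(raw: str, signature: str) -> bool:
    """Receiver-side check: recompute and compare in constant time."""
    return hmac.compare_digest(sign(raw), signature)


def envelope_header_mismatch(envelope_rcpt: str, raw: str) -> bool:
    """Gateway check from the article: is the SMTP RCPT TO address absent
    from the visible To/Cc headers? The envelope is never DKIM-signed, so a
    replayed message keeps the attacker's mailbox in To: while the envelope
    now names the victim."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    header_rcpts = {addr.lower() for _, addr in pairs if addr}
    return envelope_rcpt.strip().lower() not in header_rcpts


def replay_demo() -> tuple:
    """Walk through the replay step and the defender's two observations."""
    # 1. The platform signs the message on delivery to the attacker's mailbox.
    signature = sign(ORIGINAL_MESSAGE)
    # 2. The attacker re-sends the unmodified message; only the envelope changes.
    victim_envelope = "victim@example.invalid"
    still_valid = verify(ORIGINAL_MESSAGE, signature)          # signed parts untouched
    flagged = envelope_header_mismatch(victim_envelope, ORIGINAL_MESSAGE)
    # 3. Editing any signed field (here, the To header) breaks the signature.
    altered = ORIGINAL_MESSAGE.replace("attacker-mailbox@example.invalid", victim_envelope)
    altered_valid = verify(altered, signature)
    return still_valid, flagged, altered_valid


if __name__ == "__main__":
    valid, mismatch, altered_ok = replay_demo()
    print(f"replayed copy still verifies: {valid}")
    print(f"envelope/header recipient mismatch flagged: {mismatch}")
    print(f"copy with edited To header verifies: {altered_ok}")
```

Running it shows the replayed copy verifying (True), the mismatch check firing (True), and the copy with an edited To header failing verification (False). The mismatch check is a signal rather than a blocking rule on its own: legitimate Bcc delivery and mailing-list forwarding also produce an envelope recipient that does not appear in the headers, so a gateway should combine it with the other context the article describes, such as unexpected invoices carrying phone numbers in free-text fields.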
Furthermore, comprehensive user education remains paramount. Organizations must continually train their employees and end-users to be skeptical of unsolicited invoices, even those appearing to originate from trusted companies. Verification of any suspicious claims or notifications should always be done by directly logging into official company websites or portals, rather than relying on contact information provided within an email, especially when that information prompts an immediate outbound call. This proactive approach can significantly reduce the success rate of these advanced fraud schemes.