The PayPal Invoice That Passed Every Check Because PayPal Actually Sent It

ID: 988e69de-30a7-5684-8c87-7a542ee4ee2b

STIX ID: report--988e69de-30a7-5684-8c87-7a542ee4ee2b

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-05-07

Date Updated: 2026-05-07

Author: [email protected] (Audian Paxson)

A PayPal invoice-cancellation phishing campaign used emails that PayPal itself sent and that were legitimately authenticated (SPF/DKIM/DMARC passed), with all links pointing to PayPal pages. The Reply-To header, however, directed responses to a merchant domain controlled by the attacker. Behavioral detection (IRONSCALES/Themis) flagged the campaign, and community validation confirmed it as phishing. The report provides IOCs ([email protected], [email protected], kissimmeenotarypublic.com, 173.0.84.6, d=paypal.com s=pp-dkim1) and recommends verifying Reply-To headers before replying to invoices.