An interestingly worded campaign has bypassed ATP scanners and made it into inboxes.
It's a classic credential harvesting scheme. What's different is that the wording of the email suggests that the end-user has done something wrong.
Here's the email:
As they write, it's about a transaction on a PayPal account. It notes that there's a transaction the scammers don't recognize, and they don't know why they paid the end-user nearly $2,000.
Of course, when you inspect the URL, you'll see it's not legitimate. But on first inspection, the user sees a familiar brand, and the address is spoofed to appear to come from a vendor that the victim has communicated with in the past.