In June, we wrote about how hackers were sending phishing emails directly from QuickBooks.

It worked like this: A hacker would create a free account in QuickBooks. They would create a spoofed invoice, either for Norton or Microsoft, and then send it to the user.

Since it’s created in QuickBooks, the email comes across as legitimate. Email scanners see a legitimate QuickBooks domain. Since QuickBooks is on most Allow Lists as a legitimate site, the email passes right through. We call this The Static Expressway. This refers to the practice of hackers utilizing websites that are on static Allow Lists to get into the inbox. 

This “Expressway” is popular for hackers and something we’ve written about in great detail.

Now, we’ve found another route that hackers are taking: creating fake invoices in PayPal and using the legitimacy of the site to get into the inbox.

Starting in June 2022, Avanan researchers have seen hackers use PayPal to send malicious invoices and request payments. The hackers send the email from PayPal’s domain, using a free PayPal account that they have signed up for, with the email body spoofing brands like Norton. In this attack brief, Avanan will analyze how hackers are leveraging legitimate and popular websites to get into inboxes and steal credentials and money.   


In this attack, hackers are creating accounts in PayPal, and then sending malicious invoices and requests for payments directly from the service. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Double Spear, Brand Impersonation
  • Target: Any end-user



In this attack, threat actors are using the legitimacy of PayPal to get into the inbox.

Email Example #1


In this attack, hackers are creating accounts in PayPal. Then they are using PayPal’s features to create an invoice. In this video, you can see how the hackers are editing the business name, placing fake telephone numbers and showing the fake Norton invoice. From there, hackers can send the invoice to multiple users at once. 


Hackers are using a combination of social engineering and legitimate domains to extract money and credentials from end-users. We’ve seen this with QuickBooks most recently, and now with PayPal. This can be done on any site that’s trusted and used regularly by end-users. PayPal and QuickBooks are particularly clever choices since they are often used for business invoices.

The scam works since static Allow Lists “allow” content from these sites directly into the inbox. It’s a way of condensing the Internet for security scanners. You can’t block the whole Internet, so you try to figure out what you know is good. Trusted websites like PayPal often make the cut, even if it is an oft-impersonated brand. What makes this attack scary is that the phishing invoices are created and sent through PayPal. That makes it more legitimate to the security service and to the end-user.

For hackers, this process couldn’t be easier. They use PayPal’s domain to get into the inbox. They use classic social engineering tactics to send an invoice notice and get the user to take action. This attack works because of what hackers on the dark web call a double spear:

  • Make the user call the listed telephone number
  • Make the user pay the invoice


Not only do they have your email, but they also have your phone number, which can be used for future attacks. And, of course, they have your money. 

Avanan notified PayPal of this attack on July 19th, and will update this blog with any further information. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Before calling an unfamiliar service, Google the number and check your accounts to see if there were, in fact, any charges
  • Implement advanced security that looks at more than one indicator to determine if an email is clean or not
  • Encourage users to ask IT if they are unsure about the legitimacy of an email
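
To illustrate the "more than one indicator" recommendation, here is an added example (not Avanan's or PayPal's code) that scores a message on body content as well as sender domain, so an allow-listed sender alone does not clear it. The allow list, brand map, regexes, threshold and both sample messages are assumptions constructed for this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: a static allow list, and a map of watched
# brands to the domains each one legitimately sends from.
ALLOW_LIST = {"paypal.com", "intuit.com"}
BRANDS = {"norton": {"norton.com"}, "microsoft": {"microsoft.com"},
          "paypal": {"paypal.com"}}
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_RE = re.compile(r"\b(?:call|contact|dial)\b.{0,60}?\d{3}", re.I | re.S)
INVOICE_RE = re.compile(r"\b(?:invoice|payment request|money request)\b", re.I)

# Constructed sample messages (plain-text, single-part), not real captures.
FAKE_INVOICE = (
    "From: service@paypal.com\nSubject: Invoice from Norton Billing\n\n"
    "You have a new invoice for Norton Security renewal: $499.99.\n"
    "If you did not authorize this, call +1 (555) 010-0199 to cancel.\n")
ORDINARY_RECEIPT = (
    "From: service@paypal.com\nSubject: Receipt\n\n"
    "You sent a payment of $20.00 to Example Shop.\n"
    "View the transaction in your PayPal account.\n")


def analyze(raw):
    """Return (static_verdict, indicators) for one RFC 5322 message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()  # a str for single-part messages
    static_verdict = "allow" if domain in ALLOW_LIST else "scan"
    indicators = []
    for brand, domains in BRANDS.items():
        # A brand named in the body that the sending domain does not own.
        if re.search(rf"\b{brand}\b", body, re.I) and domain not in domains:
            indicators.append(f"brand_mismatch:{brand}")
    if PHONE_RE.search(body) and CALL_RE.search(body):
        indicators.append("callback_number")
    if INVOICE_RE.search(body):
        indicators.append("invoice_lure")
    return static_verdict, indicators


def verdict(raw, threshold=2):
    """Quarantine when enough indicators fire, whatever the allow list says."""
    static_verdict, indicators = analyze(raw)
    return "quarantine" if len(indicators) >= threshold else static_verdict
```

Both samples come from the same allow-listed domain, so the static check returns "allow" for each; only the content indicators separate the fake Norton invoice from the ordinary receipt.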