Executive Summary
In mid-2024, cybercriminals exploited PayPal’s legitimate ‘Subscriptions’ billing feature to send authentic-looking emails with fraudulent purchase notifications. By inserting malicious information into the Customer Service URL field, attackers leveraged PayPal’s trusted platform to bypass spam filters, tricking recipients into believing they had initiated a costly subscription. Victims, startled by these official-looking emails, contacted the provided phone numbers, which connected them to threat actors conducting social engineering attacks, potentially resulting in credential theft or financial loss.
This incident highlights a growing trend of attackers abusing trusted platforms and supply chain features to execute highly persuasive phishing campaigns. Increased reliance on platform-generated transactional emails, coupled with social engineering, presents new security and compliance challenges for organizations and consumers alike.
Why This Matters Now
The abuse of PayPal’s subscriptions system demonstrates how attackers are innovating by compromising legitimate services to deliver convincing phishing attacks. With social engineering tactics evolving and targeting everyday users, vigilance and technical safeguards are urgently needed to mitigate such threats before they lead to financial fraud or large-scale data compromise.
Attack Path Analysis
The attack began when users received legitimate-looking PayPal emails crafted via the abuse of PayPal's Subscriptions feature, tricking them into believing fraudulent purchases were made. While there was no direct cloud privilege escalation, users who interacted with embedded fraudulent links could be socially engineered into sharing sensitive data or credentials. If compromised, attackers could potentially attempt lateral movement within a cloud or SaaS environment by leveraging harvested credentials or session data. Communication with attacker-controlled infrastructure for further exploitation or instructions could occur via user-initiated outbound connections. Any sensitive data or credentials obtained could be exfiltrated over encrypted channels. The overall impact included potential financial loss, unauthorized account access, and increased risk of business email compromise or further phishing activity.
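Because these notifications were sent by PayPal's own mail infrastructure, sender authentication (SPF/DKIM/DMARC) passes and cannot distinguish the abusive message from a genuine one; the tell is in the content. The following added example (not code from the original report or from PayPal) shows a content-level check a mail gateway or SOC triage script could apply: it extracts the "Customer Service URL" field from a constructed subscription-notification body and flags it when the field holds free text, a callback phone number, or urgency wording instead of a single https URL. The field label and sample bodies are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample bodies (not real PayPal emails). The abuse described in the
# report injected free text and a phone number into the merchant-controlled
# "Customer Service URL" field of a legitimate subscription notification.
LEGIT_BODY = """Subscription confirmation
Merchant: Example Streaming Co.
Customer Service URL: https://support.example-streaming.test/contact
"""

ABUSED_BODY = """Subscription confirmation
Merchant: Example Streaming Co.
Customer Service URL: WARNING your account was charged $599.00. Call +1-555-0100 now to cancel
"""

FIELD_RE = re.compile(r"^Customer Service URL:\s*(.*)$", re.M)
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")          # loose phone-number shape
URGENCY_RE = re.compile(r"\b(call|urgent|cancel|unauthori[sz]ed|charged)\b", re.I)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def inspect_customer_service_field(body: str) -> Verdict:
    """Heuristic: the field should contain exactly one https URL and nothing else.
    Anything else (free text, a phone number, urgency wording) is flagged, since
    SPF/DKIM pass for platform-sent mail and cannot catch this abuse."""
    m = FIELD_RE.search(body)
    if not m:
        return Verdict(False)          # field absent: nothing to judge here
    value = m.group(1).strip()
    reasons = []
    parsed = urlparse(value)
    if not (parsed.scheme == "https" and parsed.netloc and " " not in value):
        reasons.append("field is not a single https URL")
    if PHONE_RE.search(value):
        reasons.append("phone number embedded in URL field")
    if URGENCY_RE.search(value):
        reasons.append("urgency/callback wording in URL field")
    return Verdict(bool(reasons), reasons)


if __name__ == "__main__":
    for name, body in (("legit", LEGIT_BODY), ("abused", ABUSED_BODY)):
        print(name, inspect_customer_service_field(body))
```

A flagged message is a triage signal for the support desk, not proof of fraud; the actionable advice to users remains to verify any charge inside their PayPal account rather than via a number in the email.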
Kill Chain Progression
Initial Compromise
Description
Adversaries sent phishing emails leveraging PayPal’s legitimate notification system, exploiting the Subscriptions feature to deliver convincing fake purchase alerts to victims.
Related CVEs
CVE-2024-13560
CVSS 5
A Cross-Site Request Forgery (CSRF) vulnerability in the Subscriptions and Memberships for PayPal plugin for WordPress allows unauthenticated attackers to delete arbitrary posts via forged requests.
Affected Products:
Scott Paterson Subscriptions and Memberships for PayPal – <= 1.1.6
Exploit Status:
no public exploit
CVE-2025-12752
CVSS 6.5
An insufficient verification of data authenticity in the Subscriptions & Memberships for PayPal plugin for WordPress allows unauthenticated attackers to create fake payment entries.
Affected Products:
Scott Paterson Subscriptions & Memberships for PayPal – <= 1.1.7
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
The listed techniques are preliminary mappings for filtering and SEO, subject to further enhancement with full threat intelligence detail.
Phishing
Modify Authentication Process
Spearphishing Link
Obtain Capabilities: Tool
User Execution: Malicious Link
Hide Artifacts: Email Hiding Rules
Phishing for Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Respond to Security Events
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – User Awareness and Email Security
Control ID: Identity Pillar: Phishing Detection and Response
NIS2 Directive – Incident Response and Reporting Obligations
Control ID: Article 21(2)d
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
High exposure to PayPal subscription abuse targeting payment processing systems, requiring enhanced egress security and threat detection for transaction verification workflows.
E-Learning
Vulnerable to subscription-based phishing targeting educational payment systems, necessitating zero trust segmentation and anomaly detection for student billing platforms.
Internet
Critical risk from social engineering attacks exploiting online payment subscriptions, demanding multicloud visibility and inline IPS for customer service URL filtering.
Retail Industry
Significant threat from fake purchase notification scams targeting e-commerce platforms, requiring encrypted traffic monitoring and egress policy enforcement for payment gateways.
Sources
- Beware: PayPal subscriptions abused to send fake purchase emails (https://www.bleepingcomputer.com/news/security/beware-paypal-subscriptions-abused-to-send-fake-purchase-emails/)
- PayPal closes loophole that let scammers send real emails with fake purchase notices (https://www.malwarebytes.com/blog/news/2025/12/paypal-closes-loophole-that-let-scammers-send-real-emails-with-fake-purchase-notices)
- PayPal Alerts Consumers to Phishing Scams and Encourages Safety Tips (https://investor.pypl.com/news-and-events/news-details/2025/PayPal-Alerts-Consumers-to-Phishing-Scams-and-Encourages-Safety-Tips/default.aspx)
- Warning: Scammers Exploit PayPal “Subscriptions” Feature to Send Phishing Emails from Legitimate Domains (https://www.thaicert.or.th/en/2025/12/16/warning-scammers-exploit-paypal-subscriptions-feature-to-send-phishing-emails-from-legitimate-domains/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress security, and anomaly detection in the cloud network could have limited phishing impact by restricting lateral movement, enforcing least privilege on outbound traffic, and rapidly detecting abnormal access or data exfiltration behaviors. These controls, applied to SaaS, workloads, and user activities, help disrupt attacker progression even following successful phishing attempts.
Control: Threat Detection & Anomaly Response
Mitigation: Could rapidly identify abnormal login patterns or suspicious user behaviors after phishing engagement.
Control: Multicloud Visibility & Control
Mitigation: Provides visibility into credential use across clouds and can alert on new credentialed access.
Control: Zero Trust Segmentation
Mitigation: Restricts network-based lateral movement with least privilege, microsegmented policies.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound connections are blocked or alerted based on FQDN, application, or anomaly.
Control: Encrypted Traffic (HPE)
Mitigation: Assures all data in transit is encrypted and visible for monitoring, detecting suspicious outbound patterns.
Automated, policy-driven microenforcement minimizes blast radius and enables rapid incident response.
Impact at a Glance
Affected Business Functions
- Payments
- Customer Support
Estimated downtime: N/A
Estimated loss: $50,000
Potential exposure of customer contact information through phishing attacks.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation to prevent lateral movement in cloud and SaaS resources post-phishing incident.
- Deploy centralized egress security and filtering to block outbound connections to malicious domains and detect anomalous exfiltration.
- Enhance cloud and SaaS threat detection capabilities to baseline and rapidly flag suspicious account or service usage.
- Utilize encrypted traffic monitoring and observability to detect and investigate unusual data transfer behaviors.
- Integrate multicloud visibility for real-time policy enforcement and rapid incident response across all workloads and access types.