A new DKIM replay attack technique is being used by cybercriminals to bypass email security by abusing legitimate invoice and notification systems from PayPal, Apple and others, according to a Kaseya report that draws on data from INKY. The attack relies on emails that are cryptographically signed by the vendor itself, so they pass DKIM and DMARC checks even when the content is malicious, allowing the message to reach targets' inboxes.
Attackers generate a real invoice or dispute notification on the vendor's platform, embed scam instructions and a fraudulent phone number in the seller notes, send the email to themselves first, and then forward the pristine message to victims. The method works because forwarding the original, unmodified email preserves its DKIM signature, so the message appears to originate from PayPal or Apple. To defend, the report advises confirming that the To header actually names the recipient, and ignoring any phone numbers or urgent payment warnings in unexpected messages.
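One way to implement the To-header check the report recommends, as an added Python example that is not code from the report or from INKY. The message, the domains and the phone number are constructed sample data, and the Authentication-Results check assumes the receiving MTA adds that header itself and strips any copy it did not add.

```python
import email
import re
from email import policy
# Loose phone-number pattern: the scam text in the seller note carries a number.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def header_addresses(msg, name):
    """Lower-cased addr-specs from every instance of an address header."""
    addrs = set()
    for hdr in msg.get_all(name, []):
        addrs.update(a.addr_spec.lower() for a in hdr.addresses)
    return addrs

def dkim_passed(msg):
    """dkim=pass in Authentication-Results (assumes the edge MTA stripped foreign ones)."""
    return any("dkim=pass" in str(v).lower()
               for v in msg.get_all("Authentication-Results", []))

def replay_indicators(raw_message, delivered_to):
    """Return the replay signals found in a message delivered to delivered_to."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signals = []
    if dkim_passed(msg):
        signals.append("dkim-pass")
    # A valid vendor signature on a message whose To/Cc never named the actual
    # recipient is what a forwarded, unmodified invoice looks like.
    recipients = header_addresses(msg, "To") | header_addresses(msg, "Cc")
    if delivered_to.lower() not in recipients:
        signals.append("recipient-not-in-to")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if PHONE_RE.search(text):
        signals.append("phone-number-in-body")
    return signals

def is_suspected_replay(raw_message, delivered_to):
    """Core check: signed by the vendor but never addressed to the actual recipient."""
    signals = replay_indicators(raw_message, delivered_to)
    return "dkim-pass" in signals and "recipient-not-in-to" in signals
# Constructed sample: vendor-style notice sent to the attacker's own mailbox, then forwarded unchanged.
SAMPLE = """\
From: Vendor Billing <billing@vendor.example>
To: attacker-mailbox@example.net
Subject: Invoice from Seller
Authentication-Results: mx.example.org; dkim=pass header.d=vendor.example
Content-Type: text/plain; charset="utf-8"

Seller note: Unauthorized charge? Call 1-800-555-0199 immediately to cancel.
"""
```

The same message delivered to the attacker's own mailbox is not flagged, since the To header does name that recipient.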