Google Workspace Abuse Leads to Highly Convincing PayPal Phishing Attack
Imagine this: You open your email in the morning to check what came in overnight. You see an email from PayPal with the subject “Recurring Payment Reactivated.”
Your heart skips a beat. Your stomach drops. You don’t remember starting any subscriptions, so you click the email. You see you’re being charged $1,499 for a purchase you didn’t make.
You start to panic. You know phishing schemes exist, where scammers spoof legitimate email addresses. But when you check the sender, it’s a verified PayPal.com domain, sent directly from PayPal’s system.
Now, in a panic, you wonder: “Has my account been hacked?” The next step many people would take is to call the phone number in the email. On the other end, a “helpful” agent pretends to be from PayPal, but is actually a scammer who will take over your account and drain your funds.
This is exactly the situation one of my readers found themselves in.
Fortunately, instead of dialing the number, they noticed a few odd details and forwarded the email to me.
In this post, I will walk through that email step by step, highlight the red flags that show it is a phishing attempt, and explain how the scammer pulled off a scheme that appears to come directly from PayPal itself.
The Phishing Email
Any time you receive a suspicious email, the first step is to inspect the email header. On most email providers, you can do this by clicking the arrow next to the sender’s name and selecting “View Full Header” or “Show Original.”
Scammers often spoof the sender’s address. When this happens, the email usually ends up in the spam folder because the message fails the receiving server’s sender-authentication checks (SPF, DKIM and DMARC) for the spoofed domain. Sometimes scammers instead register domains that look very similar to legitimate ones, such as rnicrosoft.com instead of microsoft.com.
In this case, however, the sender domain is a real, verified PayPal domain, indicated by the blue checkmark next to the sender in Gmail. Gmail shows that checkmark only for senders whose domain has passed authentication (DMARC) and verified its brand logo, so the message genuinely came out of PayPal’s mail system. That makes it far more convincing and much harder to recognise as a scam.
Red Flag #1: Email Sent to the Wrong Address
The first red flag is that the email was addressed to receipt10@aldiscover.feedback, an address that does not belong to the person who received it. This is a technical trick the scammers used to get the email forwarded to the victim without the victim realizing it, which I explain later in the article.
Red Flag #2: Form Field Mismatch
Scammers can manipulate PayPal’s merchant forms to insert fraudulent information in fields where it doesn’t belong. In this case, they used the Customer Service URL field to include a scam phone number and misleading instructions, taking advantage of the system’s weak validation.
In the Customer Service URL field, the scammer included a valid URL to pass PayPal’s form validation, which requires a proper URL in the field.
However, the system does not check for extra text appended after the URL, and this is where the scammer inserted their malicious message.
They also used tricks to bypass PayPal’s filters, which normally block words like “PayPal” and “Support”, as well as dollar amounts and phone numbers.
The text looks like this:
Payment of $ 𝟭𝟰𝟵𝟵.𝟰𝟵 has been successfully processed.For cancel⠀and⠀Refund, Contact 𝐏ayPal 𝗦upport at (𝟴𝟬𝟱) 𝟱𝟬𝟬-𝟲𝟯𝟳𝟳
To a human reader it looks normal, but the scammer replaced several characters with look-alike characters from the Unicode Mathematical Alphanumeric Symbols block. A keyword, amount or phone-number filter that matches on ordinary ASCII characters treats them as completely different characters and never fires.
Dollar amount:
The digits in the amount were replaced with stylized Unicode digits (mathematical sans-serif bold):
1 became 𝟭 (U+1D7ED)
4 became 𝟰 (U+1D7F0)
9 became 𝟵 (U+1D7F5)
Words:
In “PayPal Support,” only the first letter of each word was replaced:
P became 𝐏 (U+1D40F, mathematical bold capital P)
S became 𝗦 (U+1D5E6, mathematical sans-serif bold capital S)
Phone number:
Every digit in the phone number was replaced with the same family of stylized Unicode digits:
8 → 𝟴 (U+1D7F4)
0 → 𝟬 (U+1D7EC)
5 → 𝟱 (U+1D7F1)
6 → 𝟲 (U+1D7F2)
3 → 𝟯 (U+1D7EF)
7 → 𝟳 (U+1D7F3)
Spaces:
In the phrase “cancel⠀and⠀Refund”, the normal spaces were replaced with the Unicode Braille blank, which renders like a space but is not whitespace as far as a filter is concerned:
space → ⠀ (U+2800 “Braille Pattern Blank”)
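As an added example (my code, not from the original post and not PayPal’s), here is how a merchant-form validator could catch both tricks described above: the free text smuggled in after a valid URL in the Customer Service URL field, and the look-alike and invisible characters used to slip past keyword, amount and phone-number filters. The field contents, the blocked-word list and the regular expressions are my assumptions; the “naive” filter is written the way the post implies PayPal’s filter behaves (matching on plain ASCII), and the hardened version folds the text with Unicode NFKC normalization and maps Braille blanks and zero-width characters to spaces before matching. The same checks cover the field-validation recommendations for PayPal later in the post.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample modelled on the abused field in the post (assumed values):
# a valid URL followed by smuggled text written with mathematical sans-serif
# bold digits, mathematical bold/sans-serif bold capitals and Braille blanks.
ABUSED_FIELD = (
    "https://example.com/help "
    "Payment of $ \U0001D7ED\U0001D7F0\U0001D7F5\U0001D7F5.\U0001D7F0\U0001D7F5 "
    "has been successfully processed.For cancel\u2800and\u2800Refund, "
    "Contact \U0001D40FayPal \U0001D5E6upport at "
    "(\U0001D7F4\U0001D7EC\U0001D7F1) \U0001D7F1\U0001D7EC\U0001D7EC-"
    "\U0001D7F2\U0001D7EF\U0001D7F3\U0001D7F3"
)

BLOCKED_WORDS = ("paypal", "support")          # assumed deny-list
# ASCII-only patterns, modelling a filter written for "$1499.49" and
# "(805) 500-6377".  Python's \d would already match the Unicode digits,
# so [0-9] is used on purpose to reproduce the weak behaviour.
AMOUNT_RE = re.compile(r"\$\s?[0-9][0-9,]*(?:\.[0-9]{2})?")
PHONE_RE = re.compile(r"\(?[0-9]{3}\)?[\s.-]?[0-9]{3}[\s.-]?[0-9]{4}")

# Characters that render as blank but are not whitespace; NFKC leaves them alone.
INVISIBLE = {"\u2800", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00a0"}


def normalize(text: str) -> str:
    """Fold look-alike letters/digits to ASCII and blank-looking chars to spaces."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(" " if ch in INVISIBLE else ch for ch in folded)


def suspicious_chars(text: str) -> list:
    """Every non-ASCII character with its code point and what it folds to."""
    return [(ch, f"U+{ord(ch):04X}", normalize(ch))
            for ch in text if not ch.isascii()]


def naive_filter(text: str) -> list:
    """Keyword/amount/phone filter run on the raw text (bypassable)."""
    hits = [w for w in BLOCKED_WORDS if w in text.lower()]
    if PHONE_RE.search(text):
        hits.append("phone")
    if AMOUNT_RE.search(text):
        hits.append("amount")
    return hits


def hardened_filter(text: str) -> list:
    """The same rules, run on the normalized text."""
    return naive_filter(normalize(text))


def validate_url_field(value: str) -> bool:
    """Accept a single bare http(s) URL only: no whitespace, no non-ASCII,
    nothing appended after the URL."""
    if not value.isascii() or any(ch.isspace() for ch in value):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    print("url field valid:", validate_url_field(ABUSED_FIELD))   # False
    print("naive filter   :", naive_filter(ABUSED_FIELD))          # []
    print("hardened filter:", hardened_filter(ABUSED_FIELD))       # all four hits
    for ch, cp, folded in suspicious_chars(ABUSED_FIELD)[:6]:
        print(f"  {ch} {cp} -> {folded!r}")
```

Two design points: rejecting non-ASCII and whitespace in a URL field is the simplest robust rule, because any legitimate customer-service URL can be written that way (internationalised hostnames can be submitted in their punycode form); and keyword filtering must always run after NFKC folding, since the mathematical alphanumerics carry compatibility decompositions back to ASCII, while the Braille blank does not and has to be handled by an explicit allow/deny list.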
The Forwarding Trick
This phishing campaign used a clever technique that delivered the scam email to the victim while it was still genuinely sent from a verified PayPal.com domain.
The attacker first had PayPal’s system send the message to an address at a domain they controlled. That domain was configured to automatically forward all incoming email to the victim. I checked the domain’s MX (Mail Exchanger) record using dig:
dig mx aldiscover.feedback
The response shows:
aldiscover.feedback. 1799 IN MX 1 smtp.google.com.
This shows that Google handles email for the domain. Because it is a custom domain routed through Google’s mail servers, it is a Google Workspace account rather than a consumer Gmail address.
According to Google Workspace documentation, a Workspace administrator can create routing rules that redirect mail sent to their domain to other addresses, and the destination address is not asked to confirm anything first.
Redirected messages keep the original sender intact, so the copy that reaches the victim still shows PayPal as the sender and, as long as the forwarder does not alter the signed parts of the message, still carries PayPal’s valid DKIM signature and passes authentication. Because the To: line is left as the original recipient, the victim sees the attacker’s address in To: (Red Flag #1). The optional “Add X-Gm-Original-To header” setting additionally records the original recipient in a separate message header.
The documentation states:
"Messages you redirect or forward appear to come directly from the original sender. The To: address in redirected messages includes the original recipient address only.
Add X-Gm-Original-To header: Check this box to keep the original recipient information in the message header. You might want to do this if you manage any email based on message headers. Message header information can also be useful for troubleshooting email delivery."
The attacker likely uploaded their list of targets using the bulk import feature, which lets one address map (one forwarding address) fan out to as many as 5,000 recipients.
This is also likely why the forwarding address includes a number (for example, receipt10@aldiscover.feedback): the attacker could create a series of forwarding addresses, each mapped to its own batch of targets. Note that, as the documentation quoted below says, the 5,000-recipient limit applies to all address maps in the account combined, so scaling past it means more Workspace accounts, not just more maps.
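The following is an added example (mine, not from the post and not Google’s code) that turns Red Flag #1 and the forwarding behaviour described above into a check you can run over a raw message: it flags a To: line that names nobody in your mailbox, flags an X-Gm-Original-To header pointing at a foreign address, and lists the foreign recipient domains to feed into dig and whois. The message is constructed, since the post does not reproduce the full header block; the header values and victim@example.net are assumptions.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed message modelled on the one described in the post.  The real
# header block is not reproduced there, so these values are assumptions;
# victim@example.net stands in for the reader's own address.
SAMPLE = """\
X-Gm-Original-To: receipt10@aldiscover.feedback
From: "service@paypal.com" <service@paypal.com>
To: receipt10@aldiscover.feedback
Subject: Recurring Payment Reactivated
Content-Type: text/plain; charset=utf-8

Payment of $ 1499.49 has been successfully processed.
"""


def _addresses(msg, header: str) -> list:
    """All addresses in every instance of `header`, lower-cased."""
    raw = [str(h) for h in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def forwarding_red_flags(raw_message: str, my_addresses):
    """Return (flags, foreign_domains) for a raw RFC 5322 message.

    flags: human-readable reasons the message looks redirected to us;
    foreign_domains: recipient domains that are not ours, i.e. the ones
    to look up with `dig MX` and `whois` as the post does.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    mine = {a.lower() for a in my_addresses}
    recipients = _addresses(msg, "To") + _addresses(msg, "Cc")
    original = _addresses(msg, "X-Gm-Original-To")
    flags = []
    # Red Flag #1: the visible recipient is not any address we own.
    if recipients and not set(recipients) & mine:
        flags.append("To:/Cc: (%s) does not name this mailbox; the message "
                     "was redirected to us" % ", ".join(recipients))
    # Workspace routing can stamp the original recipient into this header.
    if original and not set(original) & mine:
        flags.append("X-Gm-Original-To=%s: a routing rule on that domain "
                     "redirected the message" % ", ".join(original))
    foreign = sorted({_domain(a) for a in recipients + original}
                     - {_domain(a) for a in mine})
    return flags, foreign


if __name__ == "__main__":
    flags, domains = forwarding_red_flags(SAMPLE, ["victim@example.net"])
    for flag in flags:
        print("-", flag)
    print("domains to investigate:", domains)   # ['aldiscover.feedback']
```

A mismatch between the To: line and your own mailbox is not proof of fraud on its own (mailing lists and legitimate forwarders produce it too), which is why the function returns the foreign domains rather than a verdict: the age and emptiness of those domains, checked as in the next section, is what turns the mismatch into a finding.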
As the documentation explains:
"You can more easily map a large number of addresses by entering them as comma-delimited entries, such as from a spreadsheet. The maximum number of recipient addresses for all address maps is 5,000. For example, you can add 1 address map with 5,000 recipient addresses, 50 address maps with 100 recipients each, or 1,000 address maps with 5 recipients each."
The attacker may have created many such forwarding addresses, such as:
receipt1@aldiscover.feedback
receipt2@aldiscover.feedback
receipt3@aldiscover.feedback
etc…
Domain Analysis:
With modern web infrastructure, obtaining meaningful information from domain analysis can be challenging. Many registrars provide free privacy protection by default, which makes it difficult to identify the domain’s registrant.
Despite this limitation, it is still valuable to review basic domain registration information. WHOIS records provide publicly available details about a domain. These can include:
The registrar
Registration and expiration dates
Name servers
Sometimes the owner’s contact information
WHOIS records can be checked using the command:
whois aldiscover.feedback
The results show:
Registrar: NameCheap. A common registrar, used by both legitimate and malicious actors.
Registration Date: 2025-11-24. Extremely new; new domains are often used in phishing or scam campaigns.
Expiry Date: 2026-11-24. Only a 1-year registration, typical of temporary/malicious domains.
Owner Information: Redacted. Privacy protection is enabled, hiding registrant details.
DNS: Default NameCheap servers.
Checking for a website:
To see if the domain is used solely for email, I checked its DNS A record, which would indicate a web server if one existed. Using the command:
dig A aldiscover.feedback
The results show:
; <<>> DiG 9.20.15-2-Debian <<>> A aldiscover.feedback
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10430
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
aldiscover.feedback. 3600 IN SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1764166261 43200 3600 604800 3601
The output shows no A record (ANSWER: 0 with status NOERROR), meaning the domain itself does not resolve to any IP address and therefore does not point to a web server.
The only record returned is the SOA (Start of Authority) record in the authority section, which identifies the primary nameserver for the zone and is what a resolver hands back when a name exists but has no record of the requested type. This is consistent with a domain set up purely for email, as in a phishing-only setup (strictly, a www subdomain or an AAAA record could still exist, but there is nothing at the domain apex).
Recommendations
This attack abused two weaknesses: (1) Google Workspace lets an administrator redirect mail sent to their domain to arbitrary external addresses without the destination’s consent, and (2) PayPal’s merchant forms accept misleading free text in URL and contact fields.
The remediation for this issue falls into the hands of both users and the companies that host this infrastructure.
Recommendations for Users:
To protect themselves from phishing scams, users should follow these precautions:
Be cautious of urgent or alarming messages: Avoid clicking links or calling numbers in emails that try to provoke panic.
Verify the sender and email address: Check headers or sender details to confirm the email is legitimate. Do not trust headers alone; as this case demonstrates, even a message that authenticates for a legitimate domain can carry a scam.
Use official channels: Contact companies directly through verified websites or apps rather than responding to email instructions. If you type the company’s address in your browser, be careful to type it accurately. If you use a search engine like Google to find their website, avoid clicking on “sponsored” results, as these can often lead to scams.
Report phishing attempts: Use the “Report Phishing” feature in your email provider to help block future scams. (See instructions: Gmail, Outlook)
Stay informed: Learn about common phishing tactics, including Unicode obfuscation, unusual forwarding, and look‑alike domains.
Users should be wary of all communications in their email inbox, especially those designed to elicit a panicked response. If you do receive an email that concerns you, do not click any links.
Recommendations for PayPal:
To help prevent scams like this phishing campaign, PayPal should:
Block non-standard characters in form inputs: Prevent look‑alike Unicode letters, digits, or invisible characters that can bypass filters.
Tighten word restrictions: Restrict which words can appear in merchant forms to prevent scammers from inserting misleading text like “PayPal” or “Support.”
Enforce strict field validation: Ensure every form field only accepts the type of data it is intended for, so URLs only accept valid URLs, email fields only accept properly formatted emails, numeric fields only accept numbers, and so on.
Limit lengths and formats for all fields: Apply reasonable maximum lengths and allowable characters to names, usernames, and other text fields to prevent abuse.
Monitor for suspicious entries: Flag forms with unusual formatting, non-standard characters, or suspicious combinations of data for review before activation.
Recommendation for Google:
To reduce the risk of email forwarding abuse in phishing attacks, Google should:
Verify ownership of forwarding addresses: Require confirmation that the recipient controls the destination address before allowing email forwarding.
Limit bulk forwarding capabilities: Impose stricter limits on the number of addresses a single forwarding rule can target.
Detect non-standard Unicode characters: Flag or quarantine forwarded messages whose text uses look‑alike letters, digits, or symbols (such as the mathematical alphanumeric characters seen here) to evade filters.
Identify invisible or special-space characters: Treat Braille blanks and other invisible characters in forwarded mail as a spam signal rather than passing them through untouched.
Enhance monitoring and alerts: Trigger alerts for unusual forwarding patterns, such as multiple recipients across many different domains or emails coming from newly registered or suspicious domains, which are often indicators of phishing campaigns.
Phishing attacks hit a new record in 2025, with nearly 2 million unique phishing sites detected in a single year (the highest ever recorded) and overall cybercrime surging 60% year over year. The threat is still growing fast.
Stay safe out there!







Great analysis of a phishing email! I wouldn’t think of checking the MX records.
My first move is to open my PayPal acct and look.