Callback phishing attack abusing Adobe Creative Cloud, Microsoft 365, and YOPmail

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: Callback Phishing

Detection teams don’t often get to see both sides of a scam, but recently we got the chance. The attack itself is a callback phishing attack that uses a distribution list relay with service abuse to distribute fraudulent invoices that include a “helpline number”. The goal of this attack is to get the target to call that number or respond to the email for help resolving the charge. If they do, the scam starts in earnest.

We’ve covered both of these techniques in previous Attack Spotlights, but what’s unique to this attack is that the attacker used a YOPmail reply-to address. YOPmail is offered as a “disposable” freemail provider. A YOPmail address is different from other freemail providers in that anyone can go look at the contents of an inbox – no password necessary.

Anatomy of an attack

Here’s the email that a target would receive:

This message is actually a signing request from an Adobe account, but this is an instance of service abuse. The attacker set up an Adobe account, created a signing request, and then populated the description field of the request with everything under the horizontal line break.

The request was then sent to the intermediary address livesuportrms4@zenechopropolk.onmicrosoft.com. That email address had a distribution list relay configured to then blast the message out to a list of targets. Again, this is not new. What’s new is that the reply-to email is trullafeumuni-5759@yopmail.com, a free YOPmail address.

You’ve got YOPmail

To access an inbox in YOPmail, all you need is the address.

Once inside the inbox, we were able to see the responses that hadn't been cleared out yet.

From here, we can quickly see a few things. For one, the Adobe account that was abused was a free trial of Creative Cloud. Another is that this attacker had a few campaigns running at once.

Clicking one of the Review and Sign buttons takes us to an "expired link" page.

Clicking that link sends a new link to l******8@Z******m.

That email address, while obfuscated, has a pattern very similar to livesuportrms4@zenechopropolk.onmicrosoft.com, which would obfuscate as l******4@Z******m. This indicates that the attacker likely has multiple distribution list relays configured. This attack gives great visibility into how easy it is for attackers to abuse multiple free services to increase attack campaign velocity.
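The comparison above can be made mechanical. The following is an added example, not code from the post: it reproduces the masking pattern shown on the page (first and last character of the local part and of the domain kept, six asterisks in between, domain initial upper-cased; a rule inferred from the page's single example and therefore an assumption) and checks whether a masked address is consistent with a known one or merely shares its masked domain.

```python
STAR_RUN = 6  # the page's masked values show six asterisks regardless of length


def mask_address(address, stars=STAR_RUN):
    """Mask an address the way the page's masked values read: keep the first and
    last character of the local part and of the domain, replace the middle of
    each with a fixed run of asterisks, and show the domain's first character in
    upper case. The exact rule is inferred from the page's example (assumption)."""
    local, domain = address.split("@", 1)
    if len(local) < 2 or len(domain) < 2:
        raise ValueError("address parts too short to mask")
    return f"{local[0]}{'*' * stars}{local[-1]}@{domain[0].upper()}{'*' * stars}{domain[-1]}"


def consistent_with_mask(candidate, masked):
    """True if a known address could be the one behind a masked value."""
    return mask_address(candidate) == masked


def same_domain_mask(masked_a, masked_b):
    """True if two masked values share the same masked domain, i.e. they
    plausibly sit in the same tenant even when the local parts differ."""
    return masked_a.split("@", 1)[1] == masked_b.split("@", 1)[1]


if __name__ == "__main__":
    known = "livesuportrms4@zenechopropolk.onmicrosoft.com"  # intermediary address from the post
    observed = "l******8@Z******m"                            # masked address from the expired-link page
    print(mask_address(known))
    print(consistent_with_mask(known, observed), same_domain_mask(mask_address(known), observed))
```

The first check rules out the known relay as the exact address behind the mask (the local part ends in 8, not 4); the second shows both masks resolve to the same domain shape, which is the basis for the inference that more than one relay exists in the same tenant.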

Detection signals

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this campaign were:

  • Popular service + new distribution list: The message came through a distribution list from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver phishing.
  • Suspicious document notification: The subject resembles that of an automated document review notification, a common tactic used in phishing attacks.
  • Suspicious cryptocurrency language: The message contains a reference to cryptocurrency, which is often used in attacks.
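A minimal version of those signals as runnable code, added here as an illustration and not Sublime's detection engine or its MQL rules: it parses a constructed sample message (every address, list ID and phone number is invented) and scores the headers and body for the traits described in this post, namely a notification-service sender arriving via a not-previously-seen distribution list, a disposable freemail Reply-To, a document-review subject, a callback number and cryptocurrency wording. The reference sets, regexes and threshold are assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message: an e-signature notification relayed
# through a Microsoft 365 distribution list, with a disposable-mail Reply-To and
# a "helpline" callback lure. All addresses, IDs and numbers are invented.
SAMPLE_EMAIL = """\
From: E-Sign Service <noreply@esign-service.example>
To: finance@victim.example
Reply-To: random-5759@yopmail.com
Subject: Signature requested on "Invoice 48213 - Crypto Wallet Subscription"
Precedence: list
List-Id: Relay <relay.tenant-demo.onmicrosoft.com>
Content-Type: text/plain; charset=utf-8

Your annual subscription of $489.00 has been charged to your Bitcoin wallet.
To cancel or dispute this charge, call our helpline number +1 (800) 555-0199
within 24 hours, or reply to this email.
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """\
From: Alice <alice@victim.example>
To: finance@victim.example
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Are you free Thursday at noon?
"""

# Assumed reference data; a real deployment would build these from telemetry.
POPULAR_SERVICE_DOMAINS = {"esign-service.example"}  # legitimate notification senders
DISPOSABLE_DOMAINS = {"yopmail.com"}                  # disposable freemail providers
KNOWN_LIST_IDS = set()                                # distribution lists seen before

DOC_SUBJECT_RE = re.compile(
    r"(signature requested|review and sign|sign(ing)? request|document .*(review|sign))", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")
CALLBACK_RE = re.compile(r"\b(call|helpline|phone|contact)\b", re.I)
CRYPTO_RE = re.compile(r"\b(bitcoin|btc|crypto(currency)?|ethereum|wallet)\b", re.I)


def _domain(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _body_text(msg):
    """Plain-text body (first text/plain part of a multipart message)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw_message):
    """Return per-signal results, a score and a verdict for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    list_id = (msg.get("List-Id") or "").strip()
    via_list = bool(list_id) or msg.get("Precedence", "").lower() in {"list", "bulk"}
    subject = msg.get("Subject", "")
    body = _body_text(msg)

    signals = {
        # popular service + previously unseen distribution list
        "popular_service_via_new_list": (from_dom in POPULAR_SERVICE_DOMAINS
                                         and via_list and list_id not in KNOWN_LIST_IDS),
        # replies are steered to a disposable inbox anyone can read
        "disposable_reply_to": reply_dom in DISPOSABLE_DOMAINS,
        # Reply-To points somewhere other than the sending service
        "reply_to_domain_mismatch": bool(reply_dom) and reply_dom != from_dom,
        # subject imitates an automated document-review notification
        "document_notification_subject": bool(DOC_SUBJECT_RE.search(subject)),
        # a phone number next to an instruction to call: the callback lure
        "callback_number_in_body": bool(PHONE_RE.search(body) and CALLBACK_RE.search(body)),
        # cryptocurrency wording in subject or body
        "cryptocurrency_language": bool(CRYPTO_RE.search(subject) or CRYPTO_RE.search(body)),
    }
    score = sum(signals.values())
    verdict = "callback_phishing" if score >= 3 else "clean"  # threshold is an assumption
    return {"signals": signals, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        result = analyze(sample)
        print(name, result["verdict"], result["score"])
        for signal, hit in result["signals"].items():
            print(f"  {signal}: {hit}")
```

The scoring is deliberately additive rather than any-one-signal: a genuine signing request from a known service will trip the subject check on its own, and a newsletter will trip the distribution-list check, so the combination of a relayed service notification, a disposable Reply-To and a callback number is what separates this campaign from ordinary traffic.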

See the full Message Query Language (MQL) that detected these attacks in these publicly available Detection Rules in our Core Feed: Inbound Message from Popular Service Via Newly Observed Distribution List.

Prevent callback phishing with Sublime

Sublime detects and prevents callback phishing and other email-based threats. Start your free account today, in the cloud or self-hosted, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.


About the Author

Josh "Soup" Campbell, Detection

Soup is an Email Security Analyst at Sublime. With his background in InfoSec and proud membership of the SecKC community, security is both his profession and his passion. Soup was drawn to security by his need to protect people from threats and scams.
