Summary
Phishing emails from verified Intuit servers occur due to a combination of factors: direct account compromises, system vulnerabilities within Intuit or its third-party services, subdomain takeovers, and abuse of forms/signups. Phishers exploit loopholes, bypass authentication protocols (even with SPF, DKIM, DMARC), and use social engineering tactics. Improper DMARC configurations can also enable phishing. The result is reputational damage, eroded trust, and difficulties in detection despite advanced security measures. Vigilance, reporting, and proactive security enhancements are crucial to mitigation.
Key findings
- Account Compromises: Phishers directly compromise Intuit accounts or accounts at ISPs and third-party services used by Intuit.
- System Vulnerabilities: Exploitation of system vulnerabilities within Intuit and its third-party vendors facilitates phishing.
- Subdomain Takeovers: Phishers gain control of subdomains to send legitimate-looking emails.
- Authentication Bypass: Sophisticated tactics and compromised accounts bypass authentication protocols like SPF, DKIM, and DMARC.
- Social Engineering: Phishers use social engineering to trick users into clicking malicious links.
- Improper DMARC Configuration: Incorrectly configured DMARC policies (e.g., 'none' or 'quarantine') fail to prevent phishing.
- Abuse of forms and signups: Abuse of forms and signups to send spam, leveraging another company's authentication.
Key considerations
- User Vigilance: Users must remain vigilant, verify links independently, and report suspicious emails.
- Proactive Security: Implement robust security measures and regularly update them to counter evolving phishing tactics.
- DMARC Enforcement: Enforce strict DMARC policies to protect against domain spoofing.
- Account Security: Enhance account security measures, including multi-factor authentication.
- Vendor Security Audits: Thoroughly audit the security practices of all third-party vendors.
- Monitor forms and signups: Monitor forms and signups for suspicious activity to prevent abuse.
- ISP Collaboration: ISPs and companies should collaborate to identify and mitigate compromised accounts sending spam.
What email marketers say
10 marketer opinions
Phishing emails from verified and authenticated Intuit servers occur due to various exploitation methods. These include compromising Intuit accounts directly, exploiting vulnerabilities in Intuit's systems or third-party services they use, and taking over Intuit subdomains. Sophisticated techniques allow phishers to bypass standard security measures, making these emails appear legitimate. This can lead to reputational damage for Intuit and erode trust in email communications. Users should remain vigilant, independently verify website addresses, and report suspicious emails.
Key opinions
- Account Compromise: Phishers compromise Intuit accounts directly to send phishing emails.
- System Vulnerabilities: Exploitation of vulnerabilities within Intuit's systems allows phishers to send malicious emails.
- Third-Party Exploitation: Compromised third-party email marketing services used by Intuit enable phishers to send emails that appear to originate from Intuit.
- Subdomain Takeover: Phishers gain control of Intuit subdomains to send legitimate-looking emails.
- Bypassing Security: Sophisticated phishing techniques can bypass standard security measures and email filters.
Key considerations
- User Vigilance: Users should independently verify website addresses and be wary of suspicious requests.
- Reporting Suspicious Emails: Report suspicious emails to Intuit and relevant authorities like the FTC.
- Reputational Impact: Exploitation can lead to reputational damage for Intuit and increased distrust in email communications.
- Vendor Security Audits: Companies should thoroughly audit the security practices of third-party vendors.
- Email Authentication Improvement: Intuit and similar companies should continuously improve and enforce strict email authentication protocols.
Marketer view
Email marketer from Reddit explains that phishers often exploit vulnerabilities within legitimate platforms like Intuit. They might compromise accounts or use loopholes in the platform's email sending features to distribute phishing emails, bypassing standard security measures since the emails appear to originate from a trusted source.
25 Jul 2024 - Reddit
Marketer view
Email marketer from Cybersecurity Forum mentions the possibility of subdomain takeovers. If a phisher gains control of a subdomain associated with Intuit (e.g., something.intuit.com), they can send emails that appear legitimate because they are coming from an Intuit domain.
2 Sep 2021 - Cybersecurity Forum
What the experts say
2 expert opinions
Phishing emails from verified and authenticated Intuit servers can occur due to spammers abusing forms/signups, stealing authentication, or through compromised accounts at ISPs and email providers. These compromised accounts are legitimate, allowing them to bypass standard authentication measures.
Key opinions
- Form/Signup Abuse: Spammers abuse forms and signups to send spam, leveraging another company's authentication.
- Compromised Accounts at ISPs: Compromised accounts at ISPs and email providers are used to send spam.
- Authentication Bypass: Compromised legitimate accounts bypass authentication because they are valid accounts sending from legitimate servers.
Key considerations
- Account Security: Implement robust account security measures to prevent compromise.
- Form/Signup Monitoring: Monitor forms and signups for suspicious activity to prevent abuse.
- ISP Collaboration: ISPs and companies should collaborate to identify and mitigate compromised accounts sending spam.
Expert view
Expert from Email Geeks explains spammers are abusing forms/signups to send spam, stealing another company’s authentication.
11 Feb 2022 - Email Geeks
Expert view
Expert from Word to the Wise explains that sometimes the issue isn't the company itself, but compromised accounts at ISPs or email providers that are being used to send spam. These compromised accounts can bypass authentication because they are, in fact, legitimate accounts sending from legitimate servers.
17 Feb 2022 - Word to the Wise
What the documentation says
5 technical articles
Phishing emails originating from verified and authenticated Intuit servers are a result of evolving phishing tactics, spoofing techniques, and exploitation of legitimate services. Phishers bypass security measures, leverage compromised accounts, abuse email relay services, and exploit web application vulnerabilities. DMARC implementation issues can also contribute. Social engineering plays a significant role in tricking users, making vigilance and reporting crucial.
Key findings
- Evolving Tactics: Phishers are constantly evolving their tactics to bypass security measures.
- Spoofing: Phishers spoof the 'From' address, making emails appear legitimate.
- Exploitation of Legitimate Services: Phishing attacks exploit legitimate services through compromised accounts, email relays, and web app vulnerabilities.
- DMARC Issues: Improper DMARC configuration (e.g., policies set to 'none' or 'quarantine') can allow phishing emails to pass through.
- Social Engineering: Phishers use social engineering to trick users into clicking malicious links or providing sensitive information.
Key considerations
- User Vigilance: Users should be vigilant and report suspicious emails.
- Security Measures: Implement and continuously update security measures to combat evolving phishing tactics.
- DMARC Configuration: Ensure proper DMARC configuration to effectively protect against domain spoofing.
- Account Security: Implement robust account security measures to prevent compromise.
- Web App Security: Regularly assess and address vulnerabilities in web applications.
Technical article
Documentation from APWG (Anti-Phishing Working Group) explains that sophisticated phishing attacks often involve exploiting legitimate services to send malicious emails. This could include compromising accounts, abusing email relay services, or finding vulnerabilities in web applications to inject phishing content.
2 Aug 2021 - APWG
Technical article
Documentation from Intuit explains that although Intuit implements security measures, phishers are constantly evolving their tactics. They advise users to be vigilant and report any suspicious emails claiming to be from Intuit to their security team so they can investigate and take appropriate action.
28 Jan 2022 - Intuit
Can a competitor damage my domain reputation by sending spam with links to my site?
How can email senders and users prevent and identify phishing emails?
How can I protect my domain from being spoofed and blacklisted?
What steps can I take to stop someone from spoofing my email address?
How can a phishing email pass SPF and DKIM authentication checks?
Should I be concerned about spoofing when using a different from domain than the subdomain configured in the ESP?
