Why are phishing emails being sent from verified and authenticated intuit.com servers?
Matthew Whittaker
Co-founder & CTO, Suped
Published 17 Apr 2025
Updated 16 Aug 2025
6 min read
It can be unsettling to receive a phishing email that appears to originate from a legitimate and authenticated source, especially from a widely trusted platform like Intuit.com. I've encountered many instances where users are confused because all the typical email authentication checks, like SPF, DKIM, and DMARC, seem to pass, yet the email is clearly malicious.
This scenario highlights a sophisticated type of attack where bad actors exploit vulnerabilities or features within trusted services to send phishing emails from their infrastructure. It's not necessarily that Intuit's systems are compromised, but rather that their platforms are being abused to facilitate these scams.
The paradox of authenticated phishing
The core of this problem lies in how cybercriminals manipulate legitimate services. Intuit, through its various products like QuickBooks and TurboTax, allows users to send financial documents and notifications. Attackers exploit these functionalities. They create accounts, sometimes legitimately, or compromise existing ones to send fraudulent invoices, payment reminders, or security alerts directly from Intuit's platform. Because these emails originate from the actual Intuit servers, they naturally pass all standard email authentication checks, making them appear highly credible to recipients and their email providers.
This creates a significant challenge for email service providers (ESPs). How do you differentiate between a legitimate invoice sent by a business using QuickBooks and a phishing email sent by a scammer abusing the same platform? Blocking all emails from intuit.com is not feasible due to the vast amount of legitimate business communications flowing through their servers daily. This scenario contributes to why even seemingly secure emails sometimes trigger Gmail phishing warnings.
Understanding the core issue
The crucial distinction here is between technical authentication (SPF, DKIM, DMARC) and the sender's intent. SPF and DKIM verify that a message came from infrastructure authorized by, or signed on behalf of, the sending domain; they say nothing about whether its content is malicious. If a phisher sends an email through a legitimate Intuit account, the email will technically pass these checks, creating a false sense of security.
Account compromise: Attackers gain unauthorized access to a legitimate Intuit user's account.
Feature abuse: Malicious actors use built-in email sending functionalities within Intuit products for their phishing campaigns. This is often the case when phishing emails pass SPF and DKIM.
How attackers exploit legitimate platforms
Cybercriminals employ several sophisticated tactics to exploit platforms like Intuit. One common method involves compromising user accounts, often through credential stuffing or phishing attacks that trick users into revealing their login information. Once they have access to a legitimate account, they can use its email-sending features to distribute their malicious emails. These emails then appear to come directly from intuit.com, complete with the correct authentication headers.
Another tactic is abusing specific functionalities within the software, such as invoice generation or notification services. For example, a scammer might sign up for a free trial or low-cost plan, then use the platform's native invoicing system to send fake invoices with malicious links or requests for payment. These emails are technically generated by Intuit's servers and adhere to its sending policies, making them difficult for automated spam filters to flag. This is a common reason phishing emails land in the primary inbox instead of spam.
Legitimate use
Users send invoices, payment reminders, and statements directly through Intuit's email infrastructure. These emails are intended and expected, making them pass all email authentication checks.
Expected content: Financial notifications, account updates, etc.
Authentic sender: Emails originate from Intuit's servers, pass DMARC.
The role of email authentication and its limitations
Email authentication protocols like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are designed to verify the sender's domain and prevent email spoofing. However, their primary function is to confirm the email truly originated from the stated domain, not to evaluate the content's legitimacy or the sender's intent. This is a critical distinction when you receive phishing warnings even with no links.
If a malicious actor gains control of a legitimate account at a provider such as Mailchimp or Intuit, or exploits a sending feature, the resulting email will pass SPF, DKIM, and DMARC because it genuinely comes from intuit.com's authorized servers. The authentication protocols confirm the source, but they cannot discern the intent of the message itself. This scenario explains why Outlook might flag authenticated emails as unverified if other reputation factors are poor.
While authentication is crucial for email security, it's not a silver bullet against all forms of phishing. It largely prevents email spoofing (where an email pretends to come from a domain it didn't), but it doesn't prevent abuse of legitimate sending infrastructure. This is why understanding DMARC, SPF, and DKIM is essential. Organizations like Intuit implement these protocols to protect their brand and recipients from widespread spoofing, but the challenge of abuse remains.
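The distinction drawn above (authentication tells you where a message came from, not what it wants) is easy to see in code. The following is an added example, not code from the original post or from Intuit; it feeds two constructed messages, both carrying passing spf/dkim/dmarc results for intuit.com, through a small content check that flags off-domain links combined with payment-pressure language. The sample headers, addresses, the attacker domain and the URGENCY_TERMS list are all made up for the example, and registrable_domain is a crude two-label approximation rather than real public-suffix logic.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed sample: every authentication result passes for intuit.com, but the
# payment link in the body points somewhere else. Headers, addresses and the
# attacker domain are made up for this example.
PASSING_BUT_SUSPICIOUS = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=intuit.com; dkim=pass header.d=intuit.com; dmarc=pass header.from=intuit.com
From: "QuickBooks Billing" <quickbooks@notification.intuit.com>
To: victim@example.net
Subject: Invoice #4471 is overdue - immediate action required
Content-Type: text/plain; charset=utf-8

Your payment is overdue. Pay now to avoid service suspension:
https://invoice-pay.example-attacker.test/pay?id=4471

Questions? See https://quickbooks.intuit.com/help
"""

# Constructed sample of an ordinary notification: same authentication results,
# links stay on the sender's domain, no pressure language.
PASSING_AND_ORDINARY = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=intuit.com; dkim=pass header.d=intuit.com; dmarc=pass header.from=intuit.com
From: "QuickBooks" <quickbooks@notification.intuit.com>
To: customer@example.net
Subject: Your March statement is ready
Content-Type: text/plain; charset=utf-8

Your monthly statement is available at https://quickbooks.intuit.com/statements
"""

# Toy list of payment-pressure phrases; a production filter would use a
# trained classifier or a far larger lexicon.
URGENCY_TERMS = ("immediate action", "overdue", "suspension", "pay now")


def parse_auth_results(msg: Message) -> dict:
    """Map spf/dkim/dmarc to their result token from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; a crude stand-in for public-suffix logic."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def from_domain(msg: Message) -> str:
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def body_text(msg: Message) -> str:
    """Concatenate all text/plain parts (walk() yields the message itself when single-part)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw: str) -> dict:
    """Authentication says where the mail came from; the content checks say what it wants."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    sender = registrable_domain(from_domain(msg))
    body = body_text(msg)
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    off_domain = [u for u in urls
                  if registrable_domain(urlparse(u).hostname or "") != sender]
    text = (msg.get("Subject", "") + " " + body).lower()
    urgency = [t for t in URGENCY_TERMS if t in text]
    if not authenticated:
        verdict = "authentication_failed"
    elif off_domain and urgency:
        verdict = "review"  # authenticated, yet the content deserves a second look
    else:
        verdict = "ok"
    return {"authenticated": authenticated, "sender_domain": sender,
            "off_domain_links": off_domain, "urgency_terms": urgency, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("suspicious", PASSING_BUT_SUSPICIOUS), ("ordinary", PASSING_AND_ORDINARY)):
        print(name, assess(raw))
```

Both messages come back `authenticated=True`; only the first is marked for review, because its payment link leaves intuit.com while the subject and body press for immediate action. A real filter would weigh many more signals, but the shape is the point: authentication results gate the check, they never replace it.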
Protecting yourself and your organization
Since authentication alone cannot always catch these sophisticated phishing attempts, recipients must be vigilant. Always scrutinize the email's content, regardless of its apparent sender or authentication status. Look for inconsistencies in grammar, unusual requests, or pressure to act quickly. If an email from Intuit seems suspicious, do not click any links. Instead, navigate directly to the official Intuit website or your QuickBooks/TurboTax account to verify any claims. This is a key step in identifying phishing emails.
For organizations, protecting against such abuse involves robust security measures for their own platforms and proactive monitoring. Implementing multi-factor authentication (MFA) for all user accounts, regularly auditing for suspicious activity, and promptly addressing any reported abuse are crucial steps. While a provider like Intuit works to mitigate abuse, sometimes their IP addresses may end up on a public blocklist (or blacklist) due to the volume of spam originating from their servers. This is where external blocklist monitoring services (sometimes called blacklist monitoring) become valuable for the wider email ecosystem.
User actions
Verify sources: Independently verify any suspicious email's claims by contacting the company through official channels or logging into your account directly.
Report phishing: Forward suspicious emails to the service provider's security team, like security@intuit.com.
Educate yourself: Learn to recognize common phishing tactics, even in seemingly legitimate emails.
Organizational actions
Implement MFA: Encourage users to enable multi-factor authentication on all services, especially financial ones.
Enhance fraud detection: Implement advanced fraud detection and prevention systems to identify and shut down abusive accounts.
Views from the trenches
Best practices
Always verify the legitimacy of emails directly through the official website or customer support, especially for financial transactions.
Utilize multi-factor authentication (MFA) on all sensitive accounts to prevent unauthorized access, even if passwords are stolen.
Educate employees and users about social engineering tactics used in phishing, emphasizing that technical authentication isn't the only indicator of legitimacy.
Implement DMARC with a strict policy to prevent unauthorized spoofing of your domain, and monitor DMARC reports for signs of abuse.
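Monitoring DMARC reports, as the last point recommends, means reading the aggregate (RUA) XML that receivers send back and picking out sources that fail for your domain. The block below is an added example, not code from the original post or from any DMARC vendor: it parses a constructed aggregate report for a hypothetical domain example.test (reporter name, IPs from documentation ranges and message counts are all made up) and compares failing sources against a hypothetical KNOWN_SENDERS inventory, so a source that is neither known nor passing stands out.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (RUA) report for the hypothetical domain
# example.test. Reporter, IPs (documentation ranges) and counts are made up.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>reporter.example.net</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.test</domain>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.55</source_ip>
      <count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
</feedback>
"""

# Hypothetical inventory of the sources the domain owner knows send on its behalf.
KNOWN_SENDERS = {"203.0.113.10", "192.0.2.55"}


def summarize(xml_text: str, known_senders=KNOWN_SENDERS) -> dict:
    """Aggregate pass/fail volume per source IP and single out unknown failing sources."""
    root = ET.fromstring(xml_text)
    per_source = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        # DMARC passes when either aligned identifier (DKIM or SPF) passes.
        outcome = "pass" if "pass" in (dkim, spf) else "fail"
        per_source[ip][outcome] += count
    unknown_failing = sorted(ip for ip, c in per_source.items()
                             if c["fail"] > 0 and ip not in known_senders)
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total_messages": sum(c["pass"] + c["fail"] for c in per_source.values()),
        "failed_messages": sum(c["fail"] for c in per_source.values()),
        "per_source": dict(per_source),
        "unknown_failing_sources": unknown_failing,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(summary["domain"], "policy", summary["policy"])
    print("failed", summary["failed_messages"], "of", summary["total_messages"])
    print("unknown failing sources:", summary["unknown_failing_sources"])
```

In the constructed report, 192.0.2.55 fails SPF but passes DKIM and so still passes DMARC, the pattern you see with forwarding; 198.51.100.7 fails both and is not in the inventory, which is the row worth investigating. Note the limitation the article is about: a phishing message sent through a provider's own authorized servers shows up in that provider's reports as a pass, so this kind of report review protects your domain against spoofing but will not surface abuse of a third party's platform.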
Common pitfalls
Assuming an email is legitimate solely because it passed SPF, DKIM, and DMARC authentication checks.
Clicking links or downloading attachments from suspicious emails, even if they appear to come from a trusted source.
Ignoring security warnings or tips provided by service providers about ongoing phishing campaigns.
Failing to report phishing attempts to the relevant service provider or cybersecurity authorities.
Expert tips
Monitor IP reputation and blocklists (or blacklists) to understand if your sending infrastructure is being implicated in spam or phishing activities.
Develop internal protocols for handling suspicious emails, including a clear process for verification and reporting.
Consider deploying advanced email security solutions that analyze content for phishing indicators beyond standard authentication.
Engage with the email community to share intelligence on emerging threats and abuse vectors.
Expert view
Expert from Email Geeks says this is unfortunately common. Emails are sent via Intuit servers, but their small business products are being abused by bad actors to send phishing.
2022-03-11 - Email Geeks
Expert view
Expert from Email Geeks says his users also suffer from this, and short of blocking Intuit (which isn't feasible), countering this is hard. Users need to complain more to Intuit to crack down on the abuse vector.
2022-03-11 - Email Geeks
Beyond authentication: a multi-layered defense
The phenomenon of phishing emails originating from verified and authenticated intuit.com servers is a stark reminder that email security is a multi-layered challenge. While authentication protocols are fundamental, they primarily confirm domain legitimacy, not the sender's true intentions.
The sophisticated nature of these attacks, leveraging trusted platforms to bypass traditional spam filters, demands heightened vigilance from individual users and proactive measures from service providers. By understanding the methods employed by attackers and adopting robust defensive strategies, we can collectively reduce the impact of these deceptive phishing campaigns.
Staying informed and skeptical remains our best defense against evolving cyber threats.