Why are phishing emails being sent from verified and authenticated intuit.com servers?

Key findings

• Legitimate domains: Phishing emails can indeed be sent from seemingly authenticated and verified domains, making them difficult to distinguish from genuine communications.
• Abuse of services: Bad actors exploit legitimate functionalities within large platforms, such as small business product services, to send phishing emails.
• Authentication bypass: The emails pass standard authentication checks like SPF and DKIM because they originate from the legitimate infrastructure, making them appear credible.
• Feasibility of blocking: Completely blocking large domains like Intuit.com is not a viable solution for email service providers due to the high volume of legitimate traffic they carry.

Key considerations

• Reporting: Always report suspicious emails directly to the legitimate company's security team (e.g., Intuit's security department) for investigation.
• Proactive measures: Companies like Intuit need to enhance their abuse monitoring and prevention mechanisms to curb the exploitation of their services.
• User education: Users should be educated on how to identify phishing attempts beyond just checking email authentication, focusing on content, links, and unexpected requests. The FTC provides helpful guidance on recognizing and avoiding phishing scams.
• DMARC enforcement: Robust DMARC policies with enforcement (quarantine or reject) can help reduce the impact of spoofed emails, but not necessarily those sent via abused legitimate services.

Key opinions

• Confusion factor: Marketers find it particularly confusing when phishing emails are fully verified and authenticated, making it difficult to differentiate them from genuine messages.
• Impact on trust: The exploitation of trusted brand domains for phishing can severely damage customer confidence and the overall sender reputation of legitimate businesses.
• Bypassing filters: These sophisticated scams often bypass traditional spam and phishing filters because they leverage a trusted sender's infrastructure.
• Urgency for action: There's a strong desire for affected companies like Intuit to crack down on these abuse vectors more aggressively to protect both their brand and their users.

Key considerations

• User education: Marketers need to actively educate their audience on identifying phishing emails, even when they appear authentic, focusing on the content and call-to-action.
• Collaboration: Working closely with security teams to analyze and report phishing attempts is crucial for mitigating risks and providing forensic data (like EML files).
• Monitoring: Regularly monitor for mentions of brand abuse and phishing campaigns that exploit your domain or services. Small Business Trends provides context on phishing emails claiming to be from Intuit.
• Internal vigilance: Ensure internal systems and third-party integrations used for sending emails have robust security to prevent their misuse.

Key opinions

• Common occurrence: Sending phishing through legitimate servers is a common tactic, specifically exploiting products offered by large companies for small businesses.
• Countering difficulty: It is challenging to combat this issue without resorting to blocking entire legitimate domains, which is impractical due to high volumes of valid traffic.
• Abuse vectors: Spammers frequently abuse forms, sign-ups, and other mechanisms to send spam, effectively stealing another company's authentication.
• Internal compromise: Direct hacking or internal abuse (e.g., malware on a user's device leading to credential compromise) can also result in phishing emails sent from within legitimate systems.

Key considerations

• Vendor accountability: There is a need for users and affected organizations to pressure companies like Intuit to more effectively address and crack down on these abuse vectors.
• Authentication limitations: While SPF and DKIM verify the sending server, they do not guarantee the legitimacy of the email content itself, necessitating additional layers of security and user vigilance.
• Domain reputation: Even with legitimate authentication, continuous abuse can negatively impact the sender's domain reputation, potentially leading to deliverability issues for valid emails (a form of spoofing attempt). Learn more from Spam Resource.
• Damage control: While fixable, these incidents cause significant operational hassle for everyone involved, underscoring the need for robust prevention strategies.

Key findings

• Mimicry: Scammers actively send fraudulent emails designed to precisely mimic official communications from legitimate entities like Intuit.
• Reporting mechanisms: Authoritative sources, such as Intuit's own security page, instruct users to forward suspicious emails to a designated security email address for investigation.
• Spoofed addresses: Fraudsters may use email addresses that appear similar to official ones but contain subtle variations or misspellings to deceive recipients.
• Authentication limits: Email authentication, while vital, does not prevent all forms of phishing, especially when legitimate services or compromised accounts are exploited.

Key considerations

• Independent verification: Users should always verify the sender's identity independently (e.g., by visiting the official website directly) rather than relying solely on email headers.
• Vigilance: Be cautious of unexpected emails, especially those with urgent requests for personal information or suspicious links. Learn more about preventing phishing warnings.
• Prompt reporting: Immediately report any suspicious activity or emails to the relevant organizations and cybersecurity authorities.
• Organizational responsibility: Companies should provide clear, accessible guidelines for customers to report phishing and actively address abuse of their platforms. The Norton Community discusses sophisticated email scams.