A KnowBe4 Threat Lab Publication
Authors: Martin Kraemer, James Dyer, and Lucy Gee
Much like sending a phishing email from a compromised account, cybercriminals can increase the deliverability and credibility of their attacks by leveraging legitimate platforms.
Notably, a rising proportion of these attacks is being sent using the popular accounting software Intuit QuickBooks. Our Threat Research team has observed a 36.5% increase in the use of this platform since January 1, 2025. To facilitate these attacks, cybercriminals create free accounts on the platform, which makes the resulting emails difficult for people to distinguish from genuine communications.
These attacks are part of a global trend of phishing emails being sent through legitimate platforms. It is worth noting, however, that the platforms themselves are not compromised; cybercriminals create (often free) licensed accounts, which are provisioned with email-sending privileges. From there, they simply compose their attacks within the platform and hit 'send'. This is much the same as creating free webmail accounts (like Gmail or Hotmail), with the added benefit of leveraging the platform's trusted brand and sender domain.
Between January 1, 2022, and February 28, 2025, our Threat Research team has seen a 376.6% increase in these types of attack, with a 43.6% increase in 2025 so far versus 2024.
Campaign Summary
All attacks in these campaigns were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Research team.
Vector and type: Email phishing
Main techniques: Brand impersonation, phishing links, and social engineering
Targets: Global
Platform: Microsoft 365
Bypassed native and SEG detection: Yes
QuickBooks is cloud-based accounting software that helps small and medium-sized businesses manage tasks like invoicing, bookkeeping, and budgeting. Legitimate communications from this service would usually include emails such as invoice notifications, payment confirmations, and account updates.
Cybercriminals are leveraging this platform by using free, genuine accounts to send phishing emails from the official sending domain '@intuit.com', which bypasses standard reputation-based domain checks. In addition, 'intuit.com' was registered just under 31 years ago (11,333 days old as of February 28, 2025), giving it a very long 'shelf life.'
Domains like this typically have the authentication records (SPF, DKIM, and DMARC) needed to pass Microsoft's native security and Secure Email Gateway (SEG) technology, unlike newly created domains used by cybercriminals, which usually lack proper authentication and are more easily flagged as suspicious.
While this attack was still identified by KnowBe4 Defend, below you can see the authentication checks that one of these QuickBooks attacks passed.
Screenshot of authentication results for a phishing attack sent using the QuickBooks platform
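The point of the screenshot is that SPF, DKIM and DMARC all pass, because the mail really did leave the platform's own infrastructure. The following is an added example (not KnowBe4's or Intuit's code) showing why a defender should not stop at that result: it parses a constructed Authentication-Results header with Python's standard library and routes mail that authenticates as coming from a self-service sending platform to content inspection rather than trusting it on reputation alone. The list of self-service platform domains, the sample headers, IP address and lookalike domain are all assumptions made up for the example.

```python
import re
from email import message_from_string

# Sending platforms that hand self-service accounts an address on their own
# domain. Constructed list for this example; intuit.com is the one the
# article describes.
SELF_SERVICE_SENDING_DOMAINS = {"intuit.com"}

# Constructed sample headers modelled on the authentication results described
# above: SPF, DKIM and DMARC all pass for the platform's own domain.
SAMPLE_PASSING = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=intuit.com;
 dkim=pass header.d=intuit.com header.s=sel1;
 dmarc=pass action=none header.from=intuit.com
From: "Customer Support" <quickbooks@intuit.com>
Subject: Invoice 1005 from Coinbase

"""

# Constructed sample for the contrast case in the text: a freshly registered
# lookalike domain with no DKIM signature and a failing DMARC check.
SAMPLE_FAILING = """\
Authentication-Results: mx.example.net;
 spf=softfail smtp.mailfrom=intuit-billing.example;
 dkim=none;
 dmarc=fail action=quarantine header.from=intuit-billing.example
From: "QuickBooks" <billing@intuit-billing.example>
Subject: Account error

"""

AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b"
)
FROM_DOMAIN_RE = re.compile(r"header\.from=([\w.-]+)")


def parse_authentication_results(raw_message: str) -> dict:
    """Return the spf/dkim/dmarc verdicts and the DMARC-aligned From domain."""
    msg = message_from_string(raw_message)
    # get() returns the full (folded) header value, continuation lines included.
    header = msg.get("Authentication-Results", "")
    verdicts = {method: result for method, result in AUTH_RE.findall(header)}
    m = FROM_DOMAIN_RE.search(header)
    verdicts["header_from"] = m.group(1).lower() if m else None
    return verdicts


def classify_sender(raw_message: str) -> str:
    """Map authentication results to a handling decision.

    A full pass from a platform that lets anyone register proves only that the
    platform sent the mail, not that the tenant behind it is who it claims to
    be, so such mail goes to content inspection instead of being trusted on
    reputation alone.
    """
    res = parse_authentication_results(raw_message)
    if not all(res.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        return "authentication_failed"
    domain = res["header_from"] or ""
    if domain in SELF_SERVICE_SENDING_DOMAINS or any(
        domain.endswith("." + d) for d in SELF_SERVICE_SENDING_DOMAINS
    ):
        return "authenticated_self_service_platform"
    return "authenticated"


if __name__ == "__main__":
    for name, sample in (("passing", SAMPLE_PASSING), ("failing", SAMPLE_FAILING)):
        print(name, parse_authentication_results(sample), classify_sender(sample))
```

The "authenticated_self_service_platform" verdict is the decision that matters here: it keeps the domain's reputation from short-circuiting the rest of the pipeline, so the body and subject heuristics described later in this post still run on the message.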
In keeping with the use of accounting software, these attacks typically carry subject lines related to financial topics, document reviews, or account errors.
Our Threat Research team observed that the following subject lines were frequently used:
- Review document: filename PaymentInstruction – 28/1/2025
- Approved payment instruction – 2/10/2025 10:17 pm
- Invoice 1005 from Coinbase
- Reminder: invoice 2264
- Direct Deposit- remittance advice
- Account error
- Voicemail message received
QuickBooks Phishing Attack Example
KnowBe4 Defend detected the phishing email below, sent on February 12, 2025. In addition to leveraging QuickBooks' legitimate sender domain and branding, this attack also impersonated the cryptocurrency platform Coinbase and the payment platform PayPal.
Screenshot of a QuickBooks impersonation phishing attack detected by KnowBe4 Defend, with anti-phishing banners applied.
Within the email body, the attacker used an image of a PayPal payment request that was hyperlinked to a phishing website. By embedding a single image instead of ordinary text, the attacker limits the effectiveness of email security tools, as traditional signature-based detection cannot scan text that is rendered inside an image.
This obfuscation technique prevents Microsoft's native security and SEGs from identifying phishing links, while more advanced tools built on natural language processing (NLP) and natural language understanding (NLU) fail to detect social engineering cues, such as urgent language, because there is no text for them to analyze.
Our Threat Research team also observed cybercriminals frequently attempting to engineer multi-step attacks, shifting phishing into vishing (voice phishing). In these emails, cybercriminals provide an international 'toll-free' telephone number to contact 'Customer Support'.
When victims call, attackers impersonate QuickBooks representatives and persuade them to perform actions such as installing remote access software, providing login credentials, or making fraudulent payments. By shifting the conversation to a phone call, attackers bypass email security filters altogether and can pressure the victim in real time, increasing the likelihood of success.
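Because the platform's domain authenticates cleanly, what is left to a detection engine is the content: the financial subject lines listed earlier, a body that is a single clickable image, and a "call Customer Support" number that hands the victim off to vishing. The following is an added example (not KnowBe4's product logic) that implements those three checks together over constructed sample messages, using only Python's standard library. The term lists, weights, threshold, HTML bodies, link target and the reserved 555 phone number are all assumptions made up for the example; the subjects echo those the post lists.

```python
import re
from html.parser import HTMLParser

# Vocabulary drawn from the subject lines listed in the article; the
# thresholds and weights below are constructed for this example.
FINANCIAL_TERMS = ("invoice", "payment", "remittance", "direct deposit",
                   "account error", "voicemail")
URGENCY_TERMS = ("reminder", "approved", "review", "urgent", "immediately")
# North American toll-free prefixes, with optional +1 and common separators.
PHONE_RE = re.compile(
    r"(?:\+?1[\s.-]?)?\(?8(?:00|33|44|55|66|77|88)\)?[\s.-]?\d{3}[\s.-]?\d{4}"
)
MAX_TEXT_FOR_IMAGE_ONLY = 40  # visible characters


class _BodyScanner(HTMLParser):
    """Collect visible text, count images, and record images wrapped in links."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.images = 0
        self.linked_images = []
        self._href = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href")
        elif tag == "img":
            self.images += 1
            if self._href:
                self.linked_images.append(self._href)

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

    def handle_data(self, data):
        self.text.append(data)


def analyze_message(subject: str, html_body: str) -> dict:
    """Score one message on subject, image-only body, and vishing hand-off cues."""
    scanner = _BodyScanner()
    scanner.feed(html_body)
    visible = re.sub(r"\s+", " ", " ".join(scanner.text)).strip()
    subj = subject.lower()
    f = {
        "financial_subject": any(t in subj for t in FINANCIAL_TERMS),
        "urgent_subject": any(t in subj for t in URGENCY_TERMS),
        "image_only_body": scanner.images > 0 and len(visible) < MAX_TEXT_FOR_IMAGE_ONLY,
        "linked_image_targets": scanner.linked_images,
        "phone_numbers": PHONE_RE.findall(visible),
    }
    score = 0
    if f["image_only_body"] and f["linked_image_targets"]:
        score += 3  # a clickable picture and nothing for text filters to read
    if f["phone_numbers"] and f["financial_subject"]:
        score += 2  # "call us about your payment": the vishing hand-off
    score += int(f["financial_subject"]) + int(f["urgent_subject"])
    f["score"] = score
    f["verdict"] = "flag" if score >= 3 else "pass"
    return f


# Constructed samples; the subjects echo those the article lists, the bodies
# and the phone number (a reserved 555 number) are invented.
SAMPLES = {
    "image_only": (
        "Invoice 1005 from Coinbase",
        '<html><body><a href="https://pay.example.invalid/req/1005">'
        '<img src="cid:paypal-request.png" alt=""></a></body></html>',
    ),
    "vishing": (
        "Approved payment instruction - 2/10/2025 10:17 pm",
        "<html><body><p>Your payment of $1,499.00 has been approved.</p>"
        "<p>For questions contact Customer Support at +1 (800) 555-0142.</p>"
        "</body></html>",
    ),
    "benign": (
        "Your March newsletter",
        "<html><body><p>Here is what the team has been working on this month.</p>"
        '<img src="cid:banner.png" alt="team photo"><p>Read the full update on '
        "our site.</p></body></html>",
    ),
}

if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        print(name, analyze_message(subject, body))
```

The image-only check is the one signature-based and NLP-based tools miss for the reason the post gives: there is no text to scan, so the signal has to come from structure (an image wrapped in a link with almost no visible text) rather than from content. The phone-number rule deliberately fires only alongside a financial subject, so a legitimate newsletter with a support line in its footer is not flagged on the number alone.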
Detecting Phishing Attacks Sent Using Legitimate Platforms
The combination of advanced phishing techniques used in these campaigns, such as leveraging legitimate domains while impersonating other trusted organizations like Coinbase and PayPal, significantly increases the deliverability of these attacks, particularly for organizations that rely on legacy detection systems. If delivered, the recipient would likely struggle to identify the email as malicious, with the only red flag being its financial nature. Therefore, detection should be a unified, two-pronged approach:
Organizations should leverage anti-phishing technology that takes a comprehensive, holistic view of detection. Rather than relying on a narrow set of failsafes (like sender reputation or NLP and NLU), this approach should include subject line analysis and the flagging of suspicious behaviors, such as emails constructed from images rather than words.
At the same time, this technology should be complemented by effective security training that empowers recipients to identify suspicious emails, even when they appear to come from legitimate sources.