A KnowBe4 Threat Lab Publication
Authors: Martin Kraemer, James Dyer, and Lucy Gee
Much as a phishing email sent from a compromised account inherits that account's reputation, cybercriminals can boost the deliverability and credibility of their attacks by sending them through legitimate platforms.
A growing proportion of these attacks are sent using the popular accounting software Intuit QuickBooks: our Threat Research team has observed a 36.5% increase in the use of this platform since January 1, 2025. To facilitate these attacks, cybercriminals create free accounts on the platform, so the emails are sent by Intuit's own infrastructure and are hard for recipients to distinguish from genuine communications.
These attacks are part of a global trend of phishing emails being sent using legitimate platforms. It is worth noting, however, that these platforms are not compromised: cybercriminals create (usually free) legitimate accounts, which come provisioned with email-sending privileges. From there, they simply build their attacks within the platform and hit 'send'. This is much the same as creating free webmail accounts (like Gmail or Hotmail), with the added benefit of borrowing the platform's trusted brand and sender domain.
Between January 1, 2022, and February 28, 2025, our Threat Research team saw a 376.6% increase in this type of attack, with a 43.6% increase in 2025 so far versus 2024.
Campaign Summary
All attacks in these campaigns were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Research team.
Vector and type: Email phishing
Primary techniques: Brand impersonation, phishing hyperlinks, and social engineering
Targets: Global
Platform: Microsoft 365
Bypassed native and SEG detection: Yes
QuickBooks is cloud-based accounting software that helps small and medium-sized businesses manage tasks like invoicing, bookkeeping, and budgeting. Legitimate communications from the service usually include invoice notifications, payment confirmations, and account updates.
Cybercriminals are leveraging this platform by using free, genuine accounts to send phishing emails from the official sending domain '@intuit.com', which sails through standard reputation-based domain checks. In addition, 'intuit.com' is just over 31 years old (11,333 days as of February 28, 2025), giving it a very long 'shelf life' in reputation terms.
Mail from an established domain like this arrives with the authentication that Microsoft's native security and Secure Email Gateway (SEG) technology look for, namely passing SPF, DKIM, and DMARC, unlike mail from the newly created domains cybercriminals typically register, which usually lack proper authentication and are more easily flagged as suspicious. The caveat is that these checks only prove the message really left Intuit's infrastructure; they say nothing about who created the content inside the QuickBooks account.
Whilst this attack was still identified by KnowBe4 Defend, below you can see the authentication checks that one of these QuickBooks attacks passed.
Screenshot of authentication results for phishing attack sent using the QuickBooks platform
Consistent with the use of accounting software, these attacks typically have subject lines related to financial topics, document reviews, or account errors.
Our Threat Research team observed that the following subject lines were frequently used:
- Review document: filename PaymentInstruction – 28/1/2025
- Approved payment instruction – 2/10/2025 10:17 pm
- Invoice 1005 from Coinbase
- Reminder: invoice 2264
- Direct Deposit- remittance advice
- Account error
- Voicemail message received
QuickBooks Phishing Attack Example
KnowBe4 Defend detected the phishing email below, sent on February 12, 2025. In addition to leveraging QuickBooks' legitimate sender domain and branding, this attack also impersonated the cryptocurrency exchange Coinbase and the payments platform PayPal.
Screenshot of a QuickBook impersonation phishing attack detected by KnowBe4 Defend, with anti-phishing banners applied.
Within the email body, the attacker used an image of a PayPal payment request, hyperlinked to a phishing website. Because the body is a single image rather than text, there is nothing for text-based detection to scan: signature and keyword matching can only inspect text, and the lure is visible only once the image is rendered.
This obfuscation technique prevents Microsoft's native security and SEGs from judging the phishing link by its context; the hyperlink still sits in the HTML behind the image, but there is no surrounding text to weigh it against. Advanced tools like natural language processing (NLP) and natural language understanding (NLU) likewise have no sentences in which to find social engineering cues, such as urgent language.
Our Threat Research team also observed cybercriminals frequently trying to engineer multi-step attacks, moving phishing into vishing (voice phishing). In these emails, cybercriminals supply an international ‘toll-free’ telephone number to contact ‘Customer Support’.
When the victims call, attackers will impersonate QuickBooks representatives and persuade them to perform actions such as installing remote access software, providing login credentials, or making fraudulent payments. By moving the conversation to a phone call, attackers can bypass email security filters altogether and can pressure the victim in real time, increasing the likelihood of success.
Detecting Phishing Attacks Sent using Legitimate Platforms
The combination of advanced phishing techniques used in these campaigns, leveraging a legitimate sender domain whilst impersonating other trusted organizations like Coinbase and PayPal, significantly increases the deliverability of these attacks, especially for organizations that rely on legacy detection systems. If delivered, the recipient would likely struggle to identify the email as malicious, with the only red flag being its financial nature. Therefore, detection should be a unified, two-pronged approach:
Organizations should leverage anti-phishing technology that takes a comprehensive, holistic view of detection. Rather than depending on a narrow set of signals (like sender reputation, or NLP and NLU alone), this approach should encompass subject line analysis and flag suspicious construction, such as emails built with images rather than words, or a mismatch between the brand the message pushes and the platform that actually sent it.
Simultaneously, this technology should be complemented by effective security training that empowers recipients to identify suspicious emails, even when they appear to come from legitimate sources.
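As an added example (not KnowBe4 Defend's detection logic, whose internals this article does not describe), the Python below triages a raw email in the spirit of the holistic approach above. It records the SPF/DKIM/DMARC results from the Authentication-Results header but treats a pass as neutral, since in this campaign the mail really does leave Intuit's infrastructure, and instead weighs the signals described earlier on this page: brands named in the display name, subject, or image alt text that do not belong to the sending organization; a body built from a single hyperlinked image with little visible text; a 'support' phone number inviting the vishing follow-up; and financial subject-line terms. Both sample messages, their addresses, URLs and phone number, the brand table, and the thresholds are constructed placeholders, not data from the campaign.

```python
"""Heuristic triage of a phishing email sent through a legitimate platform.
Added example, not KnowBe4 Defend's code: the .eml samples are constructed,
the addresses/URLs/phone number are placeholders, and the brand table and
thresholds are assumptions."""
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Brand a recipient sees -> domain expected to send on that brand's behalf.
BRAND_DOMAINS = {"paypal": "paypal.com", "coinbase": "coinbase.com",
                 "quickbooks": "intuit.com", "intuit": "intuit.com"}
SUBJECT_TERMS = ("invoice", "payment", "remittance", "account error",
                 "voicemail", "review document")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
MIN_VISIBLE_TEXT = 200  # fewer visible chars than this + a linked image

# Constructed: passes SPF/DKIM/DMARC as intuit.com, yet pushes Coinbase/PayPal,
# the body is one linked image, and a "support" number invites a phone call.
PHISH_EML = """\
From: "Coinbase Billing via QuickBooks" <quickbooks@notification.intuit.com>
Subject: Invoice 1005 from Coinbase
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=notification.intuit.com; dkim=pass header.d=intuit.com; dmarc=pass header.from=intuit.com
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://payment-review.example.net/paypal/signin">
<img src="cid:request.png" alt="PayPal payment request - review now"></a>
<p>Customer Support (toll-free): +1 (800) 555-0199</p>
</body></html>
"""

# Constructed control: a plausible QuickBooks invoice with a real text body.
LEGIT_EML = """\
From: "Acme Plumbing via QuickBooks" <quickbooks@notification.intuit.com>
Subject: Invoice 2264 from Acme Plumbing
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=notification.intuit.com; dkim=pass header.d=intuit.com; dmarc=pass header.from=intuit.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi, here is invoice 2264 for the boiler service completed on
3 February. Amount due: $480.00, payable by 28 February. Thank you.</p>
<a href="https://invoice.example.com/2264">View and pay invoice</a></body></html>
"""


class _BodyScan(HTMLParser):
    """Collect visible text and every <img> that sits inside an <a href>."""

    def __init__(self):
        super().__init__()
        self.text, self.linked_images, self._open_hrefs = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._open_hrefs.append(a.get("href", ""))
        elif tag == "img" and self._open_hrefs:
            self.linked_images.append((self._open_hrefs[-1], a.get("alt", "")))

    def handle_endtag(self, tag):
        if tag == "a" and self._open_hrefs:
            self._open_hrefs.pop()

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def triage(raw_eml):
    """Build a report; SPF/DKIM/DMARC are recorded but never excuse the mail."""
    msg = message_from_string(raw_eml, policy=default)
    sender = msg["From"].addresses[0]
    org_domain = ".".join(sender.addr_spec.rsplit("@", 1)[1].lower().split(".")[-2:])
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg["Authentication-Results"] or "")))
    scan = _BodyScan()
    body = msg.get_body(preferencelist=("html", "plain"))
    scan.feed(body.get_content() if body else "")
    visible = " ".join(scan.text)
    subject = str(msg["Subject"] or "").lower()
    # Brands named where the recipient looks, versus who actually sent the mail.
    seen = " ".join([sender.display_name, subject,
                     *(alt for _, alt in scan.linked_images)]).lower()
    report = {
        "sender_org": org_domain,
        "auth": auth,
        "auth_all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "foreign_brands": sorted(b for b, d in BRAND_DOMAINS.items()
                                 if b in seen and d != org_domain),
        "image_dominated": bool(scan.linked_images) and len(visible) < MIN_VISIBLE_TEXT,
        "phones": PHONE_RE.findall(visible),
        "subject_flag": any(t in subject for t in SUBJECT_TERMS),
    }
    strong = report["foreign_brands"] or report["image_dominated"] or report["phones"]
    report["verdict"] = "suspicious" if strong else "no strong signals"
    return report
```

Run against the two samples, the first report comes back 'suspicious' with Coinbase and PayPal flagged as foreign brands, the body marked image-dominated and the toll-free number extracted, even though every authentication result is 'pass'. The control invoice, from the same sender with the same authentication results but a text body and no foreign brand, produces no strong signals. The subject-line term is deliberately only a weak signal, because legitimate QuickBooks mail is about invoices too; in a production pipeline it would feed a score alongside the others rather than decide on its own.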