Invoice or Impersonation? 36.5% Spike in Phishing Attacks Leveraging QuickBooks’ Legitimate Domain in 2025

A KnowBe4 Threat Lab Publication
Authors: Martin Kraemer, James Dyer, and Lucy Gee

Much like sending a phishing email from a compromised account, cybercriminals can boost the deliverability and credibility of their attacks by sending them through legitimate platforms.

Notably, a growing proportion of these attacks are sent using the popular accounting software Intuit QuickBooks. Our Threat Research team has observed a 36.5% increase in the use of this platform since January 1, 2025. To carry out these attacks, cybercriminals create free accounts on the platform, and the resulting emails are hard for recipients to distinguish from genuine communications.

These attacks are part of a global trend of phishing emails being sent using legitimate platforms. It is worth noting, however, that these platforms are not compromised; cybercriminals create (usually free) authorized accounts, which are provisioned with email-sending privileges. From there, they simply build their attacks within the platform and hit 'send'. This is much the same as creating free webmail accounts (like Gmail or Hotmail), with the added benefit of borrowing the platform's trusted brand and sender domain.

Between January 1, 2022, and February 28, 2025, our Threat Research team has seen a 376.6% increase in these types of attacks, with a 43.6% increase in 2025 so far versus 2024.

Campaign Summary 
All attacks in these campaigns were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Research team. 

Vector and type: Email phishing

Primary techniques: Brand impersonation, phishing hyperlinks, and social engineering

Targets: Global

Platform: Microsoft 365

Bypassed native and SEG detection: Yes

QuickBooks is a cloud-based accounting software that helps small and medium-sized businesses manage tasks like invoicing, bookkeeping, and budgeting. Legitimate communications from this service would usually include emails such as invoice notifications, payment confirmations, and account updates. 

Cybercriminals are leveraging this platform by using free, genuine accounts to send phishing emails from the official sending domain '@intuit.com', bypassing standard reputation-based domain checks. In addition, 'intuit.com' was registered about 31 years ago (11,333 days old as of February 28, 2025), giving it a very long 'shelf life.'

Because mail from such a domain is sent by the platform's own infrastructure, it passes the sender authentication checks (SPF, DKIM and DMARC) that Microsoft's native security and Secure Email Gateway (SEG) technology rely on, unlike newly created domains used by cybercriminals, which typically lack proper authentication and are more easily flagged as suspicious. The caveat is that a passing result proves only that the platform sent the message, not that the account holder behind it is who they claim to be.

Whilst this attack was still identified by KnowBe4 Defend, below you can see the authentication checks that one of these QuickBooks attacks passed.


Screenshot of authentication results for phishing attack sent using the QuickBooks platform

Consistent with the use of accounting software, these attacks typically have subject lines related to financial topics, document reviews, or account errors. 

Our Threat Research team observed that the following subject lines were frequently used: 

  • Review document: filename PaymentInstruction – 28/1/2025
  • Approved payment instruction – 2/10/2025 10:17 pm
  • Invoice 1005 from Coinbase
  • Reminder: invoice 2264
  • Direct Deposit- remittance advice
  • Account error
  • Voicemail message received

QuickBooks Phishing Attack Example

KnowBe4 Defend detected the below phishing email sent on February 12, 2025. In addition to leveraging QuickBooks' legitimate sender domain and branding, this attack also impersonated the cryptocurrency exchange Coinbase and the payments platform PayPal.

Screenshot of a QuickBook impersonation phishing attack detected by KnowBe4 Defend, with anti-phishing banners applied.

Within the email body, the attacker used an image of a PayPal payment request which was hyperlinked to a phishing website. Embedding a single image in place of body text limits the effectiveness of email security tools: traditional signature-based detection cannot read the text rendered inside the image, so the lure itself never appears as scannable text.

This obfuscation technique hides the lure from Microsoft's native security and SEGs, which have no body text to scan, while advanced tools such as natural language processing (NLP) and natural language understanding (NLU) cannot detect social engineering cues, such as urgent language, in text they never see.

Our Threat Research team also observed cybercriminals frequently trying to engineer multi-step attacks, moving phishing into vishing (voice phishing). In these emails, cybercriminals supply an international ‘toll-free’ telephone number to contact ‘Customer Support’.

When the victims call, attackers will impersonate QuickBooks representatives and persuade them to perform actions such as installing remote access software, providing login credentials, or making fraudulent payments. By moving the conversation to a phone call, attackers can bypass email security filters altogether and can pressure the victim in real time, increasing the likelihood of success. 

Detecting Phishing Attacks Sent using Legitimate Platforms

The combination of advanced phishing techniques used in these campaigns, such as leveraging legitimate domains whilst impersonating other trusted organizations like Coinbase and PayPal, significantly increases the deliverability of these attacks, especially for organizations that rely on legacy detection systems. If delivered, the recipient would likely struggle to identify the email as malicious, with the only red flag being its financial nature. Therefore, detection should be a unified, two-pronged approach:

Organizations should leverage anti-phishing technology that takes a comprehensive, holistic view of detection. Rather than depending on a narrow set of failsafes (like sender reputation or NLP and NLU), this approach should encompass subject line analysis and flagging suspicious behaviors, such as emails built with images rather than words.

Simultaneously, this technology should be complemented by effective security training that empowers recipients to identify suspicious emails, even when they appear to come from legitimate sources.
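As an added example (not KnowBe4 code, and not any product's detection logic), the script below applies the checks described above to a constructed .eml modelled on the February 12 case: it parses the Authentication-Results header to find which domain actually authenticated, treats that domain as a shared sending platform rather than as proof of legitimacy, detects an image-only body whose only link points off-platform, and looks for brand names in the display name and subject that do not belong to the authenticated domain. The sample headers and bodies, the platform list, the brand-to-domain map, the intuit.com subdomain in the benign sample and the scoring weights are all assumptions for illustration. A second constructed sample, a plain-text invoice from a genuine QuickBooks user, shows that the same checks do not flag ordinary platform mail.

```python
"""Added example (not KnowBe4 code): score platform-sent mail that passes
SPF/DKIM/DMARC. Authentication only identifies the platform; the lure is an
image; brand names that do not belong to the authenticated domain mismatch."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: platforms where a free account can send from the platform's domain.
SHARED_SENDING_PLATFORMS = {"intuit.com"}
# Assumed: impersonated brand -> domain it would legitimately authenticate as.
BRAND_DOMAINS = {"paypal": "paypal.com", "coinbase": "coinbase.com", "quickbooks": "intuit.com"}
FINANCIAL_LURES = ("invoice", "payment", "remittance", "direct deposit", "account error", "voicemail")

# Constructed sample modelled on the article's February 12, 2025 email.
PHISH_EML = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=intuit.com;
 dkim=pass header.d=intuit.com; dmarc=pass header.from=intuit.com
From: "PayPal Payment Request" <no-reply@intuit.com>
To: finance@example.com
Subject: Invoice 1005 from Coinbase
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://payment-review.example.net/login">
<img src="https://payment-review.example.net/paypal.png" alt=""></a></body></html>
"""
# Constructed benign counterpart: a genuine QuickBooks user's invoice (subdomain assumed).
BENIGN_EML = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=intuit.com; dkim=pass header.d=intuit.com; dmarc=pass header.from=intuit.com
From: "Acme Plumbing via QuickBooks" <no-reply@intuit.com>
To: finance@example.com
Subject: Invoice 2264 from Acme Plumbing
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Acme Plumbing sent you invoice 2264 for $480.00, due 15 March 2025.</p>
<p><a href="https://connect.intuit.com/pay/2264">View and pay invoice</a></p></body></html>
"""

def parse_auth_results(value):
    """spf/dkim/dmarc results plus the DKIM signing domain (header.d)."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    m = re.search(r"header\.d=([\w.-]+)", value)
    results["auth_domain"] = m.group(1).lower() if m else None
    return results

def same_org(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))

class BodyScan(HTMLParser):
    """Count visible text characters and images that sit inside hyperlinks."""
    def __init__(self):
        super().__init__()
        self.text_chars, self.images_in_links, self.link_hosts, self._link = 0, 0, set(), None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._link = (urlsplit(a["href"]).hostname or "").lower()
            self.link_hosts.add(self._link)
        elif tag == "img" and self._link:
            self.images_in_links += 1
    def handle_endtag(self, tag):
        if tag == "a":
            self._link = None
    def handle_data(self, data):
        self.text_chars += len(data.strip())

def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    dom = auth["auth_domain"]
    body = msg.get_body(preferencelist=("html",))
    scan = BodyScan()
    scan.feed(body.get_content() if body else "")
    display = msg["From"].addresses[0].display_name.lower() if msg["From"] else ""
    subject = str(msg["Subject"] or "").lower()
    mentioned = [b for b in sorted(BRAND_DOMAINS) if b in display or b in subject]
    f = {
        # Recorded but given no weight below: a pass proves only who sent it.
        "authenticated": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "auth_domain": dom,
        "shared_platform": dom in SHARED_SENDING_PLATFORMS,
        # Under 20 visible characters plus a clickable image: the lure is a picture.
        "image_only_body": scan.images_in_links > 0 and scan.text_chars < 20,
        "external_links": sorted(h for h in scan.link_hosts if not same_org(h, dom)),
        "brand_mismatch": [b for b in mentioned if BRAND_DOMAINS[b] != dom],
        "financial_lure": any(k in subject for k in FINANCIAL_LURES),
    }
    weights = {"shared_platform": 1, "image_only_body": 2, "brand_mismatch": 3,
               "external_links": 1, "financial_lure": 1}  # assumed weights
    f["score"] = sum(w for k, w in weights.items() if f[k])
    f["verdict"] = "phish" if f["score"] >= 5 else "review" if f["score"] >= 3 else "clean"
    return f

if __name__ == "__main__":
    for name, eml in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(name, analyze(eml))
```

The design point is that "authenticated" is recorded but carries no weight: both samples pass SPF, DKIM and DMARC for intuit.com, and what separates them is the brand mismatch between the display name or subject and the authenticated domain, the picture-only body with an off-platform link, and the financial subject line. In production the threshold on visible characters and the weights would be tuned against real traffic, and the brand map would cover far more than three names.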


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer


