A friend received a spam email from quickbooks@notification.intuit.com
Intuit is a real company, and intuit.com is their real domain. Looking online, a number of people received this scam email a few months ago, and then again over the last week.
If you came across this post from Google, this is why it reeks of a scam email:
- 12 of other email addresses are listed in the
toandccfields - it says that a subscription is set to renew, “$399.99 will soon be taken out of your account” and that it will happen within the “next 24 hours”. Classic sense of urgency
- It includes an
888phone number that does not come up as any legitimate number, and it includes a PDF which my friend did not download in case it is malicious
Does this mean that Intuit lost control of that subdomain, or is there another way that someone might be spoofing it? I can have my friend check any other metadata if it would be helpful.
If you came here from Google, welcome to the Fediverse :)
They use spoofing. Apparently incorrectly secured stuff can allow it. The security guys at work were talking about this kind of thing the other week. I don’t fully understand it myself but this website discusses it. https://abnormalsecurity.com/glossary/dmarc