// FRAUD INTEL · 27 APR 2026 · UNCLASSIFIED // PUBLIC · SIG 5af5be6c12d23655 · SOURCE bleepingcomputer.com
// News Desk · 27 April 2026 · phishing · identity · financial services · commentary

Robinhood's account-creation flow turned into a phishing pipe

Threat actors injected phishing content into Robinhood's own transactional emails. The trust-the-sender heuristic that customers were trained on for two decades doesn't survive this.

Threat actors discovered a flaw in Robinhood’s account-creation pipeline that allowed them to inject attacker-supplied content into Robinhood’s own transactional emails — the verification, welcome, and account-confirmation messages that every newly opened account triggers. The phishing message arrives from Robinhood’s real sending infrastructure. SPF passes. DKIM passes. DMARC passes. The recipient — typically someone who never signed up for a Robinhood account in the first place — receives a message that genuinely came from Robinhood, asking them to verify the account that has just been opened in their name. They click the embedded link, lose their credentials, and the attacker drains whatever’s behind them.

This is the second or third example this year of the same pattern, and it deserves a name. Call it transactional-email injection: an attacker abuses a legitimate input field in a vendor’s user-onboarding flow to make the vendor send an attacker-controlled message through the vendor’s own outbound mail. From the recipient’s perspective, every signal that fraud-awareness training taught them to check is reading green. From the attacker’s perspective, it’s free phishing infrastructure with the deliverability profile of a Fortune 500 brand.

The lesson, restated: the trust-the-sender heuristic is broken for transactional email. Two decades of advice telling customers to look at the From: address, check the padlock, hover over the link, has just been turned against itself. The attacker has satisfied every check the heuristic asks the recipient to perform. The next-generation phishing attack doesn’t spoof a brand. It makes the brand send the email on the attacker’s behalf.

Two responses for financial-services security teams. First, audit any user-supplied input that ends up rendered inside an outbound transactional email — name, address, message-to-recipient, “tell us why you’re opening this account” free-text. That input is the attack surface. The mitigation is at the email-template level: aggressive sanitisation, no attacker-controllable URLs, no rich-text rendering. Second, update customer fraud-awareness messaging. “We will never email you a link to verify your account” should now be the front-and-centre message on every onboarding email, every login prompt, and every fraud-alert page. The trust-the-sender training has expired. Customers need new heuristics, and the only defensible one is “ignore the link, log into the app directly.”
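The first response above, in code. This is an added example and not Robinhood's code or anything from the BleepingComputer report: a strict validator for a user-supplied display name (letters, spaces, a few punctuation marks, no links or bare domains, hard length cap), a hardened renderer that substitutes a neutral greeting when the name is rejected rather than trying to clean it, the unsafe interpolation shown beside it for contrast, and a small audit that flags user-controlled placeholders in a template that reach the mail body without a sanitising filter. The policy, the `{{ field | filter }}` placeholder syntax and the filter names `sanitize_name` and `escape` are assumptions made for the example; the sample inputs are constructed.

```python
import html
import re
import unicodedata
from dataclasses import dataclass

# Constructed policy (an assumption of this example, not a vendor's): a display
# name is letters, combining marks, spaces, apostrophes, hyphens and periods,
# at most 64 characters, and must never contain anything that reads as a link.
MAX_NAME_LEN = 64
URL_LIKE = re.compile(
    r"(?i)(?:[a-z][a-z0-9+.-]*://"                      # any scheme, e.g. https://
    r"|www\."                                           # www. prefix with no scheme
    r"|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,24}(?![a-z]))"  # bare label.tld
)
ALLOWED_CATEGORIES = {"Lu", "Ll", "Lt", "Lm", "Lo", "Mn", "Mc", "Zs"}
ALLOWED_PUNCT = set("'-.")


@dataclass(frozen=True)
class Verdict:
    ok: bool
    value: str   # cleaned value when ok, empty otherwise
    reason: str  # why the input was rejected, empty when ok


def sanitize_display_name(raw: str) -> Verdict:
    """Accept or reject a user-supplied name before it touches an email template."""
    # NFKC folds full-width look-alikes (e.g. 'ｅｘａｍｐｌｅ．ｃｏｍ') onto ASCII
    # so the link check below sees what the recipient's mail client would show.
    text = unicodedata.normalize("NFKC", raw)
    # Collapse every run of whitespace, newlines included, to one space so a
    # name can never break onto its own line inside a plain-text body.
    text = " ".join(text.split())
    if not text:
        return Verdict(False, "", "empty")
    if len(text) > MAX_NAME_LEN:
        return Verdict(False, "", "too long")
    if URL_LIKE.search(text):
        return Verdict(False, "", "contains a URL or domain")
    for ch in text:
        if ch in ALLOWED_PUNCT:
            continue
        if unicodedata.category(ch) not in ALLOWED_CATEGORIES:
            return Verdict(False, "", f"disallowed character {ch!r}")
    return Verdict(True, text, "")


# Constructed template. Note it carries no verification link at all: the copy
# tells the recipient to open the app directly, matching the second response.
TEMPLATE_HTML = (
    "<p>Hi {name},</p>"
    "<p>An account was opened with this email address. "
    "We will never email you a link to verify your account: "
    "open the app directly to review it.</p>"
)


def render_welcome_unsafe(raw_name: str) -> str:
    """The 'before' shape: raw input dropped straight into the markup."""
    return TEMPLATE_HTML.format(name=raw_name)


def render_welcome_safe(raw_name: str) -> str:
    """Rejected input is not repaired; a neutral greeting is used instead."""
    verdict = sanitize_display_name(raw_name)
    name = html.escape(verdict.value, quote=True) if verdict.ok else "there"
    return TEMPLATE_HTML.format(name=name)


# Hypothetical Jinja-style placeholders: {{ field }} or {{ field | filter }}.
PLACEHOLDER = re.compile(r"\{\{\s*([a-z_]+)\s*((?:\|\s*[a-z_]+\s*)*)\}\}")


def audit_template(template: str, user_fields: set[str],
                   safe_filters=("sanitize_name", "escape")) -> list[str]:
    """List user-controlled placeholders that reach the body with no sanitising filter."""
    findings = []
    for m in PLACEHOLDER.finditer(template):
        field, filters = m.group(1), m.group(2)
        applied = {f.strip() for f in filters.split("|") if f.strip()}
        if field in user_fields and not applied & set(safe_filters):
            findings.append(field)
    return findings


if __name__ == "__main__":
    # Constructed inputs: a benign name and one that tries to smuggle a link.
    for sample in ("Ada Lovelace", "Verify now at https://example.com/verify"):
        print(sanitize_display_name(sample))
        print(render_welcome_safe(sample))
    print(audit_template("Hi {{ name }}, {{ note | sanitize_name }}", {"name", "note"}))
```

The design choice worth noting is reject-don't-repair: stripping a URL out of a name and sending the rest still lets attacker text reach the recipient, whereas substituting a neutral greeting guarantees that nothing attacker-controlled is rendered.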

Sources

bleepingcomputer.com