Abuse of Trusted Platforms for Phishing & Fraud

Modified on Fri, 8 May at 4:47 PM

Overview


Cybercriminals are increasingly abusing legitimate business platforms such as QuickBooks Online, DocuSign, Adobe Sign, and similar services to send fraudulent invoices, contracts, and payment requests.


Because these messages are sent directly from the platform’s real email infrastructure, they often pass email security filters (including Barracuda) and arrive in inboxes appearing authentic.


This is not a failure of our email security tools; it is a known and growing industry‑wide tactic.


How This Attack Works

  1. An attacker creates a free or trial account on a trusted platform.
  2. They upload “customers,” “partners,” or “vendors” (victims).
  3. They send invoices, agreements, or payment requests using the platform.
  4. The email:
    • Comes from a legitimate domain
    • Passes SPF, DKIM, and DMARC
    • Contains platform‑hosted links or documents
  5. The content inside the email or attachment is malicious or deceptive.


Because the email itself is technically valid, automated filtering alone cannot reliably block it.


What We Are Doing Internally


To reduce risk across the organization:


  • ✅ Barracuda allows emails from these trusted platforms to pass
  • ✅ Exchange Online auto‑deletes these messages for most users
  • ✅ A restricted internal group is exempt from deletion so its members can still receive and audit these messages as needed:
    • IT
    • Accounting
    • Leadership
    • Other designated staff

This approach prevents accidental exposure while still supporting legitimate business workflows.
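
The mail-flow decision described above, sketched as an added example (it is not our actual Barracuda or Exchange Online configuration): the message passes SPF, DKIM, and DMARC, yet it is still deleted unless the recipient is in the exempt group. The exempt mailboxes and the sample message are constructed for illustration; the domain list is copied from the example sender table in this article.

```python
from email import message_from_string
from email.utils import parseaddr

# Sender domains copied from this article's example table (examples only).
PLATFORM_DOMAINS = (
    "notification.intuit.com", "docusign.net", "docusign.com", "adobesign.com",
    "adobe.com", "hellosign.com", "dropbox.com", "pandadoc.com", "signnow.com",
    "bill.com", "squareup.com", "paypal.com", "stripe.com",
)
# Assumption: hypothetical mailboxes standing in for the exempt audit group.
EXEMPT_RECIPIENTS = {"it@example.org", "accounting@example.org"}
# Constructed sample message; every value here is invented for illustration.
SAMPLE = """\
From: "Intuit QuickBooks" <quickbooks@notification.intuit.com>
To: staff.member@example.org
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=notification.intuit.com;
 dkim=pass header.d=intuit.com; dmarc=pass header.from=notification.intuit.com
"""

def platform_domain(from_header):
    """Return the listed platform domain the sender belongs to, or None."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    for known in PLATFORM_DOMAINS:
        # Exact match or true subdomain only, so lookalike suffixes do not match.
        if domain == known or domain.endswith("." + known):
            return known
    return None

def auth_verdicts(msg):
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";"):
            method, sep, rest = part.strip().partition("=")
            if sep and method in ("spf", "dkim", "dmarc") and rest.split():
                verdicts[method] = rest.split()[0].lower()
    return verdicts

def triage(raw_message):
    """Apply the policy: platform mail is deleted unless the recipient is exempt."""
    msg = message_from_string(raw_message)
    platform = platform_domain(msg.get("From", ""))
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if platform is None:
        action = "deliver"            # not platform mail; outside this rule
    elif recipient in EXEMPT_RECIPIENTS:
        action = "deliver-for-audit"  # exempt group still receives it
    else:
        action = "delete"             # passing authentication does not change this
    return {"platform": platform, "auth": auth_verdicts(msg), "action": action}
```

The verdicts in the result are informational only: all three read "pass" for the sample, which is why the decision keys on the sending platform and the recipient rather than on authentication.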


Why User Awareness Still Matters


If you expect an email from a vendor, customer, or partner using one of these platforms, you must carefully audit the message before:


  • Clicking any links
  • Downloading attachments
  • Opening invoices or contracts
  • Entering credentials or payment details


Follow the audit guidance in our internal FAQ:


Security starts in the inbox and in the mind of the recipient.


Examples of Commonly Abused Platforms & Example Sender Addresses

⚠️ Important:
The domains below are examples only.
These platforms may use multiple sender domains, and attackers rely on that legitimacy.


| Platform / Service | Example Sender Address or Domain |
| --- | --- |
| QuickBooks Online | quickbooks@notification.intuit.com |
| DocuSign | @docusign.net, @docusign.com |
| Adobe Sign | @adobesign.com, @adobe.com |
| Dropbox Sign (HelloSign) | @hellosign.com, @dropbox.com |
| PandaDoc | @pandadoc.com |
| SignNow | @signnow.com |
| Bill.com | @bill.com, @notifications.bill.com |
| Square Invoices | @squareup.com |
| PayPal Invoices | @paypal.com |
| Stripe Billing / Invoices | @stripe.com |


Seeing one of these domains does not automatically mean the email is safe.


What You Should Do


If you are NOT expecting the email

  • Do not click or download anything
  • Let Exchange handle deletion automatically

If you ARE expecting the email

  • Carefully audit:
    • Sender intent
    • Grammar and urgency
    • Payment changes
    • Links (hover before clicking)
  • Verify directly with the sender using a known contact method
  • Never trust payment or banking changes without confirmation

If something seems off

  • Do not forward the email
    • If IT requests it, forward the email only to IT, and only to the email address IT asks you to forward it to.
    • When forwarding to IT, use the Forward function rather than a screenshot: we need the technical data within the email, which is never included in screenshots.
  • Do not reply
  • Open an IT ticket only after completing your own audit


Final Reminder


These attacks succeed not because the technology is broken, but because the platforms themselves are legitimate.


No system can replace human judgment.


When in doubt, pause, verify, and ask. A good rule of thumb: if your audit does not seem to satisfy the bar of safety, assume the email is nefarious, simply because you already suspect it is malicious.


It is like wondering whether milk has expired: if the email doesn't reasonably pass the sniff test, it's best not to ask any questions and to throw it away (delete the email) instead of asking others to take a sip (forwarding it around).
