Do you understand what just happened to Robinhood?
Someone sent a perfect phishing email: real domain, DKIM pass, SPF pass, DMARC pass, and Robinhood's own servers delivered it.
Here's the chain:
→ Gmail treats john.doe@ and johndoe@ as the same inbox
→ Attacker registers a NEW Robinhood account using the dot trick of YOUR email
→ Sets the device name to raw HTML
→ Robinhood's "unrecognized activity" email drops that device name into its HTML body without escaping it, so the markup renders live in the message
The "Review Activity Now" button? Attacker's phishing site.
The email? 100% real.. Sent by Robinhood.. Signed by Robinhood..
Just because it passed every security check doesn't mean it's safe.
Abdel @rockkdev:
New Robinhood phishing chain that's kinda beautiful:
1. Attacker creates an RH account using the Gmail dot trick of your email (same inbox, different address)
2. Sets device name to HTML
3. RH's "unrecognized activity" email renders the device name unsanitized (html injection)
The result is a real email from noreply@robinhood.com, DKIM pass, SPF pass, DMARC pass, with a phishing CTA
Just because it's real, doesn't mean it's safe... $HOOD
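The two defensive fixes for the chain above, as an added example that is not code from either post or from Robinhood: escape user-controlled fields before they enter a transactional email body, and canonicalise Gmail addresses so a second registration on an existing user's inbox can be spotted. The template wording, function names and the sample device name are constructed for the illustration.

```python
import html
import re

# Domains where the mail provider ignores dots in the local part (Gmail).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Map Gmail dot variants to one account key.

    Gmail delivers john.doe@gmail.com and johndoe@gmail.com to the same
    inbox, so comparing sign-ups on this canonical form lets a service
    flag a new account created on an address that already exists.
    Other domains are only lower-cased.
    """
    local, _, domain = address.strip().rpartition("@")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return f"{local.lower()}@{domain}"


def render_alert_unsafe(device_name: str) -> str:
    """The defect in miniature: the user-supplied device name is dropped
    straight into the HTML email body, so any tags in it render."""
    return f"<p>New sign-in from device: {device_name}</p>"


def render_alert_safe(device_name: str) -> str:
    """Hardened form: escape the field before it enters the HTML body.
    quote=True also neutralises attribute delimiters."""
    return f"<p>New sign-in from device: {html.escape(device_name, quote=True)}</p>"


def has_live_anchor(body: str) -> bool:
    """Template test helper: does the rendered body still contain a clickable
    <a> tag that did not come from the template itself?"""
    return re.search(r"<a\s", body) is not None


# Constructed sample: a device name carrying a link, as the posts describe.
SAMPLE_DEVICE_NAME = '<a href="https://phish.example/login">Review Activity Now</a>'

if __name__ == "__main__":
    print(canonical_email("john.doe@gmail.com") == canonical_email("johndoe@gmail.com"))
    print(has_live_anchor(render_alert_unsafe(SAMPLE_DEVICE_NAME)))  # True
    print(has_live_anchor(render_alert_safe(SAMPLE_DEVICE_NAME)))    # False
```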