New Robinhood phishing chain that's kinda beautiful:

1. Attacker creates an RH account using the Gmail dot trick of your email (same inbox, different address)
2. Sets device name to HTML
3. RH's "unrecognized activity" email renders the device name unsanitized (HTML injection)

The result is a real email from noreply@robinhood.com, DKIM pass, SPF pass, DMARC pass, with a phishing CTA.

Just because it's real doesn't mean it's safe... $HOOD