
Glad to see @thrivedesk featured in @postmarkapp 2025 wrapped 🎉
Postmark
6.3K posts

@postmarkapp
The email delivery service that people actually like. We get your emails to the inbox—fast and reliably. By @ActiveCampaign.




Animated favicon for a client

Got a legit-looking @RobinhoodApp email today. Haven’t touched the account in years.

Downloaded the raw .eml and checked headers.

SPF ✅
DKIM ✅
DMARC ✅

It was actually sent from Robinhood’s infrastructure. But the body had a phishing payload injected into it.

The top half of the email was normal: “Your recent login to Robinhood”

Then inside the HTML, mid-content, it suddenly injected: “UNRECOGNIZED ACTIVITY — Case #RH-6801” with a “Review Activity” button.

That button did NOT go to robinhood.com. It went to:

googletagmanager.com → redirect → tinzio.net

Classic cloaking.

This is what makes it dangerous: This isn’t a spoof. This isn’t a random phishing email. It passed all authentication checks and came from a real sender.

What likely happened: Some part of the email pipeline (template / dynamic field / notification system) got abused and allowed HTML injection. So attackers piggybacked on a legit email.

Why this matters: Most advice says “check the sender”. That doesn’t work here. Everything looked legit at the header level.

What to do instead:

- Never click email buttons for anything financial
- Always go directly to the app or type the URL manually
- Treat urgency + “case numbers” as a red flag
- Inspect link destinations (not just the visible text)
- If something feels off, it probably is

What I did:

- I downloaded the .eml file and sent it to an AI to analyze
- Logged in manually
- Changed password
- Rotated 2FA
- Checked devices + account changes

If you use Robinhood (or any fintech), assume this technique will get reused. Real emails can still be weaponized. Stay sharp.


















