Fake Intuit Payroll PIN-Change Notice Sent From a Free AOL Mailbox

TL;DR A payroll-PIN-change notification mimicking Intuit was sent from a free AOL mailbox, with full SPF/DKIM/DMARC pass for aol.com. The message was personalized with the recipient's name and company. The 'contact us' link ran through a third-party SendGrid redirect rather than a direct Intuit URL, obscuring the final destination. The sending address has no affiliation with Intuit, and Intuit's legitimate domain was never in the mail path.
Severity: Medium | Tags: Brand Impersonation, Social Engineering, Payroll Fraud | MITRE ATT&CK: T1566, T1598

The email looked like a routine payroll service notification. It had Intuit's logo, Intuit's Tucson address, and a real payroll support phone number. It was sent from a free AOL email account that has never been associated with Intuit.

What the Attack Looked Like

The message subject announced that a Direct Deposit Service PIN had been changed, a notification type that exists in real Intuit payroll systems. The body addressed a payroll administrator at a mid-size firm by name, referenced the company, and formatted the content to match authentic Intuit payroll notification templates. The corporate address and a matching support phone number appeared in the footer, adding institutional credibility.

The "contact us" call-to-action did not link to payroll.intuit.com directly. It routed through a SendGrid click-tracking URL: u35192344[.]ct[.]sendgrid[.]net/ls/click?.... SendGrid is a legitimate bulk email delivery and link-tracking platform, but in this message it was used to mask where the link actually terminated. The final destination was not confirmed by automated analysis, which means the recipient would have landed somewhere that could not be independently characterized from the email headers alone.

A small JPEG attachment (~WRD3600.jpg, 823 bytes) was included. Scanning returned a clean verdict. It was not the payload vector.

The From address was gmcinc[@]aol[.]com. SPF, DKIM, and DMARC all passed, because all three authentication checks evaluated the aol.com domain, not Intuit. Yahoo/AOL consumer SMTP infrastructure handled delivery and passed the message into the recipient's Microsoft 365 tenant without any authentication flags.

One additional anomaly in the body: the footer directed suspicious messages to fraud[@]intuit[.]com and spoof[@]intuit[.]com. Intuit's publicly documented security reporting address is security[@]intuit[.]com. The wrong contact address suggests the attacker copied a template without checking the current documentation.

Why It Bypassed Defenses

Brand impersonation from a consumer mailbox exploits a gap in authentication-based defenses. SPF, DKIM, and DMARC confirm only that a message was genuinely sent by the domain in its From header. When that domain is aol.com, a pass means only that the message came from that AOL mailbox. The mismatch between the authenticated sending domain (aol.com) and the impersonated brand (intuit.com) is invisible to DMARC. Catching it requires display-name or body-content analysis that maps the claimed brand identity against the actual sending domain.

The personalization deepened the risk. A message that includes a recipient's name and company name does not look like bulk spam. It looks like a notification that was generated specifically for that account. Recipients who receive a PIN-change notification they did not initiate are likely to click the "contact us" link immediately.

The SendGrid redirect added a second layer of obscurity. Link-reputation checks that evaluate the first hop in a redirect chain would score the SendGrid domain as clean, because it is a widely used and reputable platform. The true destination, one or more hops downstream, would not be evaluated unless the security tool follows the full redirect chain.


How It Was Caught

Themis flagged the sender-domain-to-brand-identity mismatch. A consumer AOL domain sending a message styled as a corporate payroll service notification is a behavioral anomaly the platform's multi-signal analysis captures even when all authentication checks pass. Community data for the sending address provided additional confirmation. The mismatched fraud-reporting address in the footer added a content-layer signal that supported the phishing classification.

Defender Takeaways

Authentication pass for a consumer domain does not endorse the content brand. Full DMARC pass for aol.com means the message came from that AOL mailbox. It says nothing about whether the body is accurately representing an Intuit system. Build rules that detect brand-name keywords (Intuit, QuickBooks, Payroll) appearing in messages sent from free consumer domains (gmail.com, yahoo.com, aol.com, hotmail.com) and route them for additional review regardless of authentication result.
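The rule described above, written out as an added example (this is not IRONSCALES or Themis code): it parses a message, pulls the SPF/DKIM/DMARC verdicts and the domains they were evaluated against out of the Authentication-Results header, looks for brand keywords in the display name, subject and body, and routes the message for review when the brand claim comes from a free consumer domain. The two sample messages, the placeholder sender address, the consumer-domain list and the assumption that intuit.com is the brand's legitimate sending domain are all constructed for the demo.

```python
"""Brand-claim versus authenticated-sender-domain rule.

Added example, not IRONSCALES/Themis code. Flags mail whose display name,
subject or body claims a payroll brand while the authenticated sending
domain is a free consumer mailbox. Both sample messages are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

BRAND_KEYWORDS = ("intuit", "quickbooks", "payroll")
BRAND_DOMAINS = {"intuit.com"}  # assumed legitimate sending domain for the brand
CONSUMER_DOMAINS = {"gmail.com", "yahoo.com", "aol.com", "hotmail.com", "outlook.com"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DOMAIN_RE = re.compile(r"\b(?:header\.d|header\.from|smtp\.mailfrom)=([\w.-]+)")


def parse_auth_results(header: str) -> dict:
    """Pull spf/dkim/dmarc verdicts and the domains they were evaluated against."""
    results = {m.group(1): m.group(2).lower() for m in AUTH_RE.finditer(header)}
    results["domains"] = sorted({m.group(1).lower() for m in DOMAIN_RE.finditer(header)})
    return results


def evaluate(raw: bytes) -> dict:
    """Return a verdict ('review' or 'allow') plus the evidence behind it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    # Brand claims can live in the display name, the subject or the body.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = re.sub(r"<[^>]+>", " ", part.get_content()) if part else ""
    haystack = " ".join([display, str(msg.get("Subject", "")), body]).lower()

    brands = sorted(k for k in BRAND_KEYWORDS if k in haystack)
    consumer_sender = sender_domain in CONSUMER_DOMAINS
    brand_in_auth_path = any(d in BRAND_DOMAINS for d in auth["domains"])
    auth_all_pass = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))

    reasons = []
    if brands and consumer_sender and not brand_in_auth_path:
        reasons.append(f"brand keywords {brands} but sender domain {sender_domain} is a consumer mailbox")
        if auth_all_pass:
            # A full pass is still a pass for the consumer domain only.
            reasons.append(f"SPF/DKIM/DMARC pass applies to {auth['domains']}, not to the claimed brand")
    return {
        "verdict": "review" if reasons else "allow",
        "sender_domain": sender_domain,
        "brands": brands,
        "auth": auth,
        "brand_in_auth_path": brand_in_auth_path,
        "reasons": reasons,
    }


# Constructed sample: brand styling from a free mailbox, full pass for aol.com.
SAMPLE_PHISH = b"""\
From: "Intuit Payroll" <consumer-user@aol.com>
To: admin@example-firm.test
Subject: Your Direct Deposit Service PIN has been changed
Authentication-Results: mx.example-firm.test; spf=pass smtp.mailfrom=aol.com; dkim=pass header.d=aol.com; dmarc=pass header.from=aol.com
Content-Type: text/plain; charset=utf-8

Hello Pat, the Direct Deposit PIN for Example Firm LLC was changed.
If you did not make this change, contact us: https://u00000000.ct.sendgrid.net/ls/click?upn=placeholder
Intuit Inc., Tucson, AZ
"""

# Constructed sample: same styling, but authenticated for the brand's own domain.
SAMPLE_LEGIT = b"""\
From: "Intuit Payroll" <no-reply@intuit.com>
To: admin@example-firm.test
Subject: Your Direct Deposit Service PIN has been changed
Authentication-Results: mx.example-firm.test; spf=pass smtp.mailfrom=intuit.com; dkim=pass header.d=intuit.com; dmarc=pass header.from=intuit.com
Content-Type: text/plain; charset=utf-8

Hello Pat, the Direct Deposit PIN for Example Firm LLC was changed.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(evaluate(sample))
```

The keyword list is deliberately short; in production it would be a per-brand table and the consumer-domain set would come from a maintained list. The important design point is that the rule never consults the authentication verdict to decide whether to look, only to explain why a pass is not exculpatory.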

Payroll notification lures are high-stakes. A PIN-change notification implies that someone already has access to the payroll account. That framing pressures recipients to act without pause. Social engineering built around alarm states (account changed, PIN reset, unusual activity) is specifically designed to override the caution that routine messages would not defeat. Train payroll and HR staff on this pattern explicitly, with examples of what legitimate Intuit notifications look like versus attacker-crafted copies.

Follow redirect chains. A "contact us" link routing through a third-party tracking domain before landing somewhere unconfirmed should be treated as unresolved. Tools that score only the first-hop domain will return clean for any SendGrid URL. Ensure your link-inspection capability follows the full redirect chain and evaluates the terminal page. Credential harvesting pages frequently sit one or two hops behind a legitimate-looking tracking domain for exactly this reason. MITRE ATT&CK documents redirect chains as a standard T1566 delivery technique.
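A minimal redirect-chain resolver for the link-inspection step above, as an added example that is not part of the original post and not IRONSCALES code. It follows Location headers hop by hop, handles relative Location values, stops on a hop budget so a loop is reported as unresolved rather than hanging, and grades the terminal domain against the domain the link claims to represent. The hop table, hostnames and `simulated_fetch` are constructed so the demo runs offline; `live_fetch` is the real HTTP variant built on the standard library and is only an assumption about how you would wire it into a sandbox.

```python
"""Redirect-chain resolver for link inspection.

Added example, not part of the original post. The hop table is constructed;
nothing touches the network unless live_fetch is passed in explicitly.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Registrable domains whose first-hop reputation tells you nothing about the destination.
TRACKING_DOMAINS = {"sendgrid.net"}


def registrable(host: str) -> str:
    """Crude registrable-domain cut (last two labels); use a public-suffix list in production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def resolve_chain(url: str, fetch, max_hops: int = 10) -> dict:
    """Follow Location headers; fetch(url) must return (status, location_or_None)."""
    chain = [url]
    for _ in range(max_hops):
        try:
            status, location = fetch(chain[-1])
        except Exception as exc:  # DNS failure, timeout, unknown URL in the stub table
            return {"chain": chain, "status": "error", "detail": str(exc)}
        if 300 <= status < 400 and location:
            chain.append(urljoin(chain[-1], location))  # relative Location is legal
            continue
        return {"chain": chain, "status": "resolved"}
    return {"chain": chain, "status": "unresolved"}  # hop budget exhausted (loop or very long chain)


def assess_link(url: str, claimed_domain: str, fetch, max_hops: int = 10) -> dict:
    """Grade a link by where it terminates, not by the domain of its first hop."""
    result = resolve_chain(url, fetch, max_hops)
    chain = result["chain"]
    first = registrable(urlparse(chain[0]).hostname or "")
    terminal = registrable(urlparse(chain[-1]).hostname or "")
    findings = []
    if first in TRACKING_DOMAINS:
        findings.append(f"first hop {first} is a tracking domain; first-hop reputation is not informative")
    if result["status"] != "resolved":
        findings.append(f"chain did not terminate ({result['status']}); treat as unresolved")
        verdict = "unresolved"
    elif terminal != claimed_domain.lower():
        findings.append(f"terminal domain {terminal} does not match claimed domain {claimed_domain}")
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hops": len(chain) - 1, "terminal": chain[-1], "findings": findings}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib raise HTTPError for 3xx instead of following it


def live_fetch(url: str, timeout: int = 10):
    """Real single-hop fetch (assumption: run from an isolated analysis host, never a user endpoint)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed hop table: tracking domain -> intermediate redirector -> unrelated landing host.
PHISH_CTA = "https://u00000000.ct.sendgrid.net/ls/click?upn=placeholder"
FAKE_HOPS = {
    PHISH_CTA: (302, "https://link.example-tracker.test/r/abc"),
    "https://link.example-tracker.test/r/abc": (301, "/to/landing"),
    "https://link.example-tracker.test/to/landing": (302, "https://secure-payroll.example-landing.test/signin"),
    "https://secure-payroll.example-landing.test/signin": (200, None),
    "https://loop.test/a": (302, "https://loop.test/a"),  # self-referencing loop
}


def simulated_fetch(url: str):
    return FAKE_HOPS[url]


if __name__ == "__main__":
    print(assess_link(PHISH_CTA, "intuit.com", simulated_fetch))
    print(resolve_chain("https://loop.test/a", simulated_fetch, max_hops=5))
```

Two choices matter here: the fetcher is injected, so the same grading code runs against a stub in tests and against a detonation host in production, and a chain that does not terminate within the hop budget is reported as unresolved rather than silently graded on its last visible hop.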

---

Indicators of Compromise

| Type | Value | Notes |
|---|---|---|
| Sender | gmcinc[@]aol[.]com | Consumer AOL mailbox; no Intuit affiliation |
| Authentication | SPF/DKIM/DMARC pass (aol.com) | Passes for AOL domain only; Intuit domain not in mail path |
| CTA redirect | u35192344[.]ct[.]sendgrid[.]net/ls/click?... | SendGrid tracking URL; final destination not confirmed |
| Impersonated brand | Intuit (Intuit Payroll / QuickBooks) | Real Intuit address and phone used as credibility props |
| Attachment | ~WRD3600.jpg (823 bytes) | Clean scan; not the payload vector |
| Body anomaly | Fraud reporting address mismatch | fraud[@]intuit[.]com listed instead of security[@]intuit[.]com |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
