The email said there was a new voicemail. It appeared to come from QuickBooks, carrying the display name of the receiving organization itself, a layered identity trick designed to pass the two-second inbox glance. The sending address was quickbooks@notification[.]intuit[.]com. SPF failed. DKIM returned none. DMARC failed with a policy of reject.
None of that stopped it from landing in the inbox at a spam confidence level of -1, the most trusted possible designation in the Exchange filtering stack.
Between the authentication failure and the inbox sat a Barracuda ESS relay with an allow-list entry. That single allow-list record overwrote every other signal in the delivery chain.
Barracuda Email Security Service (ESS) is a cloud gateway that processes inbound mail before forwarding it to Microsoft Exchange Online. Organizations configure it as their MX endpoint, then set the Barracuda IP ranges in an Exchange connector allow-list so that legitimate mail from Barracuda is not double-filtered. This is standard practice. It is also an attack surface.
When the spoofed QuickBooks email arrived at the Barracuda relay, Barracuda processed it and forwarded it to Exchange Online. Because Barracuda's sending IP was in the allow-list, Exchange Online stamped the message with SCL=-1 (safe sender, skip all spam filtering) and delivered it directly to the inbox. The DMARC p=reject policy on notification.intuit.com would have caused a hard reject if the message had arrived at Exchange Online directly. Routed through the allow-listed Barracuda relay, that policy was never evaluated at delivery.
This is not a Barracuda vulnerability. It is a configuration architecture problem that exists at any organization running a gateway-to-Exchange relay model with an overly broad allow-list. The allow-list is meant to trust mail that Barracuda has already screened. Barracuda sees inbound mail and forwards it; in this configuration it did not block the spoof before forwarding.
The correct mitigation is to configure Exchange connectors to only accept mail from Barracuda that carries a specific certificate or header validation token, not to accept all mail from any Barracuda IP as pre-screened safe.
The subject was "You Have a New Voicemail Message." The display name was set to match the receiving organization's own name, a technique that exploits how email clients render the From field: the display name, not the address, is what most recipients read in the inbox list view.
The CTA linked to hxxps://store.tuchobio[.]download/bEKlisQonE@5m0/[recipient-address-redacted]. The domain tuchobio[.]download was registered January 7, 2026 at Dynadot, with Cloudflare name servers and privacy protection active. The URL path structure encodes the recipient's email address directly after a campaign-specific token, a standard practice in phishing kits that enables per-recipient tracking and form pre-fill on the credential page.
Two template tokens in the email body were unrendered: a $ramen.eisha... string and a support@{domain} placeholder. These are variable substitution tokens from the campaign kit that were not replaced before the email was sent. This is a common quality-control failure in high-volume phishing operations where the same kit template is mass-deployed across multiple target batches with incomplete variable mapping. It is also a detection signal: legitimate transactional email from Intuit does not contain unresolved template variables.
Multiple finance staff at the targeted forensics consultancy received the email simultaneously. The voicemail-lure pretext is particularly effective against finance roles because:
Credential harvesting at finance and accounting roles yields access to payment authorization systems, ERP platforms, and bank account management. The IBM Cost of a Data Breach 2024 report identifies finance as one of the top five sectors by breach cost. Targeting multiple staff members simultaneously improves campaign success probability: if any one recipient clicks before a security alert propagates, the credentials are compromised.
Themis scored this email at 90% malice confidence. The detection did not depend on the gateway's SCL stamp or on authentication records. It operated on the email content and behavioral signals that remained visible post-delivery:
- **Spoofed trusted brand with complete auth failure.** notification.intuit.com is a known Intuit sending domain with established SPF and DMARC records. A message claiming to originate from that address with SPF fail, DKIM none, and DMARC fail is a fundamental authentication contradiction: the brand being spoofed has a strong authentication record, and the email lacks it entirely.
- **Newly registered .download TLD with recipient tracking parameter.** The CTA domain was five months old at the time of delivery, with a .download TLD that carries elevated baseline suspicion in threat intelligence feeds. The encoded recipient address in the URL path is a specific behavioral signature of credential-harvest kits.
- **Unrendered template tokens.** Legitimate Intuit notification infrastructure does not send emails with ${variable} or $identifier strings visible in the message body. These artifacts identify the email as phishing kit output.
- **Simultaneous multi-mailbox delivery from a cold sender.** No prior sending relationship existed between the spoofed Intuit domain and any of the targeted mailboxes. Simultaneous delivery to multiple targets in the same department from a first-contact sender is a campaign-pattern signal.
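The post-delivery checks above, written out as an added example (this is not IRONSCALES or Themis code). The message headers and body are constructed to mirror the case described, the receiving organization's name and domain are placeholders, and the risky-TLD list is illustrative rather than a vetted feed.

```python
"""Post-delivery signals for the voicemail-lure case, evaluated on message content only."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF fail / DKIM none / DMARC fail (action=oreject), yet
# Exchange stamped SCL -1 because the message arrived via an allow-listed relay.
SAMPLE = """\
From: "Acme Forensics" <quickbooks@notification.intuit.com>
To: ap@acme-forensics.example
Subject: You Have a New Voicemail Message
Authentication-Results: spf=fail smtp.mailfrom=notification.intuit.com; dkim=none header.d=none; dmarc=fail action=oreject header.from=notification.intuit.com
X-MS-Exchange-Organization-SCL: -1
Content-Type: text/plain; charset=us-ascii

Listen now: https://store.tuchobio.download/bEKlisQonE@5m0/ap@acme-forensics.example
Need help? Contact support@{domain}  $ramen.eisha
"""

URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?")
# Matches kit placeholders such as $ramen.eisha, ${variable} and support@{domain}.
TOKEN_RE = re.compile(r"\$\{?[A-Za-z_][\w.]*\}?|@\{[A-Za-z_]\w*\}")
RISKY_TLDS = {"download", "zip", "top"}  # illustrative, not a vetted list


def signals(raw: str, org_name: str, org_domain: str) -> list[str]:
    """Return the names of the signals present in one delivered message."""
    msg = message_from_string(raw)
    found = []
    auth = msg.get("Authentication-Results", "").lower()
    scl = msg.get("X-MS-Exchange-Organization-SCL", "").strip()
    auth_failed = all(k in auth for k in ("spf=fail", "dkim=none", "dmarc=fail"))
    if auth_failed:
        found.append("auth_contradiction")
    if auth_failed and scl == "-1":  # gateway stamped "safe" despite DMARC fail
        found.append("allowlisted_relay_bypass")
    name, addr = parseaddr(msg.get("From", ""))
    if name.strip().lower() == org_name.lower() and not addr.lower().endswith("@" + org_domain):
        found.append("display_name_impersonates_recipient_org")
    body = msg.get_payload(decode=True).decode(errors="replace")
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    for host, path in URL_RE.findall(body):
        if host.rsplit(".", 1)[-1].lower() in RISKY_TLDS:
            found.append("risky_tld_link")
        if recipient and recipient in (path or "").lower():
            found.append("recipient_encoded_in_url")
    if TOKEN_RE.search(body):
        found.append("unrendered_template_tokens")
    return found
```

The cold-sender signal needs sending history across mailboxes and is therefore left out of this single-message check.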
MITRE ATT&CK T1566.002 covers the spearphishing-via-link vector. This campaign adds two specific evasion layers to the basic technique: gateway allow-list exploitation to achieve SCL=-1 delivery, and recipient-tracking URL encoding to maximize conversion and intelligence collection on click-through rates.
The gateway allow-list bypass is the most operationally significant element here. According to IRONSCALES platform data, SEGs miss an average of 67.5 phishing emails per 100 mailboxes per month. The allow-list architecture is one reason that number stays high: a gateway that has been allow-listed into delivering mail without post-transit screening is operating as a trusted relay for whatever arrives at it.
SPF and DMARC records on the spoofed Intuit domain did their job. The failure was upstream of them, in the delivery architecture. That gap requires a post-delivery detection layer that operates independently of what the gateway decided before delivery.
---
| Type | Indicator | Context |
|---|---|---|
| Domain | tuchobio[.]download | Attacker credential-harvest host, registered 2026-01-07 |
| URL | hxxps://store.tuchobio[.]download/bEKlisQonE@5m0/[recipient-redacted] | Phishing CTA with encoded recipient tracking parameter |
| Spoofed address | quickbooks@notification.intuit[.]com | From address spoofed; SPF fail, DKIM none, DMARC fail |
| Delivery path | Barracuda ESS relay | Allow-listed in Exchange connector; stamped SCL=-1 |