Cyber: Robinhood account creation flaw abused to send phishing emails (2026)
Online trading platform Robinhood's account creation process was exploited by threat actors to inject phishing messages into legitimate emails, tricking users into believing their accounts had seen suspicious activity.

Starting last night, Robinhood customers began receiving "Your recent login to Robinhood" emails stating that an "Unrecognized Device Linked to Your Account" had been detected, complete with unusual IP addresses and partial phone numbers.

"We detected a login attempt from a device that is not recognized," reads the phishing email. "If this was not you, please review your account activity immediately to secure your account."

The email included a button titled "Review Activity Now" that led to a phishing site at robinhood[.]casevaultreview[.]com, which is now down. However, screenshots on Reddit indicate that the site was likely used to try to steal Robinhood credentials.

What made the emails convincing is that they came from the legitimate Robinhood email address [email protected] and passed SPF and DKIM email security checks.

Attackers abused Robinhood to generate these phishing emails by exploiting a flaw in the company's onboarding process that allowed them to inject arbitrary HTML into its account confirmation emails. BleepingComputer confirmed that when a new Robinhood account is registered, the company automatically sends a "Your recent login to Robinhood" email to the associated address, containing the registration time, IP address, device information, and approximate location.
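The article does not say which field carried the injected markup. As an added illustration (not Robinhood's code, and not from the report), the snippet below assumes a hypothetical notification template that interpolates a user-controlled device string and location into an HTML email: it shows the unescaped rendering that lets attacker markup through, the escaped rendering that neutralises it, and a simple check that flags tags in a rendered message which the template itself never emits.

```python
import html
import re

# Constructed sample template, assumed for illustration only: device and
# location strings come from the registration request and are placed into
# the body of a "recent login" notification email.
TEMPLATE = (
    "<p>We detected a login attempt from a device that is not recognized.</p>"
    "<p>Device: {device}</p><p>Location: {location}</p>"
)

# Constructed attacker-controlled device string carrying injected markup
# (placeholder link domain; not the one from the incident).
INJECTED_DEVICE = (
    'Chrome<br><a href="https://review.example.invalid/">'
    "Review Activity Now</a>"
)

def render_unsafe(device: str, location: str) -> str:
    """Vulnerable pattern: raw interpolation, so user HTML lands in the email."""
    return TEMPLATE.format(device=device, location=location)

def render_safe(device: str, location: str) -> str:
    """Hardened pattern: escape every user-controlled value before templating."""
    return TEMPLATE.format(device=html.escape(device, quote=True),
                           location=html.escape(location, quote=True))

# Detection: a transactional email should contain only the markup its
# template emits. Any tag present in the rendered body but absent from the
# template (here an anchor and a line break) indicates injection.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")

def unexpected_tags(rendered: str, template: str = TEMPLATE) -> set:
    allowed = {t.lower() for t in TAG_RE.findall(template)}
    found = {t.lower() for t in TAG_RE.findall(rendered)}
    return found - allowed

if __name__ == "__main__":
    loc = "Menlo Park, CA"
    print(unexpected_tags(render_unsafe(INJECTED_DEVICE, loc)))  # {'a', 'br'}
    print(unexpected_tags(render_safe(INJECTED_DEVICE, loc)))    # set()
```

The same tag-allowlist comparison can run over outbound mail at the sending gateway, where it catches injection regardless of which template field was abused.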
Source: BleepingComputer