{"id":1010,"date":"2026-04-28T04:56:08","date_gmt":"2026-04-28T04:56:08","guid":{"rendered":"https:\/\/zineausa.com\/blog\/?p=1010"},"modified":"2026-04-28T05:12:29","modified_gmt":"2026-04-28T05:12:29","slug":"breaking-down-the-robinhood-email-infrastructure-takeover-attack","status":"publish","type":"post","link":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/","title":{"rendered":"Poisoning Robinhood: HTML Injection via Metadata"},"content":{"rendered":"\n<p>While their systems were not technically breached, on 4\/27\/2026, Robinhood sent out a swath of phishing emails, being fully signed from their own infrastructure. <\/p>\n\n\n\n<p>While phishing emails are not generally interesting, this one is, as the attacker used a novel technique to get these to deliver to the end user, bypassing spam detection, and utilizing a novel Robinhood email infrastructure takeover.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">TL;DR &#8211; At a Glance<\/h3>\n\n\n\n<p><strong>Vector:<\/strong> HTML Injection via device metadata.<br><strong>Routing:<\/strong> Gmail &#8220;dot trick&#8221; to bypass duplicate email checks.<br><strong>Auth: <\/strong>100% valid SPF, DKIM, and DMARC (sent via legitimate SendGrid tenant).<br><strong>Payload: <\/strong>Malicious HTML rendered inside an official Robinhood notification<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The Attack Hook: The Gmail &#8220;Dot Trick&#8221;<\/strong><\/h3>\n\n\n\n<p>The campaign began by targeting existing Robinhood users through a known quirk in Gmail&#8217;s routing. Gmail ignores periods in the local part of an email address. For example, <code>johndoe@gmail.com<\/code> and <code>john.doe@gmail.com<\/code> deliver to the same inbox.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"657\" height=\"269\" src=\"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/image.png\" alt=\"\" class=\"wp-image-1011\" srcset=\"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/image.png 657w, https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/image-300x123.png 300w\" sizes=\"auto, (max-width: 657px) 100vw, 657px\" \/><\/figure>\n\n\n\n<p>By creating new Robinhood accounts using a dotted version of a target&#8217;s email, the attackers were able to:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Avoid Duplicate Email Checks:<\/strong> The system saw a &#8220;new&#8221; email address.<\/li>\n\n\n\n<li><strong>Ensure Delivery:<\/strong> The resulting system notifications were delivered to the original user&#8217;s primary inbox.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The Technical Exploit: HTML Injection via Metadata<\/strong><\/h3>\n\n\n\n<p>The &#8220;magic&#8221; of this attack wasn&#8217;t just in the delivery, but in the content. The attackers exploited a lack of input sanitization in the account creation flow.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The Vector:<\/strong> During signup, attackers sent malicious HTML payloads within browser or device metadata fields (like the User-Agent or Device Name).<\/li>\n\n\n\n<li><strong>The Vulnerability:<\/strong> Robinhood&#8217;s backend appears to have stored this unsanitized string and later injected it directly into an automated &#8220;New Login&#8221; or &#8220;Account Change&#8221; email template.<\/li>\n\n\n\n<li><strong>The Result:<\/strong> Because the email was generated by Robinhood\u2019s actual servers and sent via their SendGrid tenant, it arrived with a <strong>verified Gmail checkmark<\/strong> and passed all SPF, DKIM, and DMARC checks.<\/li>\n<\/ul>\n\n\n\n<p>See below for a sample of the headers in the email I received:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Delivered-To: ...\nARC-Authentication-Results: i=1; mx.google.com;\n       dkim=pass header.i=@robinhood.com header.s=s1 header.b=zqFdtxhI;\n       dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=N9lQxaaj;\n       spf=pass (google.com: domain of bounces+1739348-282f-...m@sg-email.robinhood.com designates 50.31.40.75 as permitted sender) smtp.mailfrom=\"bounces+1739348-282f...@sg-email.robinhood.com\";\n       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=robinhood.com\nReturn-Path: &lt;bounces+1739348-282f-...@sg-email.robinhood.com&gt;\nReceived: from o3.email.robinhood.com (o3.email.robinhood.com. &#91;50.31.40.75])\n        by mx.google.com with ESMTPS id 6a1803df08f44-8b02aef8544si337460546d6.465.2026.04.26.17.50.16\n        for &lt;...@gmail.com&gt;\n        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128\/128);\n        Sun, 26 Apr 2026 17:50:16 -0700 (PDT)\nReceived-SPF: pass (google.com: domain of bounces+1739348-282f-....com@sg-email.robinhood.com designates 50.31.40.75 as permitted sender) client-ip=50.31.40.75;\nAuthentication-Results: mx.google.com;\n       dkim=pass header.i=@robinhood.com header.s=s1 header.b=zqFdtxhI;\n       dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=N9lQxaaj;\n       spf=pass (google.com: domain of bounces+1739348-282f-....com@sg-email.robinhood.com designates 50.31.40.75 as permitted sender) smtp.mailfrom=\"bounces+1739348-282f-...=gmail.com@sg-email.robinhood.com\";\n       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=robinhood.com\nFrom: Robinhood &lt;noreply@robinhood.com&gt;\nMessage-ID: &lt;QBGzyCaaS2O9EaWBzFlKGA@geopod-ismtpd-2&gt;\nSubject: Your recent login to Robinhood\nFeedback-ID: 751av2Nggjb0pZfGeCefTv::REGULATORY_REQUIRED:postoffice\n...\n\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">The Phishing Email<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"875\" src=\"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/robin-1024x875.png\" alt=\"\" class=\"wp-image-1012\" srcset=\"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/robin-1024x875.png 1024w, https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/robin-300x256.png 300w, https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/robin-768x656.png 768w, https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/robin.png 1157w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The Robinhood Follow-up<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"763\" src=\"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/robin2-1024x763.png\" alt=\"\" class=\"wp-image-1013\" srcset=\"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/robin2-1024x763.png 1024w, https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/robin2-300x223.png 300w, https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/robin2-768x572.png 768w, https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/robin2.png 1192w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The Anatomy of the Deception<\/strong><\/h3>\n\n\n\n<p>A standard phishing email looks like a forgery. This email <em>was<\/em> a legitimate Robinhood communication, but it was &#8220;poisoned&#8221; with a custom HTML overlay.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table  class=\"has-fixed-layout table table-hover\" ><thead><tr><td><strong>Feature<\/strong><\/td><td><strong>Why it Succeeded<\/strong><\/td><\/tr><\/thead><tbody><tr><td><strong>Sender Address<\/strong><\/td><td><code>noreply@robinhood.com<\/code> (100% Legitimate)<\/td><\/tr><tr><td><strong>Security Headers<\/strong><\/td><td><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/04\/27\/robinhood-phishing-email-campaign\/\">Passed SPF, DKIM, DMARC, and BIMI (Checkmarks were present)<\/a><\/td><\/tr><tr><td><strong>Content<\/strong><\/td><td>Custom HTML injected into the body to show &#8220;Unrecognized Activity&#8221; and a malicious &#8220;Review Activity&#8221; button.<\/td><\/tr><tr><td><strong>Link Destination<\/strong><\/td><td>The button pointed initially to <code>https:\/\/www.googletagmanager[.]com\/debug\/clearcookies?url=https%3A%2F%2Ftinzio.net%2Fvalidate%3Ftoken%3DeZyCnLCJGab_AsKg3AvPt38wmpWmaLFommDMHgTemACIXvRLtzLyEnjwhvUdvbFD_CDSyBoNOw<\/code>, which would then redirect to an external phishing domain like <code>robinhood.casevaultreview[.]com\/verify<\/code>. This seemed to be Russian in nature and attempted to trick you into transferring your crypto to an attacker held wallet.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Key Takeaways for Security Engineers<\/strong><\/h3>\n\n\n\n<p>This incident serves as a stark reminder that even &#8220;internal&#8221; metadata must be treated as untrusted user input.<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Sanitize Everything:<\/strong> <a href=\"https:\/\/zineausa.com\/service\/pen-testing\/\">Never assume<\/a> that &#8220;Device Name&#8221; or &#8220;Browser Type&#8221; is safe. If it ends up in an HTML-formatted email (or a dashboard), it must be escaped.<\/li>\n\n\n\n<li><strong>Trust but Verify Infrastructure:<\/strong> Just because an email comes from a trusted SendGrid tenant doesn&#8217;t mean the <em>intent<\/em> is benign.<\/li>\n\n\n\n<li><strong>The &#8220;Checkmark&#8221; Fallacy:<\/strong> We have spent years training users to look for the &#8220;verified&#8221; icon. This attack proves that a verified sender is only as secure as the weakest input field in their signup flow.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Final Thought<\/strong><\/h3>\n\n\n\n<p>If you received one of these emails, don&#8217;t feel bad if you fell for it. Even for a seasoned security professional, an email that originates from a legitimate domain and passes all cryptographic checks is the &#8220;gold standard&#8221; of trust. When that trust is weaponized, the only defense is a healthy dose of skepticism regarding the destination of the links themselves.<\/p>\n\n\n\n<p>Learning more about phishing? Check out our various GoPhish tutorials like <a href=\"https:\/\/zineausa.com\/blog\/2022\/12\/gophish-google-workplaces-sending-profile-tutorial\/\">this<\/a> one!<\/p>\n\n\n\n<p>P.S. if you voluntarily freeze your account.. it may take DAYS for your stuff to unfreeze, just fyi&#8230; very tedious. Also &#8211; we obviously did not conduct this attack, this is just a technical breakdown of what was done by the adversary.<br><br>Proper channel for reporting phishing emails to Robinhood is <a href=\"mailto:reportphishing@robinhood.com\">reportphishing@robinhood.com<\/a>.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>While their systems were not technically breached, on 4\/27\/2026, Robinhood sent out a swath of phishing emails, being fully signed from their own infrastructure. While phishing emails are not generally interesting, this one is, as the attacker used a novel technique to get these to deliver to the end user, bypassing spam detection, and utilizing [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[],"class_list":["post-1010","post","type-post","status-publish","format-standard","hentry","category-industry-news"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Poisoning Robinhood: HTML Injection via Metadata - Zinea InfoSec Blog<\/title>\n<meta name=\"description\" content=\"Explore how attackers bypassed SPF\/DKIM and BIMI checks by using HTML injection in Robinhood\u2019s account creation flow on 4\/27\/26. A deep dive into metadata poisoning and the Gmail dot trick.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Poisoning Robinhood: HTML Injection via Metadata - Zinea InfoSec Blog\" \/>\n<meta property=\"og:description\" content=\"Explore how attackers bypassed SPF\/DKIM and BIMI checks by using HTML injection in Robinhood\u2019s account creation flow on 4\/27\/26. A deep dive into metadata poisoning and the Gmail dot trick.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"Zinea InfoSec Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/zineausa\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-28T04:56:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-28T05:12:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"657\" \/>\n\t<meta property=\"og:image:height\" content=\"269\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Zinea\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ZineaLLC\" \/>\n<meta name=\"twitter:site\" content=\"@ZineaLLC\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Zinea\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/\"},\"author\":{\"name\":\"Zinea\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/person\\\/e3c58d4f0650f7fb571c01fcf836b1d0\"},\"headline\":\"Poisoning Robinhood: HTML Injection via Metadata\",\"datePublished\":\"2026-04-28T04:56:08+00:00\",\"dateModified\":\"2026-04-28T05:12:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/\"},\"wordCount\":669,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/image.png\",\"articleSection\":[\"Industry News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/\",\"name\":\"Poisoning Robinhood: HTML Injection via Metadata - Zinea InfoSec Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/image.png\",\"datePublished\":\"2026-04-28T04:56:08+00:00\",\"dateModified\":\"2026-04-28T05:12:29+00:00\",\"description\":\"Explore how attackers bypassed SPF\\\/DKIM and BIMI checks by using HTML injection in Robinhood\u2019s account creation flow on 4\\\/27\\\/26. A deep dive into metadata poisoning and the Gmail dot trick.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/#primaryimage\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/image.png\",\"contentUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/image.png\",\"width\":657,\"height\":269},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/2026\\\/04\\\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Poisoning Robinhood: HTML Injection via Metadata\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/\",\"name\":\"Zinea InfoSec Blog\",\"description\":\"Cyber Security Resources\",\"publisher\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#organization\",\"name\":\"Zinea LLC\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/05\\\/zinea-square.png\",\"contentUrl\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/05\\\/zinea-square.png\",\"width\":876,\"height\":876,\"caption\":\"Zinea LLC\"},\"image\":{\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/zineausa\\\/\",\"https:\\\/\\\/x.com\\\/ZineaLLC\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zineausa.com\\\/blog\\\/#\\\/schema\\\/person\\\/e3c58d4f0650f7fb571c01fcf836b1d0\",\"name\":\"Zinea\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g\",\"caption\":\"Zinea\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Poisoning Robinhood: HTML Injection via Metadata - Zinea InfoSec Blog","description":"Explore how attackers bypassed SPF\/DKIM and BIMI checks by using HTML injection in Robinhood\u2019s account creation flow on 4\/27\/26. A deep dive into metadata poisoning and the Gmail dot trick.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/","og_locale":"en_US","og_type":"article","og_title":"Poisoning Robinhood: HTML Injection via Metadata - Zinea InfoSec Blog","og_description":"Explore how attackers bypassed SPF\/DKIM and BIMI checks by using HTML injection in Robinhood\u2019s account creation flow on 4\/27\/26. A deep dive into metadata poisoning and the Gmail dot trick.","og_url":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/","og_site_name":"Zinea InfoSec Blog","article_publisher":"https:\/\/www.facebook.com\/zineausa\/","article_published_time":"2026-04-28T04:56:08+00:00","article_modified_time":"2026-04-28T05:12:29+00:00","og_image":[{"width":657,"height":269,"url":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/image.png","type":"image\/png"}],"author":"Zinea","twitter_card":"summary_large_image","twitter_creator":"@ZineaLLC","twitter_site":"@ZineaLLC","twitter_misc":{"Written by":"Zinea","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/#article","isPartOf":{"@id":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/"},"author":{"name":"Zinea","@id":"https:\/\/zineausa.com\/blog\/#\/schema\/person\/e3c58d4f0650f7fb571c01fcf836b1d0"},"headline":"Poisoning Robinhood: HTML Injection via Metadata","datePublished":"2026-04-28T04:56:08+00:00","dateModified":"2026-04-28T05:12:29+00:00","mainEntityOfPage":{"@id":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/"},"wordCount":669,"commentCount":0,"publisher":{"@id":"https:\/\/zineausa.com\/blog\/#organization"},"image":{"@id":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/image.png","articleSection":["Industry News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/","url":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/","name":"Poisoning Robinhood: HTML Injection via Metadata - Zinea InfoSec Blog","isPartOf":{"@id":"https:\/\/zineausa.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/#primaryimage"},"image":{"@id":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/image.png","datePublished":"2026-04-28T04:56:08+00:00","dateModified":"2026-04-28T05:12:29+00:00","description":"Explore how attackers bypassed SPF\/DKIM and BIMI checks by using HTML injection in Robinhood\u2019s account creation flow on 4\/27\/26. A deep dive into metadata poisoning and the Gmail dot trick.","breadcrumb":{"@id":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/#primaryimage","url":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/image.png","contentUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2026\/04\/image.png","width":657,"height":269},{"@type":"BreadcrumbList","@id":"https:\/\/zineausa.com\/blog\/2026\/04\/breaking-down-the-robinhood-email-infrastructure-takeover-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zineausa.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Poisoning Robinhood: HTML Injection via Metadata"}]},{"@type":"WebSite","@id":"https:\/\/zineausa.com\/blog\/#website","url":"https:\/\/zineausa.com\/blog\/","name":"Zinea InfoSec Blog","description":"Cyber Security Resources","publisher":{"@id":"https:\/\/zineausa.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zineausa.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zineausa.com\/blog\/#organization","name":"Zinea LLC","url":"https:\/\/zineausa.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zineausa.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2018\/05\/zinea-square.png","contentUrl":"https:\/\/zineausa.com\/blog\/wp-content\/uploads\/2018\/05\/zinea-square.png","width":876,"height":876,"caption":"Zinea LLC"},"image":{"@id":"https:\/\/zineausa.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/zineausa\/","https:\/\/x.com\/ZineaLLC"]},{"@type":"Person","@id":"https:\/\/zineausa.com\/blog\/#\/schema\/person\/e3c58d4f0650f7fb571c01fcf836b1d0","name":"Zinea","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/81f66095634a4c974693824dc72cd0db7c7c44910d60dda2d1bf1be275ee107d?s=96&d=mm&r=g","caption":"Zinea"}}]}},"_links":{"self":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts\/1010","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/comments?post=1010"}],"version-history":[{"count":5,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts\/1010\/revisions"}],"predecessor-version":[{"id":1019,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/posts\/1010\/revisions\/1019"}],"wp:attachment":[{"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/media?parent=1010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/categories?post=1010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zineausa.com\/blog\/wp-json\/wp\/v2\/tags?post=1010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}