Xero Mail - Send as @company-name.com not message-service@post.xero.com
Ability to make an email sent from Xero appear as @company-name.com instead of message-service@post.xero.com, when users send an email to their client/customer.
Purpose: To provide more validity when sending communications from Xero out to clients/customers and avoid items ending up in Spam/Junk mail.
Hi team, we appreciate the ongoing support and feedback we're receiving on this idea and are pleased to be able to share this update. Our product team are actively exploring how we can best solve for the needs raised here, although at this time we are unable to provide any set timeframes.
They are very much aware of the appetite from our community on this, and as part of their exploration have reached out to some users here as they gather insights.
For the time being we'll shift this to "In discovery" and I'll return as soon as there is more on this to share.
-
Dennis Seyersdahl
commented
Andrew,
You do not need to single me out. My intent was simply to make sure the issue was reported to the correct department so it can be addressed through the proper channels. If nothing is done after that, then the responsibility falls on them, not on us when our clients are impacted.
I also think the conversation had started to drift into complaints rather than solutions. As IT professionals, it is important that we help guide issues through the correct process instead of just venting in a forum where the people reading may not be the ones who can actually fix the problem. The only reason I spoke up was because of the ongoing complaints and the comment that the individual ran an IT security company. With over 25 years in the IT field, I have rarely seen situations where IT professionals were unwilling to at least try to move an issue forward in a constructive way.
That is why I contacted Xero directly and shared their response, so we could get the discussion back on track and focused on what can actually be done. I was also personally receiving multiple spam messages related to this issue, which is another reason I felt it was worth addressing.
We should be able to use our own domains, and this type of risk is not unique to Xero. QuickBooks has similar limitations, and we see the same types of attacks there as well, including spoofed domains and look-alike registrations. I had a customer recently where a bad actor registered a domain with a single extra letter added in the middle of the name. The customer’s client did not notice the difference, and the issue was only caught after I reviewed the messages. That situation ended up being reported to ICANN after we confirmed the domain was being used maliciously.
My point is that these are real security concerns, and the correct response is to report them through the proper channels so something can actually be done, not just complain about them in a forum.
If you want to single me out, that is your choice, but I will respond when I feel it is necessary to clarify my position.
-
Andrew Syme
commented
@Dennis et al.
Xero does have a security reporting pathway for reporting phishing attempts / attacks.
Please use it instead of spamming the emails of all 412 people that have supported this Product Idea.
BTW, this is not a FORUM for back-and-forth discussion. We can all agree that EMAIL security is a worldwide issue that is not readily or easily solved. Report the phishing and stop the whinging!!
-
Luke Grayson
commented
100% agree, Christopher. I also run a small IT company. Xero know. Xero don't care. Spreading awareness is all you can really do, and that's what you're doing. Thanks!
-
Christopher Dunham
commented
Once again, I don't work for Xero. If a company specializing in finance (Xero) is stupid enough to allow anybody who signs up for an account to send invoices from the same address as legitimate customers, then I am going no further than raising it in their forum. Which I did, and this is that forum, hence you are seeing it. I am not going to spend hundreds of hours trying to tell a company how naughty they are for not doing the job properly. Firstly, it won't get anywhere as they already know, and secondly, I am not a charity for rich global enterprises cutting corners on cyber security.
You seem to think Xero don't know about this; the chances of that are 0%. Xero know, and are not interested, as they will claim those defrauded should not have paid an invoice from a shared email address.
This gets treated as any other phishing email does. Marked as fraud to teach the junk filters at Microsoft to block it.
-
Tim Sneller
commented
Dennis - I emailed spoofing@xero.com, and got a similar response.
There do seem to be two main issues:
1. Criminals are setting up Xero for fake companies, and sending out invoices from Xero, in the hope that people will just pay the invoice. This is difficult to stop, unless Xero insists on Companies House registration details etc. when creating an account, but even that can be fudged. Presumably the same thing is happening from QuickBooks and other systems.
Gavin suggested that FREE accounts could possibly have emails sent from a different domain. That might help genuine companies, but the reputation of post.xero.com is probably already irredeemably damaged. The only solution is to enable companies to use their own email server, something which Xero is apparently very belatedly now looking at.
2. There appear to be random emails that are NOT related to invoices etc., which are being received from what APPEARS to be the Xero domain. If the SPF/DMARC verification is somehow being bypassed, then security@xero.com definitely need to know, and have as much evidence as possible. If the originating server info is being spoofed, that is much more difficult to stop. Again though, if our GENUINE invoices are no longer associated with post.xero.com then it won't matter so much.
-
Perry Paolantonio
commented
@Christopher: What people are asking is that if you can definitively prove that scammers are using the Xero platform to send phishing emails, report it to xero and/or a relevant government authority that will put pressure on Xero to fix this issue. The US government doesn't give a rats *** about this, especially now that it's run by scammers. But the UK government seems to, from what I'm gathering from the other comments. If you don't want to deal with it, share the information so others can.
I have not seen what you're describing, though I have received several phishing emails that were clearly NOT sent through Xero; instead they were spoofing post.xero.com so that it looked like it was coming from there. But the emails themselves had links to sites that were not "in.xero.com", the domain that Xero invoices use for viewing/paying an invoice online.
If you are seeing actual, legit emails sent BY xero on behalf of scammers, reporting it is not just a good idea, you should feel obligated to. If you feel no sense of duty to report it, then at minimum it's something you should do simply because it affects your use of the platform. Why should you have to pay for or maintain a third party system to send invoices from ...wait for it... invoicing software.
The fact that this is talked about here a lot is meaningless. I think we all know that Xero doesn't pay attention to this suggestions portal; it's here to make us feel like they are. Other channels, such as reporting Xero to an authority that could actually have an effect on their bottom line, may be the only way to get this problem addressed.
-
Dennis Seyersdahl
commented
For anyone following this thread, I reached out directly to Xero through their phishing / security reporting channel to ask what the correct escalation path is outside of the forum and normal support tickets.
This is the response I received from Xero’s security team. They confirmed that these reports should be sent to their security team and provided the addresses they want incidents forwarded to so they can investigate and take action:
They also stated that their security team reviews the headers and takes steps to prevent similar emails being sent in the future when they have enough information to investigate.
Based on that response, there does appear to be a proper escalation path for these cases beyond forum posts, and it sounds like the correct process when these emails are seen is to forward the message with headers to their security team so they can review the tenant or account that sent it.
Putting the issue only in a forum is not really a proper escalation path. A forum is useful for discussion and awareness, but it is still just a complaint thread and may not reach the security team or the people who can actually investigate the problem. In many cases the people reading or replying in the forum are not part of Xero’s security or engineering teams, so the issue may never be reviewed at the level needed to make changes.
I understand the concern about volume, especially if you are seeing a lot of these across multiple clients, but since these messages are coming from Xero’s own sending service and passing SPF / DMARC, this seems like one of the situations where reporting it through their security channel makes more sense than treating it like a normal spam sender.
At least this gives us a confirmed path from Xero on how they want these incidents handled instead of assuming nothing can be done.
-
Christopher Dunham
commented
We absolutely will correctly mark them as phishing. The security of Xero is not something of my concern; they are not my client and I am here to protect my clients. Xero have been informed many times on this thread that anybody can sign up and send invoices from their email address, and huge amounts of those invoices are simply pretending to be from other companies. It's really not hard to figure out, and is not technical whatsoever. The fraudsters know many companies use Xero and thus send out fake invoices from Xero accounts. I don't really get what's hard to understand about this? The chances Xero don't know about this are about 0%; they are not interested.
Anybody thinking I am going to spend the next 3 years trying to tell Xero this is a bad idea is absolutely insane. Every single reply on this thread tells Xero it's a bad idea to let anybody sign up to an account and send invoices from the same email as legitimate clients.
Xero have no interest in this; they just say it's not their problem if somebody pays an invoice they shouldn't have.
I don't really see why people think I should make it my lifelong mission to get Xero to change their mind, rather than just block this Xero address. By the way, many other IT / cyber security providers also block this, and it's probably the number 1 known fraud address globally as it opens an easy path to payments.
I could sign up to Xero tomorrow with a pretend company and send out invoices and see who pays; it's so easy. Like I said, Xero already know. No sympathy for them from people blocking their emails.
-
Tim Sneller
commented
Christopher - Up until today, I had always assumed that the problem was with criminals spoofing the originating email address. If they are genuinely using Xero's email server to send SPAM, then that is a SERIOUS issue, and needs to be dealt with URGENTLY. I have seen emails that have been SPOOFED, but not from a hacked Xero email service.
I agree with Dennis - this needs escalating, either to Xero, or to NCSC. If you have relevant evidence, then by just sitting on it you are not helping to stop the problem. If you have definite information that the SPF/DMARC has been hacked, then NCSC need to know.
Just marking all emails from Xero as SPAM makes it even more difficult for those who do NOT have the technical expertise to use add-on systems.
-
Gavin Wilkinson
commented
I agree with the diagnosis that it is passing SPF/DMARC. They are also allowing the messages on a subdomain used for financial comms.
If the reason for not tackling it is to allow free trials, they could at least bump free accounts onto a different subdomain.
I understand the appropriate action is to forward any examples as an attachment to phishing@xero.com
For such a major vendor and persistent security issue, it could go to the National Cyber Security Centre (NCSC) in the UK - see if they can communicate with Xero about it.
-
Christopher Dunham
commented
Good luck with that and enjoy. We had 335 fraud emails today across 2000 people, and those are the ones reported. I won't be using my 11 staff to spend their entire working year chasing 335 new vendors each day.
If a vendor cant secure their system they are on the blacklist. End of.
Thanks, and I wish you all a good day.
-
Dennis Seyersdahl
commented
Can Xero clarify what escalation path you recommend for reporting suspected fraud or platform abuse outside of the normal support ticket process?
Forum discussions and standard tickets don’t always reach the team responsible for security review, and in cases where emails are being sent through Xero’s messaging service and passing SPF / DMARC, it would be helpful to know the correct channel to report this so it can be reviewed by the appropriate security or abuse team.
If there is a dedicated contact, abuse address, or incident-response process that partners and IT providers should use for situations like this, please provide that information so these reports can be submitted through the proper path instead of only being raised in forum threads.
-
Dennis Seyersdahl
commented
Christopher,
Complaints on the forum by themselves don’t fix the underlying issue, I agree with that. My point was that if the concern is serious enough that you are blocking an entire vendor sending domain across client environments, then the discussion should move beyond forum posts and into a proper escalation path with the vendor. Forum threads are useful for awareness, but they are not the same as reporting a security incident through the channels vendors use for abuse, fraud, or incident response.
If Xero truly considers the behavior expected, then the right place to challenge that is through their security or abuse reporting process, not just community discussions. Most platforms have a separate escalation path for fraud, spoofing, or platform abuse that goes beyond normal support tickets, and that is typically how these kinds of issues actually get reviewed by the people who can make changes.
From my side, the reason I questioned this is because blocking an entire service like post.xero.com at the client level treats the symptom but does not address the source. I understand why you would do it to protect clients in the short term, but long-term that approach just shifts the problem instead of resolving it. Blocking symptoms without reporting the cause does not improve security, it just moves the problem somewhere else.
-
Christopher Dunham
commented
Great, you mean like this never-ending thread of responses of people telling Xero how insecure their platform is, allowing anybody to send emails from Xero, and Xero responding saying it's not an issue? E.g. they already know these Xero emails are not secure, so I see no point to this.
Anybody receiving these emails has already raised / followed the cyber security issue with Xero. Xero are not interested; if they were, we wouldn't have them blocked on every client system due to high-risk fraud.
-
Dennis Seyersdahl
commented
I also want to address the comment about “virtue signaling,” because that does not apply to what I said. Virtue signaling is when someone makes a statement purely to appear morally superior or to gain approval, without any real intent to solve the problem. That is not what I am doing here. My response was based on standard incident-handling practice that we use in the IT industry every day.
When a system is believed to be insecure, compromised, or being abused to send messages, the normal process is to notify the source with enough technical detail for them to investigate. That is not trying to fix the world, and it is not trying to make a point — it is simply how root-cause resolution works. We do this regularly when other companies’ tenants, mail systems, or domains are used to send malicious or suspicious messages to our clients. We contact their IT or security team, provide headers/logs, and let them handle it on their side.
In this case, the concern raised was about Xero’s sending platform. If that platform is considered insecure or untrustworthy, then reporting the behavior to the vendor with the data you already have would be the normal and professional step, especially for a company that provides IT security services. That is not virtue signaling — that is basic escalation and responsible handling of a security concern.
It may also make sense to ask Xero what escalation path they recommend for security-related incidents outside of normal support, so situations like this can be reported through the proper channel instead of only working through standard ticketing. Most vendors have abuse, security, or incident response contacts specifically for this reason.
I agree that our priority is to protect our own clients, and we do the same. But part of protecting clients is addressing the source when possible, not only putting local restrictions in place and leaving the underlying issue unresolved. Blocking symptoms without reporting the cause does not improve security, it just moves the problem somewhere else, and increases the chance that the same issue will continue to affect other companies as well.
-
Christopher Dunham
commented
Great, go and knock on Xero's door then and tell their CISO they have an insecure platform and you will fix all their issues for them. Then repeat it for every company in the world with an insecure issue.
Then, when finished virtue signaling, go and actually look after your clients.
-
Dennis Seyersdahl
commented
Christopher,
As an IT services provider myself, I deal with these situations regularly. When one of my clients receives suspicious or malicious emails from another company, I contact that company directly to let them know their account has likely been compromised so they can correct the issue on their end. Once notified, the expectation is that their IT or security team takes ownership of the problem, investigates the breach, secures the account, and confirms that the threat has been contained.
In this case, since you are not contacting Xero directly, they may not even be aware that their system or domain is being used in a way that is causing issues for others. As an IT security company, you are in a position to provide them with message headers, logs, timestamps, and other technical details that most normal businesses would not know how to gather or send. Sharing that information is part of responsible incident handling and helps stop the problem at the source instead of only working around it.
While I agree that we should be able to use our own domain without restrictions, the lack of ownership being taken here is concerning. When a security-focused IT provider sees activity that appears malicious or compromised, the standard practice is to notify the source, provide the evidence, and work to have the root cause corrected. Simply blocking or refusing communication without escalating it to the affected vendor does not resolve the underlying issue and allows the problem to continue.
From our side, we will continue to secure our environment as needed, but the responsibility for reporting and working with the sending platform falls on the party that identified the security concern, especially when that party is an IT security provider.
-
Christopher Dunham
commented
Why would I do that? We provide cyber services to our clients; if Xero have an issue with fraud, it's not my problem. We get hundreds of things like this a day. Xero are not our client. We use Xero for our finances, but a third party sends our invoices for us. I'm simply raising awareness here as a small cyber security provider: we block the post.xero address in our client systems as it is a known fraud address.
-
Tim Sneller
commented
Christopher - If that is the case, then have you had direct discussions with Xero? I know that it is not easy to get hold of them, but it is possible....
-
Christopher Dunham
commented
Tim - I am not a fan of these long trails; however, the emails certainly are being sent from Xero systems. They match the SPF records exactly. The spammers simply sign up for a Xero account and then send the spam.
We investigate these Xero fraud emails weekly as a cyber security company; they nearly always match the SPF and DMARC and pass. If you don't know what these are, then just take it from me: they are sent from Xero.
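The thread turns on one factual question that several commenters (Tim, Perry, Dennis, Christopher) answer differently: did a given message really traverse the platform's sending service and pass SPF/DKIM/DMARC aligned to post.xero.com, or is it an ordinary spoof of that From address? The answer decides the handling: forward the message with full headers to the vendor's security channel, or treat it as commodity phishing. The script below is an added example written for this page; it is not code from Xero or from any commenter. It reads the topmost Authentication-Results header that the receiving MTA stamps on a message, checks alignment of the From domain with the SPF/DKIM domains, and extracts link hosts so that links leaving the invoice-viewing host can be flagged. The two raw messages are constructed samples, the domain names `post.xero.com` and `in.xero.com` are taken from the thread, and every `*.example` / `*.example.net` host is a placeholder.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values from the thread: the platform's sending domain and the host its
# invoice view/pay links should point at. Adjust for another vendor.
PLATFORM_SENDER_DOMAIN = "post.xero.com"
PLATFORM_LINK_DOMAIN = "in.xero.com"

# Constructed sample 1: a message that really traversed the platform's mail service.
# The receiving MTA's Authentication-Results say pass, aligned to the sending domain,
# but the second link leaves the platform (a "new bank details" lure).
GENUINE_PLATFORM_EML = b"""Return-Path: <bounce-42@post.xero.com>
Authentication-Results: mx.customer.example; spf=pass smtp.mailfrom=post.xero.com; dkim=pass header.d=post.xero.com; dmarc=pass header.from=post.xero.com
From: "Acme Widgets Ltd" <message-service@post.xero.com>
Reply-To: accounts@acme-widgets.example
To: ap@customer.example
Subject: Invoice INV-0042 from Acme Widgets Ltd
Content-Type: text/plain; charset="utf-8"

Please find invoice INV-0042 attached. View and pay online:
https://in.xero.com/abc123
Note our new bank details: https://pay-invoice-secure.example.net/acme
"""

# Constructed sample 2: a spoof of the same sender. From claims post.xero.com, but the
# envelope sender is elsewhere and there is no DKIM signature, so SPF and DMARC fail.
SPOOFED_EML = b"""Return-Path: <x@mail.sender.example>
Authentication-Results: mx.customer.example; spf=fail smtp.mailfrom=mail.sender.example; dkim=none; dmarc=fail header.from=post.xero.com
From: "Acme Widgets Ltd" <message-service@post.xero.com>
To: ap@customer.example
Subject: Overdue invoice
Content-Type: text/plain; charset="utf-8"

Pay now: https://xero-invoices.example.net/pay
"""


def _find(pattern, text):
    """First capture group of pattern in text, lower-cased, or '' if absent."""
    m = re.search(pattern, text)
    return m.group(1).lower() if m else ""


def _under(host, domain):
    """True if host equals domain or is a subdomain of it (strict-ish alignment)."""
    return host == domain or host.endswith("." + domain)


def auth_results(msg):
    """Parse the topmost Authentication-Results header (the one added by your own MTA;
    msg.get returns the first occurrence). Returns method results and the domains
    SPF and DKIM were evaluated against."""
    header = msg.get("Authentication-Results", "")
    methods = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
        methods.setdefault(method, result.lower())
    return methods, _find(r"smtp\.mailfrom=([\w.-]+)", header), _find(r"header\.d=([\w.-]+)", header)


def link_hosts(msg):
    """Host names of every http(s) URL in the preferred body part, sorted and unique."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = set()
    for url in re.findall(r"""https?://[^\s"'<>]+""", text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def triage(raw_bytes):
    """Classify one raw RFC 5322 message. 'via_platform' is True only when DMARC passed,
    the From domain is the platform's, and SPF or DKIM was evaluated for a domain
    under it. A relaxed-alignment variant would compare organisational domains instead."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth, spf_domain, dkim_domain = auth_results(msg)
    aligned = _under(spf_domain, PLATFORM_SENDER_DOMAIN) or _under(dkim_domain, PLATFORM_SENDER_DOMAIN)
    via_platform = auth.get("dmarc") == "pass" and from_domain == PLATFORM_SENDER_DOMAIN and aligned
    hosts = link_hosts(msg)
    off_platform = [h for h in hosts if not _under(h, PLATFORM_LINK_DOMAIN)]
    if via_platform and off_platform:
        verdict = "escalate_to_vendor"   # sent by the platform: forward with full headers to its security/abuse channel
    elif via_platform:
        verdict = "platform_clean"       # sent by the platform, links stay on the invoice host
    else:
        verdict = "spoofed"              # not the platform's sender: handle as ordinary phishing
    return {
        "from_domain": from_domain, "auth": auth, "spf_domain": spf_domain,
        "dkim_domain": dkim_domain, "via_platform": via_platform,
        "link_hosts": hosts, "off_platform_links": off_platform, "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_PLATFORM_EML), ("spoofed", SPOOFED_EML)):
        print(label, triage(raw))
```

Run it against a saved `.eml` by replacing the constructed bytes with `open(path, "rb").read()`. The `escalate_to_vendor` case is exactly the one Dennis describes: the message authenticates as the platform's own sender, so the useful report is the full message with headers to the vendor's security contact, because only they can map the sending tenant. The `spoofed` case is Perry's: the From address is cosmetic, nothing the vendor did let it through, and the relevant evidence is the envelope domain and the link host.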