
Mysterious bill from intuit

BernieC
Member ✭✭
I can't figure out what forum to use for this, so I'll take a shot here. I just received a very strange email. It is from "[email protected]" and it says "our invoice-254623 for $200.40 is attached. You now have the option to pay invoices online with a credit card.
Thank you for your business.
Sincerely,
Hunter Lambert" and the attached invoice is a Excel Spreadsheet [!] I have excel but I don't understand its vulnerabilities very well so I'm loath to just open the spreadsheet.
I've done some forensics on the email and it did, in fact, original from "notifications.intuit.com", but I don't have, and have never had, anything to do with quickbooks so I'm at a loss as to what to do with/about the email. Thanks!
Thank you for your business.
Sincerely,
Hunter Lambert" and the attached invoice is a Excel Spreadsheet [!] I have excel but I don't understand its vulnerabilities very well so I'm loath to just open the spreadsheet.
I've done some forensics on the email and it did, in fact, original from "notifications.intuit.com", but I don't have, and have never had, anything to do with quickbooks so I'm at a loss as to what to do with/about the email. Thanks!
0
Best Answer
-
Do not open the Excel spreadsheet and if you do not use Quickbooks, you can simply delete the email and consider the matter closed.
user since '92 | Quicken Windows Premier - Subscription | Windows 11 Pro version 22H2
5
Answers
-
Do not open the Excel spreadsheet and if you do not use Quickbooks, you can simply delete the email and consider the matter closed.
user since '92 | Quicken Windows Premier - Subscription | Windows 11 Pro version 22H2
5 -
While I agree completely with @GeoffG's suggestion, you might try asking this same question in the Quickbooks forum also.
Q user since DOS version 5
Now running Quicken Windows Subscription, Home & Business
Retired "Certified Information Systems Auditor" & Bank Audit VP0 -
This could be perfectly normal. I have one or two firms I do business with who bill me via Quickbooks, and I get emails like that. I don't use Quickbooks either, but the billers do. The billers can attach files to the email. I usually get PDF attachments with such bills.
Quicken user since version 2 for DOS, now using QWin Premier Subscription (US) on Win10 Pro.0 -
It is very risky to open an Excel spreadsheet without knowing its origin, and even then could pose significant risk. Excel spreadsheets can contain malicious code that can run malware.Not a good practice if that is what Quickbooks is using to convey invoices.
user since '92 | Quicken Windows Premier - Subscription | Windows 11 Pro version 22H2
0 -
I interpreted it to mean that the Vendor was using the Excel spreadsheet ... not that QB was causing that to be used.AND, if the OP is running a GOOD malware program, detaching and then opening the spreadsheet should be of minimal to negligible risk.Q user since DOS version 5
Now running Quicken Windows Subscription, Home & Business
Retired "Certified Information Systems Auditor" & Bank Audit VP0 -
Yes, it's the biller attaching the spreadsheet, not Quickbooks.Anyway, my understanding is that a normal .XLSX workbook is safe in current Excel versions. Malicious content lives in macros, which need to be in .XLSM files to execute. Furthermore, the user has to have enabled macros in the Excel Trust Center.The thing I would look at is the sender. I googled Hunter Lambert and got a variety of results. If you've done business with a Hunter Lambert, @BernieC, this is probably legitimate. If you haven't, it's possible this is a benign email which was incorrectly addressed.Quicken user since version 2 for DOS, now using QWin Premier Subscription (US) on Win10 Pro.0
-
[Duplicate post deleted]
Quicken user since version 2 for DOS, now using QWin Premier Subscription (US) on Win10 Pro.0 -
I've got my answer -- I opened excel and took a chance and tried to open the "invoice". It wouldn't open. Windows defender blocked it AND excel wasn't happy with it. So it was an attack. Since it was sent from the intuit.com domain, should I complain/warn them that there's something awry in their world?0
-
Have you tried asking over on the QB forum, to see if this is a known issue?
Q user since DOS version 5
Now running Quicken Windows Subscription, Home & Business
Retired "Certified Information Systems Auditor" & Bank Audit VP0 -
BernieC said:I've got my answer -- I opened excel and took a chance and tried to open the "invoice". It wouldn't open. Windows defender blocked it AND excel wasn't happy with it. So it was an attack. Since it was sent from the intuit.com domain, should I complain/warn them that there's something awry in their world?Good catch. Looks like they already know about this, but it wouldn't hurt to forward them the entire email with headers & attachments intact.
Quicken user since version 2 for DOS, now using QWin Premier Subscription (US) on Win10 Pro.0 -
They do -- it is the *exact* email that I received.. It is now deleted and forgotten. BUT -- it is a pretty clever forgery. I'm experienced with doing forensics on email and this one was cleverer than most.
Received: from [45.171.95.217] (dynamic-45-171-95-217.turbonetrecife.net.br [45.171.95.217])
by vade-backend7.dreamhost.com (Postfix) with ESMTP id D6306438487D5
for <[email removed]>; Mon, 4 May 2020 17:51:24 -0700 (PDT)
Received: from jwrg.o4.e.notification.intuit.com (jwrg.o4.e.notification.intuit.com [87.212.183.77])
by jwrg.o4.e.notification.intuit.com with ESMTP
The email claimed to be "from:" somebody at notification.intuit.com. And the last Received: stamp seems to indicate that it was actually sent from a system at notification.intuit.com. But look at the next Received stamp: it is a discontinuity and came to my incoming SMTP server from a site in brazil. Not from intuit after all.
Sneaky0
This discussion has been closed.