Mysterious bill from intuit
Thank you for your business.
Sincerely,
Hunter Lambert" and the attached invoice is an Excel Spreadsheet [!] I have excel but I don't understand its vulnerabilities very well so I'm loath to just open the spreadsheet.
I've done some forensics on the email and it did, in fact, originate from "notifications.intuit.com", but I don't have, and have never had, anything to do with quickbooks so I'm at a loss as to what to do with/about the email. Thanks!
Best Answer
-
Do not open the Excel spreadsheet and if you do not use Quickbooks, you can simply delete the email and consider the matter closed.
5
Answers
-
While I agree completely with @GeoffG's suggestion, you might try asking this same question in the Quickbooks forum also.
Q user since February, 1990. DOS Version 4
Now running Quicken Windows Subscription, Business & Personal
Retired "Certified Information Systems Auditor" & Bank Audit VP
0 -
This could be perfectly normal. I have one or two firms I do business with who bill me via Quickbooks, and I get emails like that. I don't use Quickbooks either, but the billers do. The billers can attach files to the email. I usually get PDF attachments with such bills.
Quicken user since version 2 for DOS, now using QWin Premier (US) on Win10 Pro.
0 -
It is very risky to open an Excel spreadsheet without knowing its origin, and even then could pose significant risk. Excel spreadsheets can contain malicious code that can run malware. Not a good practice if that is what Quickbooks is using to convey invoices.
0
-
I interpreted it to mean that the Vendor was using the Excel spreadsheet ... not that QB was causing that to be used. AND, if the OP is running a GOOD malware program, detaching and then opening the spreadsheet should be of minimal to negligible risk.
Q user since February, 1990. DOS Version 4
Now running Quicken Windows Subscription, Business & Personal
Retired "Certified Information Systems Auditor" & Bank Audit VP
0 -
Yes, it's the biller attaching the spreadsheet, not Quickbooks.
Anyway, my understanding is that a normal .XLSX workbook is safe in current Excel versions. Malicious content lives in macros, which need to be in .XLSM files to execute. Furthermore, the user has to have enabled macros in the Excel Trust Center.
The thing I would look at is the sender. I googled Hunter Lambert and got a variety of results. If you've done business with a Hunter Lambert, @BernieC, this is probably legitimate. If you haven't, it's possible this is a benign email which was incorrectly addressed.
Quicken user since version 2 for DOS, now using QWin Premier (US) on Win10 Pro.
0 -
I've got my answer -- I opened excel and took a chance and tried to open the "invoice". It wouldn't open. Windows defender blocked it AND excel wasn't happy with it. So it was an attack. Since it was sent from the intuit.com domain, should I complain/warn them that there's something awry in their world?
0
-
Have you tried asking over on the QB forum, to see if this is a known issue?
Q user since February, 1990. DOS Version 4
Now running Quicken Windows Subscription, Business & Personal
Retired "Certified Information Systems Auditor" & Bank Audit VP
0 -
BernieC said: I've got my answer -- I opened excel and took a chance and tried to open the "invoice". It wouldn't open. Windows defender blocked it AND excel wasn't happy with it. So it was an attack. Since it was sent from the intuit.com domain, should I complain/warn them that there's something awry in their world?
Good catch. Looks like they already know about this, but it wouldn't hurt to forward them the entire email with headers & attachments intact.
Quicken user since version 2 for DOS, now using QWin Premier (US) on Win10 Pro.
0 -
They do -- it is the *exact* email that I received. It is now deleted and forgotten. BUT -- it is a pretty clever forgery. I'm experienced with doing forensics on email and this one was cleverer than most.
Received: from [45.171.95.217] (dynamic-45-171-95-217.turbonetrecife.net.br [45.171.95.217])
by vade-backend7.dreamhost.com (Postfix) with ESMTP id D6306438487D5
for <[email removed]>; Mon, 4 May 2020 17:51:24 -0700 (PDT)
Received: from jwrg.o4.e.notification.intuit.com (jwrg.o4.e.notification.intuit.com [87.212.183.77])
by jwrg.o4.e.notification.intuit.com with ESMTP
The email claimed to be "from:" somebody at notification.intuit.com. And the last Received: stamp seems to indicate that it was actually sent from a system at notification.intuit.com. But look at the next Received stamp: it is a discontinuity and came to my incoming SMTP server from a site in Brazil. Not from intuit after all.
Sneaky
0
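
The Received-chain check described in the post above, as an added example that is not part of the original thread: it parses the two quoted headers and flags the hop where the older stamp's "by" host is not the host the next server actually saw connecting. The function names, the recipient placeholder and the Subject line are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample: the two Received headers quoted in the post, wrapped in a
# minimal message. The recipient address and Subject line are placeholders.
RAW = """\
Received: from [45.171.95.217] (dynamic-45-171-95-217.turbonetrecife.net.br [45.171.95.217])
\tby vade-backend7.dreamhost.com (Postfix) with ESMTP id D6306438487D5
\tfor <recipient@example.invalid>; Mon, 4 May 2020 17:51:24 -0700 (PDT)
Received: from jwrg.o4.e.notification.intuit.com (jwrg.o4.e.notification.intuit.com [87.212.183.77])
\tby jwrg.o4.e.notification.intuit.com with ESMTP
Subject: constructed sample

body
"""

# "from <HELO name> (<what the receiver observed>) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s*(?:\((.*?)\))?\s+by\s+(\S+)", re.I)

def parse_hops(raw):
    """Return Received hops newest-first as dicts with helo, peer and by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"helo": m.group(1).lower(),
                         "peer": (m.group(2) or "").lower(),
                         "by": m.group(3).lower()})
    return hops

def discontinuities(hops):
    """Pairs where the older hop's 'by' host is not what the newer hop saw."""
    breaks = []
    for newer, older in zip(hops, hops[1:]):
        seen = newer["helo"] + " " + newer["peer"]
        if older["by"] not in seen:
            breaks.append((older["by"], seen))
    return breaks

def handoff_peer(hops, trusted_suffix):
    """What the first hop run by the recipient's own provider saw connecting."""
    for hop in hops:
        if hop["by"].endswith(trusted_suffix):
            return hop["helo"] + " " + hop["peer"]
    return None

if __name__ == "__main__":
    hops = parse_hops(RAW)
    for claimed, seen in discontinuities(hops):
        print(f"break: {claimed} claims the hand-off, receiver saw {seen}")
    print("trusted hop saw:", handoff_peer(hops, "dreamhost.com"))
```

A name mismatch between hops is a heuristic, since legitimate relays often use internal host names that differ from hop to hop. Only the stamp written by the recipient's own provider is outside the sender's control, so the connecting address it records is the part to rely on.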