Mysterious bill from intuit

I can't figure out what forum to use for this, so I'll take a shot here. I just received a very strange email. It is from "[email protected]" and it says "our invoice-254623 for $200.40 is attached. You now have the option to pay invoices online with a credit card.
Thank you for your business.
Sincerely,
Hunter Lambert" and the attached invoice is an Excel spreadsheet [!] I have Excel but I don't understand its vulnerabilities very well so I'm loath to just open the spreadsheet.

I've done some forensics on the email and it did, in fact, originate from "notifications.intuit.com", but I don't have, and have never had, anything to do with QuickBooks so I'm at a loss as to what to do with/about the email. Thanks!

Answers

  • NotACPA
    NotACPA SuperUser, Windows Beta Beta
    While I agree completely with @GeoffG's suggestion, you might try asking this same question in the Quickbooks forum also.

    Q user since DOS version 5
    Now running Quicken Windows Subscription, Home & Business
    Retired "Certified Information Systems Auditor" & Bank Audit VP
  • Rocket J Squirrel
    Rocket J Squirrel SuperUser, Windows Beta ✭✭✭✭✭
    This could be perfectly normal. I have one or two firms I do business with who bill me via Quickbooks, and I get emails like that. I don't use Quickbooks either, but the billers do. The billers can attach files to the email. I usually get PDF attachments with such bills.
    Quicken user since version 2 for DOS, now using QWin Premier Subscription on Win10 Pro.
  • GeoffG
    GeoffG SuperUser ✭✭✭✭✭
    It is very risky to open an Excel spreadsheet without knowing its origin, and even then could pose significant risk. Excel spreadsheets can contain malicious code that can run malware.
    Not a good practice if that is what Quickbooks is using to convey invoices.
    user since '92 | Quicken Windows Premier - Subscription | Windows 10 Pro version 21H1
  • NotACPA
    NotACPA SuperUser, Windows Beta Beta
    edited May 2020
    I interpreted it to mean that the Vendor was using the Excel spreadsheet ... not that QB was causing that to be used.
    AND, if the OP is running a GOOD malware program, detaching and then opening the spreadsheet should be of minimal to negligible risk.
    Q user since DOS version 5
    Now running Quicken Windows Subscription, Home & Business
    Retired "Certified Information Systems Auditor" & Bank Audit VP
  • Rocket J Squirrel
    Rocket J Squirrel SuperUser, Windows Beta ✭✭✭✭✭
    Yes, it's the biller attaching the spreadsheet, not Quickbooks.
    Anyway, my understanding is that a normal .XLSX workbook is safe in current Excel versions. Malicious content lives in macros, which need to be in .XLSM files to execute. Furthermore, the user has to have enabled macros in the Excel Trust Center.
    The thing I would look at is the sender. I googled Hunter Lambert and got a variety of results. If you've done business with a Hunter Lambert, @BernieC, this is probably legitimate. If you haven't, it's possible this is a benign email which was incorrectly addressed.
    Quicken user since version 2 for DOS, now using QWin Premier Subscription on Win10 Pro.
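An added example, not part of any post in this thread: one way to check a spreadsheet attachment for macro parts without opening it in Excel, by reading the container directly. The function names and sample files are constructed for illustration; the samples only mimic the part names of a real workbook.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls container signature
MACRO_TYPE = b"macroEnabled"  # appears in [Content_Types].xml of macro-enabled workbooks

def triage(filename, data):
    """Return findings about a spreadsheet attachment without opening it in Excel."""
    ext = filename.lower().rpartition(".")[2]
    findings = []
    if data.startswith(OLE2_MAGIC):
        # Old binary format: the extension says nothing about macro content.
        findings.append("legacy OLE2 container")
        if ext in ("xlsx", "xlsm"):
            findings.append("extension does not match container type")
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not an OOXML or OLE2 file"]
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # VBA code in an OOXML workbook is stored in a vbaProject.bin part.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("VBA project present")
        if "[Content_Types].xml" in names and MACRO_TYPE in z.read("[Content_Types].xml"):
            findings.append("declared macro-enabled")
    if findings and ext == "xlsx":
        findings.append("extension does not match container type")
    return findings

def make_sample(with_vba):
    """Build a constructed, minimal zip that only mimics workbook part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage("invoice.xlsx", make_sample(False)))
    print(triage("invoice.xlsx", make_sample(True)))
```

An empty result only means no macro parts were found in the container; it is not a verdict on the file.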
  • BernieC
    BernieC Member ✭✭
    I've got my answer -- I opened Excel and took a chance and tried to open the "invoice". It wouldn't open. Windows Defender blocked it AND Excel wasn't happy with it. So it was an attack. Since it was sent from the intuit.com domain, should I complain/warn them that there's something awry in their world?
  • NotACPA
    NotACPA SuperUser, Windows Beta Beta
    Have you tried asking over on the QB forum, to see if this is a known issue?
    Q user since DOS version 5
    Now running Quicken Windows Subscription, Home & Business
    Retired "Certified Information Systems Auditor" & Bank Audit VP
  • Rocket J Squirrel
    Rocket J Squirrel SuperUser, Windows Beta ✭✭✭✭✭
    BernieC said:
    I've got my answer -- I opened Excel and took a chance and tried to open the "invoice". It wouldn't open. Windows Defender blocked it AND Excel wasn't happy with it. So it was an attack. Since it was sent from the intuit.com domain, should I complain/warn them that there's something awry in their world?
    Good catch. Looks like they already know about this, but it wouldn't hurt to forward them the entire email with headers & attachments intact.

    Quicken user since version 2 for DOS, now using QWin Premier Subscription on Win10 Pro.
  • BernieC
    BernieC Member ✭✭
    edited May 2020
    They do -- it is the *exact* email that I received. It is now deleted and forgotten. BUT -- it is a pretty clever forgery. I'm experienced with doing forensics on email and this one was cleverer than most.

    Received: from [45.171.95.217] (dynamic-45-171-95-217.turbonetrecife.net.br [45.171.95.217])
    by vade-backend7.dreamhost.com (Postfix) with ESMTP id D6306438487D5
    for <[email removed]>; Mon, 4 May 2020 17:51:24 -0700 (PDT)
    Received: from jwrg.o4.e.notification.intuit.com (jwrg.o4.e.notification.intuit.com [87.212.183.77])
    by jwrg.o4.e.notification.intuit.com with ESMTP

    The email claimed to be "from:" somebody at notification.intuit.com. And the last Received: stamp seems to indicate that it was actually sent from a system at notification.intuit.com. But look at the next Received stamp: it is a discontinuity and came to my incoming SMTP server from a site in Brazil. Not from intuit after all.
    Sneaky
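An added example, not part of the thread: the Received-chain check described in the post above, written as a heuristic in Python. The Received lines follow the ones quoted in the post; the From and recipient addresses, the function names and the finding labels are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: Received lines as quoted in the thread, placeholder addresses.
RAW = """\
Received: from [45.171.95.217] (dynamic-45-171-95-217.turbonetrecife.net.br [45.171.95.217])
\tby vade-backend7.dreamhost.com (Postfix) with ESMTP id D6306438487D5
\tfor <recipient@example.net>; Mon, 4 May 2020 17:51:24 -0700 (PDT)
Received: from jwrg.o4.e.notification.intuit.com (jwrg.o4.e.notification.intuit.com [87.212.183.77])
\tby jwrg.o4.e.notification.intuit.com with ESMTP
From: someone@notification.intuit.com
Subject: invoice

(body omitted)
"""

# "from <HELO name> (<reverse-DNS name> [<peer IP>]) by <receiving host>"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)")

def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def check_received(raw, my_mx_domain):
    msg = message_from_string(raw)
    from_host = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Simplification: treat the last two labels as the organisation's domain.
    org = ".".join(from_host.split(".")[-2:])
    # Headers are prepended in transit, so this list is newest first.
    hops = [m.groupdict() for h in msg.get_all("Received", [])
            if (m := HOP.search(h))]
    # Only the stamp written by our own mail server is trustworthy; everything
    # below it was supplied by whoever connected to that server.
    edge = next(h for h in hops if in_domain(h["by"], my_mx_domain))
    findings = []
    if not in_domain(edge["rdns"], org):
        findings.append("edge-peer-not-in-from-domain")
    # Each older hop's receiving host should be the sender the newer hop saw.
    for newer, older in zip(hops, hops[1:]):
        if older["by"].lower() not in (newer["helo"].lower(), newer["rdns"].lower()):
            findings.append("chain-gap")
    return edge, findings

if __name__ == "__main__":
    edge, findings = check_received(RAW, "dreamhost.com")
    print(edge["ip"], edge["rdns"], findings)
```

Legitimate mail that passes through internal relays with differing host names can also produce a chain gap, so treat that finding as a prompt to read the headers rather than as proof.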
This discussion has been closed.