Commentary  ·  Cyber Security

When a trusted email address is not to be trusted

07/08/2025

You are hopefully getting pretty savvy now when it comes to emails purporting to be from legitimate senders. 

  • If the sending email address does not match the display name, that’s a giant clue that something is amiss; proceed with care.
  • If the email appears to have been sent by a trusted contact, with address matching display name, but the content seems off, it is possible that your correspondent has been hacked. PHONE them – don’t reply to the email – to alert them to the issue.
  • What about the situation shown in our screen print, though? It’s the authentic QuickBooks address used for sending out invoices.  Surely you would have been informed if QuickBooks had been hacked?

If you take a moment to analyse the email, you will note that it is not as real as it at first seems.

  • We have seen examples with invoices requiring payment via a link, but (so far) they have not been from vendors we recognise.
  • Most cover subject matter which does not relate to Intuit QuickBooks. Examples we have received include:
    • Microsoft 365 (as in our example)
    • DocuSign
    • RingCentral with a link to a voicemail
    • Microsof (no final T) Teams
    • eNotification (OneDrive)
    • Adobe document via QuickBooks – with QR code link
    • AT&T Business Voicemail
  • What they have in common is a link enticing you to click. Our antispam system helpfully posts a warning message about the link being malicious (highlighted in green), but you may not be so fortunate.

The normal reaction to receiving a spam/phishing email is to blacklist it.  Not a good move with these emails, however, as your legitimate vendors using QuickBooks will not be able to send you their invoices.  It might seem like an advantage to avoid receiving invoices, but you could soon find your essential services being cut off!

We use Barracuda antispam.  This can be educated to spot the features of the malicious QuickBooks emails whilst allowing the legitimate ones through.

How have the hackers managed to send out from quickbooks@notification.intuit.com, apparently using the approved IP addresses too?

It seems that cyber criminals are signing up for free trial QuickBooks accounts.  This gives them access to sending QuickBooks emails which they can then tailor for their nefarious purposes.

The moral of today’s story: emails can look legitimate but if something seems fishy, proceed with caution.  Using a good email filtering system like Barracuda can go a long way to staying safe too.

Share this entry