Intuit QuickBooks $722 Invoice Phishing Campaign
A detailed investigation into the QuickBooks $722 invoice phishing campaign using salesquick.com as a reply-to domain. While the site is technically a parked domain, its use in phishing makes it high-risk.

If you’ve just received a $722.18 invoice from QuickBooks, you’re not alone — and no, you didn’t misclick yourself into financial trouble. This is a widespread phishing campaign targeting inboxes daily.
At first glance, the email looks convincing: it comes from Intuit (the company behind QuickBooks), includes professional formatting, and passes SPF, DKIM, and DMARC checks. However, closer inspection shows it is not a legitimate invoice, but a carefully crafted scam designed to trick recipients into replying and interacting with attackers.
This report explores how the scam works, the red flags, the technical analysis, and the broader implications for security.
How the Scam Presents Itself
The email typically arrives with a subject line like:
“Invoice – Here is automated receipt #MCA-83653846 for business account”
It appears to come from quickbooks@notification.intuit.com, a domain that most users recognize as Intuit.
The body of the email claims that the recipient owes $722.18 for Microsoft 365 Business Premium and that payment is due immediately — on the same day the invoice arrives.
While the links inside the email are valid and direct to Intuit.com, there are no attachments. This makes the scam subtle: it does not rely on malicious downloads but instead focuses on social engineering via email interaction.
The real danger lies in the Reply-To field. Responding to the email redirects replies to salesquick.com, a lookalike domain of the legitimate payments provider salequick.com. Attackers can then use that communication channel to attempt fraud, request further sensitive information, or direct the victim to malicious links or attachments.
Red Flags and Indicators of Phishing
Even though the email appears legitimate, several details signal phishing:
- Reply-to mismatch: Replies do not go to Intuit but are redirected to salesquick.com. A real invoice would not use a bulk, mismatched reply address.
- Urgency and pressure: The invoice is due the same day, attempting to create panic and prompt immediate action.
- Branding issues: Microsoft logos are imperfect, with visual distortions like black lines where whites should appear.
- Unrealistic pricing: Microsoft 365 Business Premium does not cost $722, indicating a fabricated invoice.
- Domain impersonation: The attackers are exploiting a domain similar to the legitimate salequick.com to trick recipients.
Spoofed Email or Compromised Intuit Domain?
At first glance, it looks like spoofing. However, the Intuit.com domain passes the authentication checks, so it is not a typical spoofing case. The DMARC check shows the sender is technically correct:
Authentication-Results: mail.protonmail.ch; dmarc=pass (p=reject dis=none)
header.from=notification.intuit.com
Authentication-Results: mail.protonmail.ch; spf=pass smtp.mailfrom=frdes13.onmicrosoft.com
That suggests attackers may be exploiting a misconfiguration within Intuit systems. Interestingly, the Reply-To is a different domain – salesquick.com:
From: Invoice <quickbooks@notification.intuit.com>
List-Unsubscribe: https://intuit.com/unsubscribe/page.htm?uid=752b7e8d-764f-4a0b-8a34-9eb2bda33323
Mime-Version: 1.0
Subject: Invoice - Here is automated receipt #MCA-83653846 for business account
X-Accept-Language: en
X-Sendername-Clientid: 752b7e8d-764f-4a0b-8a34-9eb2bda33323
Message-Id: <avy6lmfHQ-Wrzv2rxsy5Zg@geopod-ismtpd-4>
Reply-To: reply@salesquick.com
This is a strong indicator of impersonation. The attackers are mimicking salequick.com, a legitimate and well-established payments provider registered in 2004. However, the domain actually used is salesquick.com — a subtle typo that is easy to overlook. Interestingly, despite being fraudulent in this context, ScamRaven shows it as an aged domain with a clean reputation: salesquick.com report.
Because SPF and DKIM pass for Intuit.com, there are two possibilities: either the attackers are exploiting a misconfiguration within Intuit’s infrastructure, or they are using an advanced spoofing technique that is not easily detectable. Either way, this confirms the email is malicious and should not be trusted.
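The header checks discussed above can be automated at the mail gateway or in triage tooling. The following is an added example, not code from the original article: it parses the header fields quoted above (embedded as a constructed sample) and flags a Reply-To domain that differs from the From domain, a Reply-To domain within a small edit distance of a known business domain, and an SPF envelope domain that differs from the visible sender. `KNOWN_DOMAINS`, the function names, and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample assembled from the header fields quoted in this article.
SAMPLE = """\
Authentication-Results: mail.protonmail.ch; dmarc=pass (p=reject dis=none)
 header.from=notification.intuit.com
Authentication-Results: mail.protonmail.ch; spf=pass smtp.mailfrom=frdes13.onmicrosoft.com
From: Invoice <quickbooks@notification.intuit.com>
Reply-To: reply@salesquick.com
Subject: Invoice - Here is automated receipt #MCA-83653846 for business account
"""

# Assumption: a locally maintained list of domains the organisation really deals with.
KNOWN_DOMAINS = ("intuit.com", "salequick.com")

def org_domain(addr):
    """Naive registrable domain (last two labels); use a public-suffix list in production."""
    host = addr.rpartition("@")[2].lower().strip(".;")
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(raw):
    """Return a list of findings for one raw message (headers are enough)."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1])
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    reply_dom = org_domain(reply_addr) if reply_addr else from_dom
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"smtp\.mailfrom=(\S+)", auth)
    findings = []
    if reply_dom != from_dom:  # replies leave the sender's domain
        findings.append(f"reply-to-mismatch:{reply_dom}")
    for known in KNOWN_DOMAINS:  # near-miss of a trusted name, but not the name itself
        if 0 < edit_distance(reply_dom, known) <= 2:
            findings.append(f"lookalike:{reply_dom}~{known}")
    if spf and org_domain(spf.group(1)) != from_dom:  # SPF passed for another domain
        findings.append(f"envelope-mismatch:{org_domain(spf.group(1))}")
    return findings
```
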
Community and Public Reports
Discussion around this phishing campaign has appeared on Reddit and other security forums. Notably:
- Reddit QuickBooks phishing discussion shows confusion among users and security professionals regarding whether the emails are spoofed or sent through Intuit’s infrastructure.
- Community consensus indicates the scam is active and deceptive, and involves salesquick.com as a key component.
Why This Scam Matters
Unlike traditional phishing campaigns that rely on links, malware, or obvious errors, this attack is subtle and sophisticated:
- Uses a trusted brand (Intuit/QuickBooks).
- Passes SPF, DKIM, and DMARC checks.
- Links point to legitimate Intuit pages.
- Exploits the Reply-To field and a lookalike domain to engage victims directly.
This method bypasses many technical detection systems and relies heavily on human vigilance.
Recommended Actions
If you receive a similar email:
- Do not reply. The reply-to domain is controlled by attackers.
- Do not pay. The invoice is fake; Microsoft 365 is far cheaper.
- Report it. Forward the email to Intuit’s phishing team or your IT/security department.
- Delete it. Remove the message from your mailbox to avoid accidental interaction.
- Educate colleagues. Especially those handling invoices or financial tasks.
Summary and Verdict
This is a phishing campaign leveraging Intuit’s infrastructure and reply-to domain trickery:
- The invoice is fake and uses a fabricated price to prompt urgency.
- salesquick.com is used to impersonate a legitimate payments provider (salequick.com).
- Technical authentication checks may pass, but the email is malicious in intent.
Verdict: Suspicious
Even though salesquick.com itself appears safe as a parked domain, its exploitation in an ongoing phishing campaign marks it as high-risk. Users should exercise caution and follow best practices for reporting and handling suspicious emails.