Quickbooks trademark exploited in email scam

Posted by Emmanuel Marshall on 08 March 2018 12:10:49 AEDT

MailGuard has detected a new criminal-intent email designed to look like a Quickbooks invoice notification - see screenshot above.

The objective of this sort of scam is to get the recipient to click on a link in the email that would take them to an archived file containing malware. Once the victim’s computer is infected with malware it may be used by cybercriminals in a number of ways: to mount botnet attacks, run ransomware, spy on computer networks or launch further email scams.

There are a wide variety of compromised sender display names and addresses associated with this scam message. Some of the variants seen by MailGuard include:

  • From: "Ashtead Plant Hire Co Ltd" <purchase.ledger@dahaltechsolutions.com>
  • From: "Vicom Limited " <amy@imperialdiamondinternational.co.uk>
  • From: "Primat Recruitment Limited " <purchase.ledger@dahaltechsolutions.com>
  • From: "MDG Rail Ltd " <amy@imperialdiamondinternational.co.uk>
  • From: "Leslie J Thorpe Ltd " <amy@imperialdiamondinternational.co.uk>
  • From: "Ashtead Plant Hire Co Ltd" <finance@funmanvan.com>
  • From: "Real Skills Training Limited " <purchase.ledger@dahaltechsolutions.com>
  • From: "Eland Cables" <purchase.ledger@dahaltechsolutions.com>
  • From: "Keltbray Aspire Rail Ltd" <purchase.ledger@dahaltechsolutions.com>
  • From: "Outdoor Logistics UK Ltd " <billing@globalengineeringconsult.com>
  • From: "Fitzgerald Plant Services Ltd " <oliver.matthews@jinaco.com>
  • From: "RTG Rail Services" <oliver.matthews@jinaco.com>
  • From: "MDG Rail Ltd " <billing@globalengineeringconsult.com>
  • From: "Geo-Rope Ltd " <oliver.matthews@jinaco.com>
  • From: "Trainspeople Limited" <lister@multipetroleumandenergy.com>
  • From: "Starc Ltd " <purchase.ledger@dahaltechsolutions.com>
  • From: "BAM Nuttall Ltd " <lister@multipetroleumandenergy.com>
  • From: "GEOCISA UK LIMITED " <purchase.ledger@dahaltechsolutions.com>
  • From: "BAM Nuttall Ltd " <lister@multipetroleumandenergy.com>
  • From: "Balfour Beatty Rail Ltd " <lister@multipetroleumandenergy.com>
  • From: "Livis Limited " <lister@multipetroleumandenergy.com>
  • From: "Buffer Rail Ltd" <lister@multipetroleumandenergy.com>
  • From: "Express Medicals" <oliver.matthews@jinaco.com>
  • From: "Marshdale Construction Ltd " <purchase.ledger@dahaltechsolutions.com>
  • From: Intertrain <purchase.ledger@dahaltechsolutions.com>
  • From: "ALLSCAFF GB" <amy@imperialdiamondinternational.co.uk>
  • From: "Downwell Demolition Ltd " <lister@multipetroleumandenergy.com>

This email scam is quite well designed and is exploiting Quickbooks branding to convince victims that it an authentic notification email. If you see a message of this type in your inbox exercise extreme caution.



This is not the first scam of this type MailGuard has detected this year; this malicious email looks superficially similar to
two attacks MailGuard intercepted in February. 

The fact that this scam is so superficially similar to other Quickbooks brandjacking attacks MailGuard has seen, could indicate that the scams have been released by the same criminals, but because there are significant differences in the way the scams work, that is not necessarily the case. The criminals who launched these attacks could be using package deal scam-ware bought from Malware as a Service (MaaS) vendors on the dark web.

Malware as a service is a fast-growing phenomenon in the cybercrime world so it’s quite likely that these two emails are actually the work of different scammers using the same off-the-shelf malware package, bought from an underground vendor and then adapted for their own specific purposes.

You can read more about MaaS, and the way it is used by scammers in our blog post, here.


One email

Doing business online opens up opportunities for collaboration on an unprecedented level, but with that opportunity comes significant risk. Cybercriminals use simple scam emails to infiltrate organisations with malware and attack them from the inside.
All criminals need to break into your business is a cleverly worded email; if they can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive email security.
Talk to an expert at MailGuard today about making your company's network secure: click here.


Stay up-to-date with new posts on the MailGuard Blog by subscribing to free updates. Click on the button below:

Keep Informed with Weekly Updates



Topics: Malware QuickBooks email scams Threat Update

Back to Blog


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all