I am the systems administrator for a "medium" sized business (about 800 employees, of which about 300 have email accounts).
At one point about a year or two ago, we were receiving around 20+ emails a day of "Fake invoices". Scammers who send fake invoices using the "trusted" email of "quickbooks @ notification . intuit . com", to try and get people to pay them for nothing.
As such, I just blocked that email entirely. Not one of my 300+ users can receive ANY email coming from that address (invoice, quote, receipt, nothing).
What I actually did, was setup, on my M365 tenant, a "transport rule" to redirect the email to a "quickbooksscam @ mydomain . com". I then setup, on M365 "Flows", to take any new email received to that address, extract the "rely-to" address (so that I can get the address of the "actual" sender), and then send a response saying something like:
"Due to numerous fake invoices received from a Quickbooks email account, we have blocked this address. If you want to send our company an invoice you will need to download the PDF and send it via your own email account. Or, I highly recommend finding a different invoice sofware other than Quickbooks."
Luckily, we don't use Quickbooks for our company, so I don't have to worry about this for any of OUR outgoing communications.
