Holger Köpke received an unsolicited USB stick in the mail (article in German), supposedly from data center equipment maker Rittal. Of course he did not plug it into a device; it could be anything.
He then (according to his first comment on the same article) set up a test VM on a scratch device and inserted the USB stick there. The stick identified itself not as USB memory but as a USB HID, a keyboard. It seems he was right not to trust it. He sent a mail to Rittal explaining why he thinks this is dangerous, and asked whether this is indeed legit.
He got a response (another article in German): a letter as a PDF, sent by email.
Dear Mr Köpke,
first off thanks for your mail, which we are taking very seriously. We confirm that the letter in question is indeed a legit Rittal ad action. When choosing the contractor producing it we took great care to select a specialist for that. The contractor confirms that the sticks produced do not contain malware. We also checked that again, internally.
To leave the user a choice of using the stick or following the link manually, it is also printed on the mailing.
Again, thanks for the heads-up. If you have more questions, we are of course available.
There is so much to learn from all of this.