Agreed. I've seen that actually more often. Be sure to point out that you need the headers of the original they received. On Fri, Feb 10, 2017 at 9:04 AM, David McClellan <[log in to unmask] > wrote: > Not to discount the possibility of the account being compromised, but I'm > with Bill Fitzgerald here. I'd check the headers of the sent mail, I'd be > willing to bet the address was spoofed. Maybe have the recipients of the > email forward it back to you to see what you can in the headers? > > Good luck, > > On Thu, Feb 9, 2017, 18:23 Bill Fitzgerald <[log in to unmask]> wrote: > > Also, just so the email address can't be spoofed, make sure that you have > SPF, DKIM, and DMARC records set up. > > Cheers, > > Bill > > On Thu, Feb 9, 2017 at 12:55 PM, Scott Grant <[log in to unmask]> wrote: > > Most of these suggestions assume Google email accounts. Here's what I'd > suggest to summarize: > > Disable the account first! (already done) > Review where the account had been logged into. Get screen captures of the > data. > Change the password. > Consider having the user leverage a second-factor for authentication. > Reset sign in cookies as per another suggestion. > Run AV on the user's computer(s). > Ensure a level of password complexity for the new password. > Re-enable the account. > Review their Sent messages and ALL Mail views. Also ensure they are > receiving emails correctly. Sometimes hackers will add a rule to GMail to > archive all inbound messages. This way, the owner doesn't see the delivery > failures, etc. > > Verify where they access their email from. Is it from home as well on a > different computer? Suggest they run AV there as well. > > That's the basics. > > > > On Thu, Feb 9, 2017 at 10:06 AM, Christine Gibson <[log in to unmask]> > wrote: > > I would also suggest that you reset the sign-in cookies. This will kick > out anyone who may have been signed into the account. Simply changing the > password does not terminate all current sessions. You can find the switch > to reset the sign-in cookies under Account in the Google Admin Console. > > > *Christine Gibson* > *PowerSchool Data Manager* > <https://mail.google.com/mail/u/0/#inbox> > 49 Charles Avenue > Middlebury, VT 05753 > *[log in to unmask]* <[log in to unmask]> > 802-382-1720 <(802)%20382-1720> > > On Thu, Feb 9, 2017 at 10:01 AM, Raymond Ballou <[log in to unmask]> wrote: > > Edith > > Not sure why it doesn't list change password, but here are the suggestions > from Google. > > https://support.google.com/a/answer/2984349?hl=en > > > R > > ----------------------------------------------------------------------- > > Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive > > Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your > Subscription to SCHOOL-IT > > > ----------------------------------------------------------------------- > > Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive > > Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your > Subscription to SCHOOL-IT > > > ----------------------------------------------------------------------- > > Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive > > Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your > Subscription to SCHOOL-IT > > > ----------------------------------------------------------------------- > > Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive > > Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your > Subscription to SCHOOL-IT > > -- > David McClellan > Technology Support Specialist > Chittenden East Supervisory Union > Mobile: (802) 458 - 7327 > Backup Mobile: (802) 448 - 0329 > > This e-mail may contain information protected under the Family Educational > Rights and Privacy Act (FERPA). If this e-mail contains student information > and you are not entitled to access such information under FERPA, please > notify the sender. Federal regulations require that you destroy this e-mail > without reviewing it and you may not forward it to anyone. > > ----------------------------------------------------------------------- > > Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive > > Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your > Subscription to SCHOOL-IT >