Print

Print


Agreed.  I've seen that actually more often.  Be sure to point out that you
need the headers of the original they received.

On Fri, Feb 10, 2017 at 9:04 AM, David McClellan <[log in to unmask]
> wrote:

> Not to discount the possibility of the account being compromised, but I'm
> with Bill Fitzgerald here. I'd check the headers of the sent mail, I'd be
> willing to bet the address was spoofed. Maybe have the recipients of the
> email forward it back to you to see what you can in the headers?
>
> Good luck,
>
> On Thu, Feb 9, 2017, 18:23 Bill Fitzgerald <[log in to unmask]> wrote:
>
> Also, just so the email address can't be spoofed, make sure that you have
> SPF, DKIM, and DMARC records set up.
>
> Cheers,
>
> Bill
>
> On Thu, Feb 9, 2017 at 12:55 PM, Scott Grant <[log in to unmask]> wrote:
>
> Most of these suggestions assume Google email accounts.  Here's what I'd
> suggest to summarize:
>
> Disable the account first! (already done)
> Review where the account had been logged into.  Get screen captures of the
> data.
> Change the password.
> Consider having the user leverage a second-factor for authentication.
> Reset sign in cookies as per another suggestion.
> Run AV on the user's computer(s).
> Ensure a level of password complexity for the new password.
> Re-enable the account.
> Review their Sent messages and ALL Mail views.  Also ensure they are
> receiving emails correctly.  Sometimes hackers will add a rule to GMail to
> archive all inbound messages.  This way, the owner doesn't see the delivery
> failures, etc.
>
> Verify where they access their email from.  Is it from home as well on a
> different computer?  Suggest they run AV there as well.
>
> That's the basics.
>
>
>
> On Thu, Feb 9, 2017 at 10:06 AM, Christine Gibson <[log in to unmask]>
> wrote:
>
> I would also suggest that you reset the sign-in cookies.  This will kick
> out anyone who may have been signed into the account.  Simply changing the
> password does not terminate all current sessions.  You can find the switch
> to reset the sign-in cookies under Account in the Google Admin Console.
>
>
> *Christine Gibson*
> *PowerSchool Data Manager*
> <https://mail.google.com/mail/u/0/#inbox>
> 49 Charles Avenue
> Middlebury, VT 05753
> *[log in to unmask]* <[log in to unmask]>
> 802-382-1720 <(802)%20382-1720>
>
> On Thu, Feb 9, 2017 at 10:01 AM, Raymond Ballou <[log in to unmask]> wrote:
>
> Edith
>
> Not sure why it doesn't list change password, but here are the suggestions
> from Google.
>
> https://support.google.com/a/answer/2984349?hl=en
>
>
> R
>
> -----------------------------------------------------------------------
>
> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive
>
> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
> Subscription to SCHOOL-IT
>
>
> -----------------------------------------------------------------------
>
> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive
>
> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
> Subscription to SCHOOL-IT
>
>
> -----------------------------------------------------------------------
>
> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive
>
> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
> Subscription to SCHOOL-IT
>
>
> -----------------------------------------------------------------------
>
> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive
>
> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
> Subscription to SCHOOL-IT
>
> --
> David McClellan
> Technology Support Specialist
> Chittenden East Supervisory Union
> Mobile: (802) 458 - 7327
> Backup Mobile: (802) 448 - 0329
>
> This e-mail may contain information protected under the Family Educational
> Rights and Privacy Act (FERPA). If this e-mail contains student information
> and you are not entitled to access such information under FERPA, please
> notify the sender. Federal regulations require that you destroy this e-mail
> without reviewing it and you may not forward it to anyone.
>
> -----------------------------------------------------------------------
>
> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive
>
> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
> Subscription to SCHOOL-IT
>