Agreed.  I've seen that actually more often.  Be sure to point out that you need the headers of the original they received.

On Fri, Feb 10, 2017 at 9:04 AM, David McClellan <[log in to unmask]> wrote:
Not to discount the possibility of the account being compromised, but I'm with Bill Fitzgerald here. I'd check the headers of the sent mail, I'd be willing to bet the address was spoofed. Maybe have the recipients of the email forward it back to you to see what you can in the headers?

Good luck,


On Thu, Feb 9, 2017, 18:23 Bill Fitzgerald <[log in to unmask]> wrote:
Also, just so the email address can't be spoofed, make sure that you have SPF, DKIM, and DMARC records set up.

Cheers,

Bill

On Thu, Feb 9, 2017 at 12:55 PM, Scott Grant <[log in to unmask]> wrote:
Most of these suggestions assume Google email accounts.  Here's what I'd suggest to summarize:

Disable the account first! (already done)
Review where the account had been logged into.  Get screen captures of the data.
Change the password.
Consider having the user leverage a second-factor for authentication.
Reset sign in cookies as per another suggestion.
Run AV on the user's computer(s).
Ensure a level of password complexity for the new password.
Re-enable the account.
Review their Sent messages and ALL Mail views.  Also ensure they are receiving emails correctly.  Sometimes hackers will add a rule to GMail to archive all inbound messages.  This way, the owner doesn't see the delivery failures, etc.

Verify where they access their email from.  Is it from home as well on a different computer?  Suggest they run AV there as well.

That's the basics.  



On Thu, Feb 9, 2017 at 10:06 AM, Christine Gibson <[log in to unmask]> wrote:
I would also suggest that you reset the sign-in cookies.  This will kick out anyone who may have been signed into the account.  Simply changing the password does not terminate all current sessions.  You can find the switch to reset the sign-in cookies under Account in the Google Admin Console.

Christine Gibson

PowerSchool Data Manager
49 Charles Avenue
Middlebury, VT 05753
[log in to unmask]
802-382-1720

On Thu, Feb 9, 2017 at 10:01 AM, Raymond Ballou <[log in to unmask]> wrote:
Edith

Not sure why it doesn't list change password, but here are the suggestions from Google.



R

-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT


-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT


-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT


-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT

--
David McClellan
Technology Support Specialist
Chittenden East Supervisory Union
Mobile: (802) 458 - 7327
Backup Mobile: (802) 448 - 0329

This e-mail may contain information protected under the Family Educational Rights and Privacy Act (FERPA). If this e-mail contains student information and you are not entitled to access such information under FERPA, please notify the sender. Federal regulations require that you destroy this e-mail without reviewing it and you may not forward it to anyone. 

-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT


-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT