Forgive my ignorance, but what can I tell from the headers?  I can honestly say that I don't even know what part is the "header."  Below is what I received.

Delivered-To: [log in to unmask]
Received: by 10.157.12.155 with SMTP id b27csp265855otb;
        Thu, 9 Feb 2017 05:36:05 -0800 (PST)
X-Received: by 10.129.118.77 with SMTP id j13mr2242697ywk.270.1486647365266;
        Thu, 09 Feb 2017 05:36:05 -0800 (PST)
Return-Path: <[log in to unmask]>
Received: from mail-yw0-x244.google.com (mail-yw0-x244.google.com. [2607:f8b0:4002:c05::244])
        by mx.google.com with ESMTPS id p193si504832ybg.263.2017.02.09.05.36.05
        for <[log in to unmask]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 09 Feb 2017 05:36:05 -0800 (PST)
Received-SPF: neutral (google.com: 2607:f8b0:4002:c05::244 is neither permitted nor denied by best guess record for domain of [log in to unmask]) client-ip=2607:f8b0:4002:c05::244;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@beschool-org.20150623.gappssmtp.com;
       spf=neutral (google.com: 2607:f8b0:4002:c05::244 is neither permitted nor denied by best guess record for domain of [log in to unmask]) smtp.mailfrom=[log in to unmask]
Received: by mail-yw0-x244.google.com with SMTP id u68so284402ywg.0
        for <[log in to unmask]>; Thu, 09 Feb 2017 05:36:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=beschool-org.20150623.gappssmtp.com; s=20150623;
        h=mime-version:from:date:message-id:subject:to;
        bh=p8Q4mmR+ZloPt9MxTFU4D0BK5NEE720i2AzPZhYs5ts=;
        b=st87TXF/ZxLcW7kIQZn+sBP4CdwcPjxDGzme9bau3NMOwANTBIrDeM/9wDjVZR2knW
         SbIROFvItRmOo2svQ/jXdNAu8r17xM0A/0zioX58PdORI/mqSR9Zog+b9oy+jo5KUAnd
         sX5vxcW8Gec4a+Ls4eqKS+WsRDugYZIqKjFx4NQR5ksDZvVWNmh16izB0TGlOIAS+CO7
         Ztp2P17vI9TOy9HaSVVNvNyiQZO5FqwkLdprdrjy0UqKjAaM7yjgIU1b7qQLeyHDv/Ln
         sHb9yM/WGC4XPEprUml9D3keYU25MMsuOCdN4vQ97tKOkCVPqcHFnipUc7Fig19mqiG4
         GU/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=p8Q4mmR+ZloPt9MxTFU4D0BK5NEE720i2AzPZhYs5ts=;
        b=gDgAnHh7seW5/ZpkNZH2tJGiRsDkAqkyCalfsM+XyV/3FSk+C1Hk88LAKPuGhhdoyD
         92OjwtonWKrGdA0QlAnZ6xm7Ki++21Qk1HjiGsgfsxntQb9c2ty99k6lNX/BKuOYAz9b
         SyGR/MjJPPFV+1ttJ5dPW9nYtHoIJAwbFxM15mu8i5d0aXBnjIjvnwHic3zAwhU6a1pK
         zaxJuhp/B1rbeAHCAhNeQxNliRQirPRImYU8IFuf0i1/OHQwDcaKIM1cW1BiSWl3Rej5
         5GfucJbUpPmNyo0/dIoakgJ4AKoKcAu5IlCj5wtuvljJIB0foXfgNQ/ZH8Ve9kB0CNfg
         Ji4Q==
X-Gm-Message-State: AMke39meRKrQIlBCi/b1td+HPKj1LNmo6fARAfngy0QKa4QBRglJK37maSp67CZvRG3jUVcoyfPq/Ci+Axh+k7cPbGo=
X-Received: by 10.129.152.77 with SMTP id p74mr2064320ywg.177.1486647364611; Thu, 09 Feb 2017 05:36:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.123.7 with HTTP; Thu, 9 Feb 2017 05:36:01 -0800 (PST)
From: Cathy Roberts <[log in to unmask]>
Date: Thu, 9 Feb 2017 05:36:01 -0800
Message-ID: <[log in to unmask]>
Subject: Secured Message
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary=94eb2c0bbf5613479005481910fc
Bcc: [log in to unmask]

--94eb2c0bbf5613479005481910fc
Content-Type: multipart/alternative; boundary=94eb2c0bbf5613478b05481910fa

--94eb2c0bbf5613478b05481910fa
Content-Type: text/plain; charset=UTF-8

Please see attached document for your review.


Thanks

--94eb2c0bbf5613478b05481910fa
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><span style=3D"font-size:12.8px;line-height:normal">Please=
 see attached document for your review.</span><br style=3D"font-size:12.8px=
;line-height:normal"><br style=3D"font-size:12.8px;line-height:normal"><br =
style=3D"font-size:12.8px;line-height:normal"><span style=3D"font-size:12.8=
px;line-height:normal">Thanks</span><br></div>

--94eb2c0bbf5613478b05481910fa--
--94eb2c0bbf5613479005481910fc
Content-Type: application/pdf; name="Document2017-09-02-075055.pdf"
Content-Disposition: attachment; filename="Document2017-09-02-075055.pdf"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_iyyffr0t0


--94eb2c0bbf5613479005481910fc--

Edith Fogarty
Technology Integration Facilitator
Bradford Elementary School
143 Fairground Rd
Bradford, VT 05033
802.222.4077 x281
802.222.5196 fax
 

On Fri, Feb 10, 2017 at 9:12 AM, Scott Grant <[log in to unmask]> wrote:
Agreed.  I've seen that actually more often.  Be sure to point out that you need the headers of the original they received.

On Fri, Feb 10, 2017 at 9:04 AM, David McClellan <[log in to unmask]> wrote:
Not to discount the possibility of the account being compromised, but I'm with Bill Fitzgerald here. I'd check the headers of the sent mail, I'd be willing to bet the address was spoofed. Maybe have the recipients of the email forward it back to you to see what you can in the headers?

Good luck,


On Thu, Feb 9, 2017, 18:23 Bill Fitzgerald <[log in to unmask]> wrote:
Also, just so the email address can't be spoofed, make sure that you have SPF, DKIM, and DMARC records set up.

Cheers,

Bill

On Thu, Feb 9, 2017 at 12:55 PM, Scott Grant <[log in to unmask]> wrote:
Most of these suggestions assume Google email accounts.  Here's what I'd suggest to summarize:

Disable the account first! (already done)
Review where the account had been logged into.  Get screen captures of the data.
Change the password.
Consider having the user leverage a second-factor for authentication.
Reset sign in cookies as per another suggestion.
Run AV on the user's computer(s).
Ensure a level of password complexity for the new password.
Re-enable the account.
Review their Sent messages and ALL Mail views.  Also ensure they are receiving emails correctly.  Sometimes hackers will add a rule to GMail to archive all inbound messages.  This way, the owner doesn't see the delivery failures, etc.

Verify where they access their email from.  Is it from home as well on a different computer?  Suggest they run AV there as well.

That's the basics.  



On Thu, Feb 9, 2017 at 10:06 AM, Christine Gibson <[log in to unmask]> wrote:
I would also suggest that you reset the sign-in cookies.  This will kick out anyone who may have been signed into the account.  Simply changing the password does not terminate all current sessions.  You can find the switch to reset the sign-in cookies under Account in the Google Admin Console.

Christine Gibson

PowerSchool Data Manager
49 Charles Avenue
Middlebury, VT 05753
[log in to unmask]
802-382-1720

On Thu, Feb 9, 2017 at 10:01 AM, Raymond Ballou <[log in to unmask]> wrote:
Edith

Not sure why it doesn't list change password, but here are the suggestions from Google.

https://support.google.com/a/answer/2984349?hl=en


R

-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT


-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT


-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT


-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT

--
David McClellan
Technology Support Specialist
Chittenden East Supervisory Union
Backup Mobile: (802) 448 - 0329

This e-mail may contain information protected under the Family Educational Rights and Privacy Act (FERPA). If this e-mail contains student information and you are not entitled to access such information under FERPA, please notify the sender. Federal regulations require that you destroy this e-mail without reviewing it and you may not forward it to anyone. 

-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT


-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT



CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.

-----------------------------------------------------------------------

Search the SCHOOL-IT Archive

Manage your Subscription to SCHOOL-IT