Delivered-To: [log in to unmask]
Received: by 10.157.12.155 with SMTP id b27csp265855otb;
        Thu, 9 Feb 2017 05:36:05 -0800 (PST)
X-Received: by 10.129.118.77 with SMTP id j13mr2242697ywk.270.1486647365266;
        Thu, 09 Feb 2017 05:36:05 -0800 (PST)
Return-Path: <[log in to unmask]>
Received: from mail-yw0-x244.google.com (mail-yw0-x244.google.com. [2607:f8b0:4002:c05::244])
        by mx.google.com with ESMTPS id p193si504832ybg.263.2017.02.09.05.36.05
        for <[log in to unmask]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 09 Feb 2017 05:36:05 -0800 (PST)
Received-SPF: neutral (google.com: 2607:f8b0:4002:c05::244 is neither permitted nor denied by best guess record for domain of [log in to unmask]) client-ip=2607:f8b0:4002:c05::244;
Authentication-Results: mx.google.com;
        dkim=pass header.i=@beschool-org.20150623.gappssmtp.com;
        spf=neutral (google.com: 2607:f8b0:4002:c05::244 is neither permitted nor denied by best guess record for domain of [log in to unmask]) smtp.mailfrom=[log in to unmask]
Received: by mail-yw0-x244.google.com with SMTP id u68so284402ywg.0
        for <[log in to unmask]>;
        Thu, 09 Feb 2017 05:36:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=beschool-org.20150623.gappssmtp.com; s=20150623;
        h=mime-version:from:date:message-id:subject:to;
        bh=p8Q4mmR+ZloPt9MxTFU4D0BK5NEE720i2AzPZhYs5ts=;
        b=st87TXF/ZxLcW7kIQZn+sBP4CdwcPjxDGzme9bau3NMOwANTBIrDeM/9wDjVZR2knW
         SbIROFvItRmOo2svQ/jXdNAu8r17xM0A/0zioX58PdORI/mqSR9Zog+b9oy+jo5KUAnd
         sX5vxcW8Gec4a+Ls4eqKS+WsRDugYZIqKjFx4NQR5ksDZvVWNmh16izB0TGlOIAS+CO7
         Ztp2P17vI9TOy9HaSVVNvNyiQZO5FqwkLdprdrjy0UqKjAaM7yjgIU1b7qQLeyHDv/Ln
         sHb9yM/WGC4XPEprUml9D3keYU25MMsuOCdN4vQ97tKOkCVPqcHFnipUc7Fig19mqiG4
         GU/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=p8Q4mmR+ZloPt9MxTFU4D0BK5NEE720i2AzPZhYs5ts=;
        b=gDgAnHh7seW5/ZpkNZH2tJGiRsDkAqkyCalfsM+XyV/3FSk+C1Hk88LAKPuGhhdoyD
         92OjwtonWKrGdA0QlAnZ6xm7Ki++21Qk1HjiGsgfsxntQb9c2ty99k6lNX/BKuOYAz9b
         SyGR/MjJPPFV+1ttJ5dPW9nYtHoIJAwbFxM15mu8i5d0aXBnjIjvnwHic3zAwhU6a1pK
         zaxJuhp/B1rbeAHCAhNeQxNliRQirPRImYU8IFuf0i1/OHQwDcaKIM1cW1BiSWl3Rej5
         5GfucJbUpPmNyo0/dIoakgJ4AKoKcAu5IlCj5wtuvljJIB0foXfgNQ/ZH8Ve9kB0CNfg
         Ji4Q==
X-Gm-Message-State: AMke39meRKrQIlBCi/b1td+HPKj1LNmo6fARAfngy0QKa4QBRglJK37maSp67CZvRG3jUVcoyfPq/Ci+Axh+k7cPbGo=
X-Received: by 10.129.152.77 with SMTP id p74mr2064320ywg.177.1486647364611;
        Thu, 09 Feb 2017 05:36:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.123.7 with HTTP; Thu, 9 Feb 2017 05:36:01 -0800 (PST)
From: Cathy Roberts <[log in to unmask]>
Date: Thu, 9 Feb 2017 05:36:01 -0800
Message-ID: <[log in to unmask]>
Subject: Secured Message
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary=94eb2c0bbf5613479005481910fc
Bcc: [log in to unmask]

--94eb2c0bbf5613479005481910fc
Content-Type: multipart/alternative; boundary=94eb2c0bbf5613478b05481910fa

--94eb2c0bbf5613478b05481910fa
Content-Type: text/plain; charset=UTF-8

Please see attached document for your review.

Thanks

--94eb2c0bbf5613478b05481910fa
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><span style=3D"font-size:12.8px;line-height:normal">Please=
 see attached document for your review.</span><br style=3D"font-size:12.8px=
;line-height:normal"><br style=3D"font-size:12.8px;line-height:normal"><br =
style=3D"font-size:12.8px;line-height:normal"><span style=3D"font-size:12.8=
px;line-height:normal">Thanks</span><br></div>

--94eb2c0bbf5613478b05481910fa--

--94eb2c0bbf5613479005481910fc
Content-Type: application/pdf; name="Document2017-09-02-075055.pdf"
Content-Disposition: attachment; filename="Document2017-09-02-075055.pdf"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_iyyffr0t0

--94eb2c0bbf5613479005481910fc--

Agreed. I've seen that actually more often. Be sure to point out that you need the headers of the original they received.

On Fri, Feb 10, 2017 at 9:04 AM, David McClellan <[log in to unmask]> wrote:

Not to discount the possibility of the account being compromised, but I'm with Bill Fitzgerald here. I'd check the headers of the sent mail, I'd be willing to bet the address was spoofed. Maybe have the recipients of the email forward it back to you to see what you can in the headers?

Good luck,

Also, just so the email address can't be spoofed, make sure that you have SPF, DKIM, and DMARC records set up.

Cheers,
Bill

On Thu, Feb 9, 2017 at 12:55 PM, Scott Grant <[log in to unmask]> wrote:

Most of these suggestions assume Google email accounts. Here's what I'd suggest to summarize:

- Disable the account first! (already done)
- Review where the account had been logged into. Get screen captures of the data.
- Change the password.
- Consider having the user leverage a second-factor for authentication.
- Reset sign in cookies as per another suggestion.
- Run AV on the user's computer(s).
- Ensure a level of password complexity for the new password.
- Re-enable the account.
- Review their Sent messages and ALL Mail views. Also ensure they are receiving emails correctly. Sometimes hackers will add a rule to GMail to archive all inbound messages. This way, the owner doesn't see the delivery failures, etc.
- Verify where they access their email from. Is it from home as well on a different computer? Suggest they run AV there as well.

That's the basics.

On Thu, Feb 9, 2017 at 10:06 AM, Christine Gibson <[log in to unmask]> wrote:

I would also suggest that you reset the sign-in cookies. This will kick out anyone who may have been signed into the account. Simply changing the password does not terminate all current sessions. You can find the switch to reset the sign-in cookies under Account in the Google Admin Console.

On Thu, Feb 9, 2017 at 10:01 AM, Raymond Ballou <[log in to unmask]> wrote:

Edith

Not sure why it doesn't list change password, but here are the suggestions from Google.

R
------------------------------ ----------- Search the SCHOOL-IT Archive
Manage your Subscription to SCHOOL-IT
--
David McClellan
Technology Support Specialist
Chittenden East Supervisory Union
Mobile: (802) 458 - 7327
Backup Mobile: (802) 448 - 0329
This e-mail may contain information protected under the Family Educational Rights and Privacy Act (FERPA). If this e-mail contains student information and you are not entitled to access such information under FERPA, please notify the sender. Federal regulations require that you destroy this e-mail without reviewing it and you may not forward it to anyone.
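
Added example (not part of the original thread): one way to apply the advice above about reading the headers of the message the recipients actually received. It reads the receiving server's Authentication-Results header to separate a message sent through the domain's own mail service from a forged From address. The sample messages, the example.org addresses and the triage function are constructed for illustration; the gappssmtp.com naming pattern and the meaning of a "with HTTP" hop are assumptions noted in the code.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples modelled on the headers in this thread; all addresses,
# domains and IPs are placeholders.
SENT_VIA_TENANT = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example-org.20150623.gappssmtp.com;
       spf=neutral (google.com: best guess record) smtp.mailfrom=user@example.org
Received: by 10.0.0.7 with HTTP; Thu, 9 Feb 2017 05:36:01 -0800 (PST)
From: Staff Member <user@example.org>

"""
SPOOFED = """\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=fail (google.com: sender not permitted) smtp.mailfrom=user@example.org
Received: from mail.invalid ([203.0.113.9]) by mx.google.com with ESMTP
From: Staff Member <user@example.org>

"""

def triage(raw):
    """Heuristic reading of the receiving server's verdicts, not proof."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth = " ".join((msg["Authentication-Results"] or "").split())
    dkim = re.search(r"\bdkim=(\w+)(?:[^;]*?header\.[id]=(?:[^\s;@]*@)?([\w.-]+))?", auth)
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim_result = dkim.group(1) if dkim else "none"
    signer = (dkim.group(2) or "").lower() if dkim else ""
    spf_result = spf.group(1) if spf else "none"
    aligned = signer == from_domain or signer.endswith("." + from_domain)
    # Assumption: Google signs hosted domains that have no DKIM key of their
    # own as <domain-with-dashes>.<date>.gappssmtp.com.
    via_tenant = (signer.endswith(".gappssmtp.com")
                  and signer.startswith(from_domain.replace(".", "-") + "."))
    # Assumption: an earliest hop "with HTTP" means webmail submission.
    first_hop = (msg.get_all("Received") or [""])[-1]
    if dkim_result == "pass" and (aligned or via_tenant):
        verdict = "sent through the domain's own mail service: treat as account compromise"
    elif dkim_result != "pass" and spf_result in ("fail", "softfail"):
        verdict = "failed sender authentication: likely spoofed From address"
    else:
        verdict = "inconclusive: compare the Received hops with known mail servers"
    return {"from": from_domain, "dkim": dkim_result, "signer": signer,
            "spf": spf_result, "webmail": " with HTTP" in first_hop, "verdict": verdict}
```

Run it on the full headers of a copy forwarded as an attachment by a recipient, since an inline forward replaces the original Received and Authentication-Results lines.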