This is NOT on my server, so it's harder for me to debug. But it's a client that I've helped a bit in the past, so I'm doing some value-added work. For clarity, I'll call him John.
John uses Microsoft Exchange. Today, one of the other employees in Exchange received an email that appeared to be from John; the return address was John's, the signature file was his, and the email referenced the employee by name. The employee replied, and John replied back, this time referencing 2 other employees by name!
But John did not actually send either email.
The first email requested that a payment be sent to one of their "clients", so it's VERY lucky that the employee called him before processing!
I was told by one of those employees that John had said that he saw the email in his own Sent folder, too. But that has not been confirmed.
Looking at the headers, I can't determine whether it originated from his Exchange or not. This is what I think is relevant (replacing his domain with "example.com"):
Authentication-Results: spf=fail (sender IP is 204.93.216.105)
smtp.mailfrom=example.com; example.com;
dkim=pass (signature was verified)
header.d=ihomepedia.com;example.com; dmarc=none action=none
header.from=example.com;compauth=fail reason=601
Received-SPF: Fail (protection.outlook.com: domain of
example.com does not designate 204.93.216.105 as permitted
sender) receiver=protection.outlook.com; client-ip=204.93.216.105;
helo=vps.ihomepedia.com;
I have the whole header, but it's 200 lines so I didn't want to overwhelm you :-) I can post any of it that you want to see, though.
To me, the email looks to be originating from a separate IP (204.93.216.105), so they wouldn't have actually gained access to his account or server. But how did they copy his signature file and know employee names?
And it passed DKIM?
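As an added example (not part of the original post), the following Python script reads the kind of Authentication-Results / Received-SPF headers quoted above and checks DMARC-style identifier alignment: a DKIM pass only counts for the From: domain when the signing domain (header.d) aligns with it. The header lines in the sample follow the fragment in the post (with "example.com" as the placeholder domain); the From: and Subject: lines are constructed for the example, and the organizational-domain reduction is a deliberate simplification of what a real DMARC evaluator does.

```python
import re

# Constructed sample: the Authentication-Results / Received-SPF lines follow the
# fragment quoted in the post (domain replaced with "example.com"); the From: and
# Subject: lines are constructed for the example, since the post does not show them.
SAMPLE_HEADERS = """\
Authentication-Results: spf=fail (sender IP is 204.93.216.105)
 smtp.mailfrom=example.com; example.com;
 dkim=pass (signature was verified)
 header.d=ihomepedia.com;example.com; dmarc=none action=none
 header.from=example.com;compauth=fail reason=601
Received-SPF: Fail (protection.outlook.com: domain of
 example.com does not designate 204.93.216.105 as permitted
 sender) receiver=protection.outlook.com; client-ip=204.93.216.105;
 helo=vps.ihomepedia.com;
From: John <john@example.com>
Subject: Payment request
"""


def unfold_headers(raw: str) -> dict:
    """Parse a raw header block into {lowercased name: value}, joining
    folded continuation lines (lines beginning with whitespace, RFC 5322)."""
    headers = {}
    name = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name is not None:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers


def org_domain(domain: str) -> str:
    """Reduce a domain to its organizational domain for relaxed alignment.
    Simplification (assumption): keep the last two labels. Real DMARC
    evaluation uses the Public Suffix List, so a domain like example.co.uk
    would need that list to be reduced correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _first(pattern: str, text: str) -> str:
    """Return the first capture group of pattern in text (lowercased), or ''."""
    m = re.search(pattern, text)
    return m.group(1).lower() if m else ""


def assess(raw_headers: str) -> dict:
    """Extract SPF/DKIM results and check DMARC-style alignment against the
    visible From: domain. A DKIM 'pass' only helps the From: domain when the
    signing domain (header.d) aligns with it; SPF only helps when the
    envelope sender (smtp.mailfrom) aligns with it."""
    h = unfold_headers(raw_headers)
    ar = h.get("authentication-results", "")
    spf_hdr = h.get("received-spf", "")
    from_domain = _first(r"@([\w.-]+)", h.get("from", ""))

    spf_result = _first(r"\bspf=(\w+)", ar)
    mailfrom = _first(r"smtp\.mailfrom=([\w.-]+)", ar)
    dkim_result = _first(r"\bdkim=(\w+)", ar)
    dkim_domain = _first(r"header\.d=([\w.-]+)", ar)

    spf_aligned = spf_result == "pass" and org_domain(mailfrom) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)

    return {
        "from_domain": from_domain,
        "client_ip": _first(r"client-ip=([\d.]+)", spf_hdr),
        "helo": _first(r"helo=([\w.-]+)", spf_hdr),
        "spf_result": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_result": dkim_result,
        "dkim_signing_domain": dkim_domain,
        "dkim_aligned": dkim_aligned,
        # DMARC passes only if at least one authenticated identifier aligns
        "dmarc_would_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_HEADERS).items():
        print(f"{key:>20}: {value}")
```

On the sample, the script reports spf=fail, dkim=pass with a signing domain of ihomepedia.com, and dkim_aligned False, so a DMARC evaluation would not pass: the signature proves the message was signed by the sending host's domain, not by the domain shown in From:. That is the reason a "dkim=pass" next to "spf=fail" is not evidence that the message came from the victim's own mail system; the Received-SPF client-ip and helo values point at the actual submitting host.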