Spoofed Email - Phishing reports\Investigation tool

E8419
New Contributor III

Hello

I know I need to get my DMARC setup finished, but in the meantime I have something that has been bothering me.

We had someone spoof our principal's email address. It came through with a warning from Google to be wary of this email, but if you dig deeper it did not appear to be a hack of her account, but just someone sending email as her/us. It had a different reply-to address and said at the top user@domain.com via another party.

Interestingly, I had the user click "report phishing" and I received an email to my admin account that the phish report had been made, but since the email was spoofed the phish report said that it was against (actor) my user@domain.com. Am I missing something? Should I be digging deeper into this user's account? Or is this just a matter of needing to get my DMARC record straight, and that is the only answer?

Also, if I do a search in the investigation tool, the email shows there as coming from user@domain.com - this isn't right, though; it is pretty clearly a spoofed email sent from a server in Europe. How is the investigation tool populated?

We do have 2-factor on all accounts, but this just appears to be a spoof.

Just wanted to make sure I am crossing my t's.

Thanks

MattFeider
New Contributor II

Have you first made sure your SPF record is correct? SPF is the first step and will prevent someone elsewhere in the world sending as your domain, or rather, not really prevent... but it will communicate to all receiving email systems where valid email for your domain can originate from. So it is up to you to allow, via SPF config, the servers that are authorized to send on behalf of your domain.

Matt

Kim_Nilsson
Admin Moderator

Yeah, everyone really needs to read through and adjust their DNS according to this support article.

SPF, DKIM and DMARC should be one of the first things to set up on a new Workspace account.

DMARC reject is also the only real option to use, and should be set as soon as possible after SPF and DKIM are working.

--
https://wheretofind.me/@NoSubstitute
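Both replies above come down to SPF authorizing your sending servers and DMARC telling receivers what to do when a message fails. The following is an added example, not code from the thread, from Google, or from any of the posters: a small offline evaluator that checks a sending IP against an SPF record, parses a DMARC record, and shows why a spoof from an unauthorized server is only rejected once the policy reaches p=reject. The domain, the TXT records, and the include expansion are constructed sample data, not real DNS.

```python
import ipaddress

# Constructed sample TXT records for a hypothetical domain (not from the thread).
SPF_RECORD = "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# Offline stand-in for DNS lookups of include: targets. The expansion below is
# constructed for the example and is NOT Google's real SPF data.
INCLUDE_TABLE = {"_spf.google.com": "v=spf1 ip4:198.51.100.0/24 -all"}


def spf_check(record, sender_ip, lookups=None):
    """Evaluate sender_ip against an SPF record: 'pass', 'fail', 'softfail' or 'neutral'.
    Supports ip4/ip6/include/all; a/mx/exists are treated as non-matching here."""
    lookups = INCLUDE_TABLE if lookups is None else lookups
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in "+-~?":                # optional qualifier prefix
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            # version mismatch (v4 address vs v6 network) simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only if the referenced record yields "pass"
            matched = spf_check(lookups.get(arg, "v=spf1"), sender_ip, lookups) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"                         # no mechanism matched and no "all" term


def dmarc_policy(record):
    """Parse a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_verdict(record, spf_result, spf_aligned):
    """Receiver disposition for a message given its SPF result and whether the
    SPF domain aligns with the header From. DKIM is assumed absent, as it would
    be for a message sent by a third party in the domain's name."""
    policy = dmarc_policy(record).get("p", "none")
    if spf_result == "pass" and spf_aligned:
        return "deliver"
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver (report only)")
```

With p=none the spoof is still delivered and only shows up in aggregate reports; the same failing message is refused once the record says p=reject.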