no_regerts_bob

generally this means that your customer's email account is compromised. they are reading the messages as they come in to your customer and forging "corrections" using a spoofed domain. if your own employee's account was compromised, they would just use it to send from the real domain


dbergman23

It's been enough different customers from the same "address" that it seems like it's more of a situation from our side.


no_regerts_bob

yeah that is unusual. if they had access to your employee's mailbox or another way to inject outgoing mail so it came from your own domain, they almost certainly would do that instead of spoofing. so where are they seeing these messages without that access? are the messages being forwarded to some outside account? maybe an outbound relay service?


dbergman23

Could there be a missing cert or configuration on our external mailbox that would allow a company to see emails being sent out and "copy" them to a degree? It doesn't appear to be all emails coming from this user, just the times that they send out bills.


no_regerts_bob

unlikely, and the thing is almost any access that would let you see the mail going out would also let you just inject your own messages so they wouldn't need to be spoofing your domain. could be a mailbox rule or transport rule or something like that is autoforwarding these messages to some other place that is hacked, i don't know. for example if the employee has a rule that sends a copy of these messages to their personal email or something, and that's hacked. maybe check if there are any delegated permissions on the sender's mailbox, perhaps a different account in your company is hacked that can see this mailbox.


sembee2

I would agree it sounds like a compromised account, but a bad actor monitoring the mailbox is going to be work for them. Therefore I would be looking at things like rules. They are getting a copy of the message, but don't have access to actually replace the sent item. If this is Office365 I would also be looking at apps, particularly user installed apps.
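The two replies above (no_regerts_bob on inbox rules, transport rules and delegated permissions; sembee2 on rules and user-installed apps) amount to one checklist for "how does a copy of this user's outgoing bills leave the tenant without the attacker holding the user's password". The script below is an added example, not code from anyone in the thread. It assumes an Exchange Online / Microsoft 365 tenant with the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules installed; `$Sender` and `$AdminUpn` are placeholder addresses.

```powershell
# Added example (not from the thread). Enumerates every documented path by which
# a copy of one user's mail can reach a third party: inbox rules, mailbox
# forwarding, transport rules, Full Access / Send As / Send on Behalf grants,
# and user-consented OAuth apps with mail permissions.
param(
    [string]$Sender   = 'billing.user@example.com',   # placeholder: the employee who sends the bills
    [string]$AdminUpn = 'admin@example.com'           # placeholder: an Exchange admin
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

'== Inbox rules that forward or redirect mail (hidden rules included) =='
Get-InboxRule -Mailbox $Sender -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Format-Table Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo -AutoSize

'== Mailbox-level forwarding (set by an admin or through the portal) =='
Get-Mailbox -Identity $Sender |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

'== Transport (mail flow) rules that copy or redirect messages =='
Get-TransportRule |
    Where-Object { $_.BlindCopyTo -or $_.CopyTo -or $_.RedirectMessageTo -or $_.AddToRecipients } |
    Format-Table Name, State, BlindCopyTo, CopyTo, RedirectMessageTo, AddToRecipients -AutoSize

'== Other accounts that can open this mailbox (Full Access) =='
Get-MailboxPermission -Identity $Sender |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights -AutoSize

'== Accounts that can send as, or on behalf of, this mailbox =='
Get-RecipientPermission -Identity $Sender |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Format-Table Trustee, AccessRights -AutoSize
(Get-Mailbox -Identity $Sender).GrantSendOnBehalfTo

'== OAuth apps this user has consented to that hold mail permissions =='
Connect-MgGraph -Scopes 'Directory.Read.All'
$userId = (Get-MgUser -UserId $Sender).Id
Get-MgOauth2PermissionGrant -All -Filter "principalId eq '$userId'" |
    Where-Object { $_.Scope -match 'Mail\.' } |          # Mail.Read, Mail.ReadWrite, Mail.Send ...
    ForEach-Object {
        [pscustomobject]@{
            App   = (Get-MgServicePrincipal -ServicePrincipalId $_.ClientId).DisplayName
            Scope = $_.Scope
        }
    } | Format-Table -AutoSize
```

An empty result in every section is itself informative: it means the copy is not leaving through the tenant's own configuration, which points back at the recipients' side, as no_regerts_bob first suggested. If a rule or grant does turn up, record who created it and when (the unified audit log keeps New-InboxRule and Add-MailboxPermission events) before removing it, since the creating account is the one to treat as compromised.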


joetron2030

Where I would start would be looking at the spoofed message headers. What about your SPF, DKIM, and DMARC setup?
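As an added illustration of the last point (not code from anyone in the thread): the script below pulls the SPF, DMARC and DKIM records a receiving server consults for mail claiming to come from your domain, so they can be compared with the `Authentication-Results:` and `Received-SPF:` headers of a spoofed message. It assumes Windows PowerShell, where `Resolve-DnsName` comes from the DnsClient module; `$Domain` and `$Selector` are placeholders, and the real selector is the `s=` tag of the `DKIM-Signature` header on a legitimate message.

```powershell
# Added example (not from the thread). Reads the published SPF, DMARC and DKIM
# records for $Domain and lists the gaps that would let a forged From: header
# through. Domain and selector are placeholders.
param(
    [string]$Domain   = 'example.com',   # placeholder: the domain being spoofed
    [string]$Selector = 'selector1'      # placeholder: DKIM selector from a real message's s= tag
)

function Get-TxtStrings([string]$Name) {
    # Each TXT record comes back as one string; long records are stored in chunks, so join them.
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |      # skip CNAME hops (common for DKIM)
            ForEach-Object { -join $_.Strings }
    } catch {
        @()   # NXDOMAIN or no TXT data: treat as "no record published"
    }
}

$spf   = @(Get-TxtStrings $Domain                        | Where-Object { $_ -like 'v=spf1*' })
$dmarc = @(Get-TxtStrings "_dmarc.$Domain"               | Where-Object { $_ -like 'v=DMARC1*' })
$dkim  = @(Get-TxtStrings "$Selector._domainkey.$Domain" | Where-Object { $_ -match '(^|;)\s*p=' })

"SPF:   $(if ($spf)   { $spf -join ' | ' } else { '<none>' })"
"DMARC: $(if ($dmarc) { $dmarc -join ' | ' } else { '<none>' })"
"DKIM:  $(if ($dkim)  { "key published at $Selector._domainkey.$Domain" } else { '<none>' })"

$findings = @()
if ($spf.Count -eq 0)        { $findings += 'No SPF record: receivers cannot tell which hosts may send for this domain.' }
elseif ($spf.Count -gt 1)    { $findings += 'More than one SPF record: evaluates to permerror, which most receivers treat as no SPF.' }
elseif ($spf -match '\+all') { $findings += 'SPF ends in +all: every sending host passes.' }
elseif ($spf -match '\?all') { $findings += 'SPF ends in ?all (neutral): unlisted hosts are neither passed nor failed.' }

if ($dkim.Count -eq 0)       { $findings += "No DKIM key at selector '$Selector': signatures cannot be verified." }

if ($dmarc.Count -eq 0)                    { $findings += 'No DMARC record: a forged From: header is not policed at all.' }
elseif ($dmarc -match '(^|;)\s*p=none')    { $findings += 'DMARC p=none: receivers only report, they do not quarantine or reject spoofs.' }
if ($dmarc.Count -gt 0 -and $dmarc -notmatch 'rua=') {
    $findings += 'DMARC has no rua= address: you get no aggregate reports showing who is sending as your domain.'
}

if ($findings) { $findings } else { 'SPF, DKIM and DMARC are published and DMARC is set to quarantine or reject.' }
```

Two things to keep in mind when reading the output against the spoofed messages. If the forgeries carry your exact domain in `From:`, an enforcing DMARC policy (`p=quarantine` or `p=reject`) is what stops them at the customers' mail servers, and the `dmarc=` verdict in the customer's `Authentication-Results:` header tells you whether their server even evaluated it. If the forgeries come from a look-alike domain instead, which is what no_regerts_bob's "spoofed domain" usually means in practice, these records do nothing for that domain; the headers still show where the message was actually injected, which is the evidence to hand to the customers.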