We've also seen a big uptick in these lately - that is, fake replies to
historical emails stolen from a downloaded mailbox.
I've seen it affect everything from normal IMAP-style hosting to G Suite
accounts and Office 365 tenancies.
From the ones I've personally investigated, usually it seems the victim
fell for a phishing attack and willingly supplied their credentials
somewhere - we've certainly seen accounts affected that had no previous
breach recorded on HIBP or any of the usual leak-checking sources.
Generally, they have taken (at least a partial) dump of the mailbox and
will continue to send out these 'fake replies' to historical emails for
a week or so after securing the source account.
Hope that helps clarify some things :)
Cheers,
Ender
Snr. Systems Administrator
HostAway Pty Ltd
_______________________________________________
AusNOG mailing list
AusNOG@lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog