How can scammer actually reply from a spoofed email address?
I (mostly) understand how a scammer can send an email from a spoofed account, all you need is an unsecured SMTP server.
But how is it possible, for a scammer to RESPOND and maintain an email conversation with the victim from the spoofed address? In this case, there was no "reply-to" and the domain is completely legitimate.
The only clue was that the mail address of the responder (scammer) was in some (not all) cases suffixed with a "1", i.e. events@legitdomain.com and events1@legitdomain.com.
My first thought was that the mail server at "legitdomain.com" was compromised, in which case pulling this off should be fairly simple since you can receive and respond to emails and create rules to redirect emails from target addresses so that the domain owner staff don't see them. You can also read incoming/outgoing emails to help with target selection, i.e. target a recently invoiced client that is about to make a payment and convince them that the banking details changed.
But is there a way to do this without having access to the mail server?
