Spoof email is using my domain name email address but targets almost only my contact list with credible content body

Çağlar Arlı

Since yesterday, one of my work email addresses has been used to send spoof emails with phishing attachments. SPF and DKIM were configured on my domain name but not DMARC, but since yesterday evening, everything is configured and I received a report this morning, so this point is ok. But this is not the main problem.

The scam email was sent almost only to the contact list and history used with this address (some suppliers), and the body was signed with the name of my coworker using this address and appeared really believable (like asking to confirm availability of some products listed in the attachment). So the hackers have had access at some point to the content of our mailbox, they are not only using our address to send some Viagra-related links, but in this case, why aren't they just using our credentials to send the mails?

I am as confused as I am worried and I don't know where to look. I have already changed all passwords of all our domain email addresses; the email address used by the hackers was logged in on a few devices, all of them running Ubuntu except one on Windows: this is obviously the main suspect (no offense haha), so I disconnected it from the network and ran an analysis but everything seems ok...

Everything appears to be ok from my point of view but knowing that someone somehow managed to watch our mailbox content really worries me, so I now rely on you and your ideas about this situation.

Thank you everyone for your attention. I may have forgotten to tell you some details, so don't hesitate to ask me.