We have a client using GSuite and we have run into a problem where one of their users' email addresses is being spoofed and is being used to send out emails to multiple clients of theirs. I have implemented Google DKIM, an SPF record with the -all hard failure, and DMARC, all of which have not helped. I have verified that no one has logged directly into the Gmail account in question to send these emails, and log files from the remote servers that I could access show that the IP addresses that these spoofed emails come from are coming from places like China's Mobile Network. Is there a way to confirm that no one is using SMTP with this account to send these emails, or would that also show up in the login list?
Normally when an address is spoofed, it's not a big deal because spam filters will pick it up and block that email. The problem in this instance is that someone has stolen this user's address book and is using that address book to send spoofed messages to all of their clients within that address book. Because the client companies in the address book most likely have the spoofed user's domain whitelisted, the spam emails come through to them anyway, even though they are obviously spoofed or spam and coming from random country IP addresses. This is a huge problem because the clients that are listed in the address book are getting spam from what looks like the user who is being spoofed and think that they've been hacked in some way (even though as far as I can tell, they're not), which translates to fear of doing business with the company getting their emails spoofed.
What can be done to resolve this? I'm looking for any solutions, no matter cost or time involved to resolve this.
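The post says SPF with -all and DMARC are in place but "have not helped". A first thing to verify is that the published records actually tell receivers to reject, since a DMARC policy of p=none or a partial pct= only monitors. The checker below is an added example, not part of the original question; the record strings in the test are constructed samples, not any real domain's DNS, and even a correct p=reject cannot override a receiver that has whitelisted the domain, which is the situation the post describes.

```python
"""Audit SPF and DMARC record strings for settings that let spoofed mail
through. Added example; the records passed in are constructed samples."""


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(spf: str, dmarc: str) -> list:
    """Return human-readable findings; an empty list means both records
    instruct receivers to reject mail that fails authentication."""
    findings = []

    # SPF: the record must exist and end with a hard fail.
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("SPF: record does not start with v=spf1")
    elif terms[-1].lower() != "-all":
        findings.append(
            f"SPF: ends with '{terms[-1]}', not '-all' "
            "(softfail/neutral/pass-all lets spoofed senders through)")

    # DMARC: the policy, its coverage and reporting address.
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record does not start with v=DMARC1")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; receivers will not reject failing mail")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends failing mail to spam rather than rejecting it")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports on the spoofing source are never received")
    return findings
```

The rua= aggregate reports are also the cheapest way to confirm, per receiving domain, which source IPs are sending mail as the user and whether receivers are applying the policy.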